# Certificate Management

> Store externally issued TLS certificates and order new certificates through CA plugins in Xloud Key Manager. Manage the full certificate lifecycle from.

## Overview

Xloud Key Manager supports two certificate workflows: storing externally issued
certificates from your existing CA, and ordering certificates through a configured
CA plugin for automated issuance. Both workflows end with a certificate container
(one you assemble yourself from the stored secrets, or one the order creates for you)
that the Load Balancer service consumes for HTTPS termination.

<Note>
  **Prerequisites**

  * An active Xloud account with appropriate permissions
  * Access to the **Xloud Dashboard** or CLI configured with credentials
  * API credentials sourced (`source openrc.sh`)
</Note>

***

## Store an Existing Certificate

Use this workflow when you have an externally issued certificate (Let's Encrypt, DigiCert,
your enterprise CA, etc.) and want to store it in Key Manager. The leaf certificate, the
private key and the intermediate chain are stored as three separate secrets, so a combined
bundle such as Let's Encrypt's `fullchain.pem` must be split into the leaf and the
intermediates before you begin.

<Steps titleSize="h3">
  <Step title="Store the certificate secret">
    ```bash title="Store the X.509 certificate" theme={null}
    # Store only the leaf certificate here; intermediates go in their own secret (step 3).
    # `base64 -w 0` is GNU coreutils; on macOS use `base64 -b 0` or `base64 | tr -d '\n'`.
    openstack secret store \
      --name app-tls-cert \
      --secret-type certificate \
      --payload-content-type "application/pkix-cert" \
      --payload-content-encoding base64 \
      --payload "$(base64 -w 0 certificate.pem)" \
      -f value -c "Secret href"   # print just the href, needed in step 4
    ```
  </Step>

  <Step title="Store the private key secret">
    ```bash title="Store the private key" theme={null}
    # The key must be an unencrypted PEM unless you also store its passphrase
    # and add that secret to the container as private_key_passphrase.
    # The payload travels as a command-line argument, so it is visible in `ps`
    # output and shell history: run this from a trusted workstation only.
    openstack secret store \
      --name app-tls-key \
      --secret-type private \
      --payload-content-type "application/pkcs8" \
      --payload-content-encoding base64 \
      --payload "$(base64 -w 0 private_key.pem)" \
      -f value -c "Secret href"
    ```
  </Step>

  <Step title="Store the CA chain (recommended)">
    ```bash title="Store CA chain" theme={null}
    # Intermediate certificates only, in order from the issuer of the leaf upwards;
    # the root is normally omitted because clients already trust it.
    openstack secret store \
      --name app-ca-chain \
      --secret-type certificate \
      --payload-content-type "application/pkix-cert" \
      --payload-content-encoding base64 \
      --payload "$(base64 -w 0 ca-chain.pem)" \
      -f value -c "Secret href"
    ```
  </Step>

  <Step title="Create a certificate container">
    ```bash title="Bundle into certificate container" theme={null}
    openstack secret container create \
      --name app-tls-bundle \
      --type certificate \
      --secret "certificate=<cert-href>" \
      --secret "private_key=<key-href>" \
      --secret "intermediates=<ca-chain-href>"
    ```

    <Check>The container is ready to reference in the Load Balancer HTTPS listener configuration. If the Load Balancer service runs under its own service account, it also needs read access to the container and its three secrets; grant that through the Key Manager ACL (see Next Steps) before creating the listener.</Check>
  </Step>
</Steps>
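The four steps above as one script, added here as an example and not part of the Xloud documentation or the OpenStack CLI. It checks that the certificate file holds exactly one certificate (and can split a Let's Encrypt-style `fullchain.pem` into leaf and intermediates), confirms the private key belongs to the certificate and that the chain verifies, then stores the three secrets and assembles the container, capturing each href from the CLI instead of pasting placeholders. The same flow serves renewal: store the new material under a new name, create a new container, and repoint the listener. It assumes a configured `openstack` CLI (`source openrc.sh`), `openssl`, and GNU `base64`; the secret and container names are derived from the `NAME` argument and are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not part of the Xloud documentation or CLI: store an
# externally issued certificate in Key Manager as one step, with the checks
# worth doing before the private key leaves the workstation.
# Assumes: OpenStack CLI configured (source openrc.sh), openssl installed,
# GNU base64. Secret/container names derive from the NAME argument.
set -eu

# Count PEM certificate blocks in a file. A Let's Encrypt fullchain.pem holds
# the leaf plus intermediates; Key Manager wants them as separate secrets.
# Prints 0 for an unreadable file.
pem_cert_count() {
  local n
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
  echo "${n:-0}"
}

# split_fullchain BUNDLE LEAF_OUT CHAIN_OUT: first certificate to LEAF_OUT,
# every following one to CHAIN_OUT (created empty if there are none).
split_fullchain() {
  : > "$3"
  awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    { print > (n == 1 ? leaf : chain) }' "$1"
}

# key_matches_cert CERT KEY: compare the public key embedded in the certificate
# with the one derived from the private key. Works for RSA and EC keys alike,
# unlike the RSA-only modulus comparison.
key_matches_cert() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
  k=$(openssl pkey -in "$2" -pubout -outform DER | sha256sum)
  [ "$c" = "$k" ]
}

# store_secret NAME SECRET_TYPE CONTENT_TYPE FILE: upload and print the href.
store_secret() {
  openstack secret store --name "$1" --secret-type "$2" \
    --payload-content-type "$3" --payload-content-encoding base64 \
    --payload "$(base64 -w 0 "$4")" -f value -c "Secret href"
}

# store_bundle CERT KEY CHAIN NAME: validate, upload the three secrets and
# print the href of the resulting certificate container.
store_bundle() {
  local cert=$1 key=$2 chain=$3 name=$4 cert_ref key_ref chain_ref
  if [ "$(pem_cert_count "$cert")" -ne 1 ]; then
    echo "$cert must contain exactly one certificate (run split_fullchain on a bundle)" >&2
    return 1
  fi
  key_matches_cert "$cert" "$key" || { echo "private key does not match $cert" >&2; return 1; }
  # The chain must lead to a trusted root; for a private CA whose root is not
  # in the system store, add: -CAfile root.pem
  openssl verify -untrusted "$chain" "$cert" >/dev/null
  cert_ref=$(store_secret "$name-cert" certificate application/pkix-cert "$cert")
  key_ref=$(store_secret "$name-key" private application/pkcs8 "$key")
  chain_ref=$(store_secret "$name-chain" certificate application/pkix-cert "$chain")
  openstack secret container create --name "$name-bundle" --type certificate \
    --secret "certificate=$cert_ref" --secret "private_key=$key_ref" \
    --secret "intermediates=$chain_ref" -f value -c "Container href"
}

# Usage: ./store-bundle.sh certificate.pem private_key.pem ca-chain.pem app-tls
if [ "$#" -eq 4 ]; then
  store_bundle "$@"
fi
```

The validation runs before any upload, so a mismatched key or an incomplete chain never reaches Key Manager, and the printed container href is the only value you need to carry into the listener configuration.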

***

## Order a Certificate

Certificate orders automate issuance through a Certificate Authority plugin configured
by your administrator.

<Tabs>
  <Tab title="Create an order" icon="clipboard-list">
    ```bash title="Create a certificate order" theme={null}
    openstack secret order create certificate \
      --name app-cert-order \
      --algorithm rsa \
      --bit-length 2048 \
      --subject-dn "CN=app.example.com,O=Example Corp,C=US"
    ```

    ```bash title="Check order status" theme={null}
    openstack secret order show <order-href>
    ```

    An order stays `PENDING` while the CA processes it and ends in either `ACTIVE` or
    `ERROR` (the `Error message` column explains a failure). When it reaches `ACTIVE`,
    retrieve the issued certificate container:

    ```bash title="Get the issued certificate container" theme={null}
    openstack secret order show <order-href> -f value -c "Container href"
    ```

    <Info>
      Certificate order availability depends on your platform's CA plugin configuration.
      Contact your administrator to verify which CA backends are enabled.
    </Info>
  </Tab>

  <Tab title="List and manage orders" icon="list">
    <CodeGroup>
      ```bash title="List all certificate orders" theme={null}
      openstack secret order list
      ```

      ```bash title="Show order detail" theme={null}
      openstack secret order show <order-href>
      ```

      ```bash title="Delete an order" theme={null}
      openstack secret order delete <order-href>
      ```
    </CodeGroup>
  </Tab>
</Tabs>
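Checking the order by hand is fine for a one-off; for automation you want a loop that stops on `ERROR` instead of spinning, gives up after a timeout, and hands back the container href. The script below is an added example, not part of the Xloud documentation or the OpenStack CLI. It assumes a configured `openstack` CLI and reads the `Status`, `Error message` and `Container href` columns of `openstack secret order show`; the poll interval and timeout defaults are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not part of the Xloud documentation or CLI: wait for a
# certificate order to finish, fail fast on ERROR, and print the href of the
# issued container. Assumes a configured OpenStack CLI.
set -eu

# order_field ORDER_HREF "Column name": one field of `secret order show`.
order_field() {
  openstack secret order show "$1" -f value -c "$2"
}

# wait_for_order ORDER_HREF [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Polls until the order leaves PENDING. Prints the container href and returns 0
# on ACTIVE, prints the CA's error message and returns 1 on ERROR, returns 2
# when the timeout elapses while the order is still pending.
wait_for_order() {
  local href=$1 timeout=${2:-600} interval=${3:-10} waited=0 status
  while :; do
    status=$(order_field "$href" Status)
    case $status in
      ACTIVE)  order_field "$href" "Container href"; return 0 ;;
      ERROR)   echo "order failed: $(order_field "$href" 'Error message')" >&2; return 1 ;;
      PENDING) ;;
      *)       echo "unexpected order status: $status" >&2; return 1 ;;
    esac
    if [ "$waited" -ge "$timeout" ]; then
      echo "order still $status after ${timeout}s" >&2
      return 2
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Usage: ./wait-order.sh <order-href> [timeout] [interval]
if [ "$#" -ge 1 ]; then
  wait_for_order "$@"
fi
```

The distinct exit codes let a pipeline treat "CA rejected the request" (1) differently from "CA has not answered yet" (2), which usually means retry later rather than re-submit.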

***

## Certificate Lifecycle Management

| Stage          | Action                                       | Notes                               |
| -------------- | -------------------------------------------- | ----------------------------------- |
| **Issuance**   | Store or order via CA plugin                 | Creates certificate + key secrets   |
| **Deployment** | Create container, reference in Load Balancer | Bundles cert + key + chain          |
| **Monitoring** | Track expiration date externally             | Key Manager sends no alerts         |
| **Renewal**    | Store new certificate, update container      | Update Load Balancer reference      |
| **Revocation** | Revoke at the issuing CA if the key is compromised; delete old secrets after transition | Deleting from Key Manager does not revoke the certificate; update all service references first |

<Tip>
  Set calendar reminders at 60 days, 30 days, and 7 days before certificate expiration.
  Renew the certificate and update the Load Balancer listener reference at least 14 days
  before expiry to allow for propagation and testing.
</Tip>

***

## Verify a Certificate

```bash title="Retrieve certificate and check expiry" theme={null}
openstack secret get <cert-href> --payload | \
  openssl x509 -noout -dates -subject -issuer

# Non-zero exit status if the certificate expires within 30 days; suitable for cron or CI.
openstack secret get <cert-href> --payload | \
  openssl x509 -noout -checkend $((30 * 86400))
```

```bash title="Verify certificate matches private key" theme={null}
# Work in a private temp directory and remove the key material afterwards.
umask 077
work=$(mktemp -d)
openstack secret get <cert-href> --payload > "$work/cert.pem"
openstack secret get <key-href> --payload > "$work/key.pem"

# Compare the public key in the certificate with the one derived from the
# private key. Unlike comparing RSA moduli, this also works for EC keys.
cert_pub=$(openssl x509 -in "$work/cert.pem" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
key_pub=$(openssl pkey -in "$work/key.pem" -pubout -outform DER | sha256sum)
[ "$cert_pub" = "$key_pub" ] && echo "MATCH" || echo "MISMATCH"
rm -rf "$work"
```

<Check>If the two SHA-256 digests are equal, the certificate and private key are a valid pair. To confirm the stored chain as well, run `openssl verify -untrusted ca-chain.pem cert.pem` against the same files.</Check>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Containers" href="/services/key-manager/containers" color="#197560">
    Bundle certificates into containers for Load Balancer use
  </Card>

  <Card title="ACL" href="/services/key-manager/acl" color="#197560">
    Control which users and services can access certificate secrets
  </Card>

  <Card title="Store Secrets" href="/services/key-manager/store-secrets" color="#197560">
    Store other secret types alongside certificates
  </Card>

  <Card title="Troubleshooting" href="/services/key-manager/troubleshooting" color="#197560">
    Resolve certificate container and order issues
  </Card>
</CardGroup>
