Where to store SSL certificates for a 12-factor app

Question

A Twelve factor app is expected to store configuration in the environment.

Is this intended to include SSL certificate and key files, which can be "large" (multiples of kb at least), and (depending on the format), often contain non-printable characters (newlines at minimum).

Or is the environment expected just to point to the cert/key file names? (This seems perhaps non-ideal when trying to deploy via Docker, for instance--we don't really want to store private keys in the docker image, do we? But maybe that's a separate question.)

Answer 1

An SSL certificate is (strictly seen) not a configuration but an asset file.

How you provide this asset depends on your way of hosting. But here are some options:

An easy way is to integrate letsencrypt and use certbot which handles the downloading of the certs securly and automatically. letsencrypt has some integrations for some languages (e.g. go has several clients that can be integrated into an app).

You could use a load balancer and terminate the ssl at the load balancer. In this case your app does not need to know anything about the cert.

Kubernetes provides secrets that can store certs safely and copy those files on deployment to a pod (simplified: A pod is a package that thinly wraps a docker container including your app).

Kubernetes can also use Ingress as a LoadBalancer which terminates the ssl.

Another option is to use hashicorp's Vault. This is a service that manages and distributes secrets.

Surely, there are more options and these are just hints. But the secure storing and distrubution of ssl certificates is no easy task. I hope I have given some good hints.