
Deploy certificates


This guide describes the TLS certificates a Punchplatform needs and how to deploy them onto the platform's servers.

Terminology :

  • TLS : Transport Layer Security, in any version
  • CA : Certificate Authority, the entity that issues and signs digital certificates
  • PKI : Public Key Infrastructure, the system that creates, manages, distributes, stores and revokes digital certificates
  • Certificates : here, a component's public key/private key pair together with the certificate of the CA that signed it (when one is needed)

Provide the certificates

The Punchplatform deployer does not generate or provide certificates. Whoever deploys the Punchplatform must obtain all the required digital certificates from a proper PKI beforehand.

Certificates installation

To install your certificates on the different servers, use the certificates configuration inside punchplatform-deployment.settings.

All your certificates will be copied from the source directory to {setups_root}/certificates with :

  • 0600 Unix permissions (read and write for the owner only, so private keys are not readable by other accounts)
  • punchplatform_daemons_user as owner, taken from the punchplatform-deployment.settings configuration file
  • punchplatform_group as group, taken from the punchplatform-deployment.settings configuration file


The {setups_root} value comes from the platform configuration inside the punchplatform-deployment.settings file. Check the punchplatform-deployment.settings documentation.

Supported formats :

  • .pem PEM-encoded key and certificate files
  • .p12 PKCS#12 keystore files
  • .jks Java keystore files
  • .keystore keystore files

Finally, spread the certificates over the platform with the certificates tag : --deploy -Kk --tags certificates


This role can also be used to patch a platform : it replaces previously deployed certificates with new ones whenever the file names match between the source folder and /data/opt/certificates.

Update certificates

To update your certificates, use the certificates role. New files whose name matches one already deployed are ignored, to prevent accidental overwriting. After running the role, compare the deployed files with the source folder to confirm which ones were actually replaced.
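As an added check, not part of the Punchplatform documentation or deployer: a shell script that audits the deployed certificates directory after the certificates role has run. It confirms the 0600 mode and the owner/group listed under "Certificates installation", flags deployed files whose content differs from the source folder (what a certificate left untouched by an ignored update looks like), reports source files that never reached the target, and, for PEM certificates, refuses any that is expired or expires within 30 days. The source and target paths and the owner and group names are assumptions passed on the command line; it uses GNU/busybox stat and openssl, both assumed to be present on the servers.

```shell
#!/bin/sh
# Added example, not part of the Punchplatform deployer. Audits a deployed
# certificates directory against the source folder handed to the certificates
# role. Paths, owner and group are assumptions given as arguments.
#
# Usage: check_certificates.sh SRC_DIR DEPLOYED_DIR OWNER GROUP
#   e.g. check_certificates.sh ./certificates /data/opt/certificates \
#          punchplatform punchplatform      (hypothetical user/group names)
set -u

# Verify that every file in SRC exists in DST with identical content, mode 0600
# and the expected owner/group. A differing copy is reported as STALE. Prints
# one line per problem on stderr; returns 0 only if everything is consistent.
check_deployed_certificates() {
  src="$1"; dst="$2"; owner="$3"; group="$4"
  rc=0
  for f in "$src"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    if [ ! -f "$dst/$name" ]; then
      echo "MISSING $name: not found in $dst" >&2
      rc=1
      continue
    fi
    if ! cmp -s "$f" "$dst/$name"; then
      echo "STALE   $name: deployed copy differs from $src/$name" >&2
      rc=1
    fi
    # GNU/busybox stat: octal mode, owner name, group name
    mode=$(stat -c '%a' "$dst/$name")
    fowner=$(stat -c '%U' "$dst/$name")
    fgroup=$(stat -c '%G' "$dst/$name")
    [ "$mode" = "600" ]      || { echo "MODE    $name: $mode, expected 600" >&2; rc=1; }
    [ "$fowner" = "$owner" ] || { echo "OWNER   $name: $fowner, expected $owner" >&2; rc=1; }
    [ "$fgroup" = "$group" ] || { echo "GROUP   $name: $fgroup, expected $group" >&2; rc=1; }
  done
  return $rc
}

# Verify that no PEM certificate in DIR is expired or expires within DAYS days
# (default 30). openssl's -checkend exits non-zero when the certificate will
# have expired DAYS days from now. Files holding only a private key are skipped.
check_certificate_validity() {
  dir="$1"; days="${2:-30}"
  rc=0
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || continue
    grep -q 'BEGIN CERTIFICATE' "$f" || continue
    if ! openssl x509 -noout -in "$f" -checkend $((days * 86400)) >/dev/null 2>&1; then
      echo "EXPIRY  $(basename "$f"): expired or expires within $days days" >&2
      rc=1
    fi
  done
  return $rc
}

# Command-line entry point: run both checks and exit non-zero on any finding.
if [ $# -eq 4 ]; then
  status=0
  check_certificate_validity "$1" 30 || status=1
  check_deployed_certificates "$1" "$2" "$3" "$4" || status=1
  [ $status -eq 0 ] && echo "certificates OK"
  exit $status
fi
```

Run it from the machine holding the source folder against each server's {setups_root}/certificates (for example over ssh) right after the deployment command; a non-zero exit status with STALE lines means the role did not replace the file, and the old certificate is still what the daemons will load.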