Skip to content

Install certificates


This guide provides information about TLS certificates and how to deal with their deployment on a Punchplatform.

Terminology :

  • TLS : Transport Layer Security, in any version
  • CA : Certificate Authority that issues digital certificates
  • PKI : Public Key Infrastructure that creates, manages, distributes, encrypts and revoke digital certificates
  • Certificates : concern the public key/private key pair, and the related CA (if needed)

Provide the certificates

The Punchplatform deployer is not in charge of the certificate's providing. Any user who deploys the Punchplatform should get all the digital certificates from a proper PKI.


Certificates deployment

To install your certificates to the different servers, use the certificates configuration inside punchplatform-deployment.settings

All your certificates will be copied from the source directory to /data/opt/certificates with :

  • 600 Unix permissions
  • punchplatform_daemons_user for owner's permissions, from punchplatform-deployment.settings configuration file
  • punchplatform_group for group's permissions, from punchplatform-deployment.settings configuration file

Supported formats :

  • .pem key files
  • .p12 PKCS12 keystore files
  • .jks JAVA keystore files
  • .keystore keystore files

Finally, spread the certificates over the platform : --deploy -Kk --tags certificates


This role can be used to patch a platform : it replaces previous certificates with new ones as long as the names match, between the files inside the source folder and those inside /data/opt/certificates.