How to manage private keys

You can manage the private keys the charm uses to generate certificate signing requests (CSRs) by storing each private key in a Juju secret and then referencing that secret in the charm configuration.

Store the private key in a Juju secret

To store the private key in a Juju secret, run the following command:

user@host:~$
juju add-secret tls-peer-private-key private-key=$(base64 -w0 private-key.key)
secret:cuni0uh34trs5tihuf9g

The secret ID printed in the output (secret:cuni0uh34trs5tihuf9g here) is the value you use to reference the secret in the charm configuration.

Now that the secret is stored, grant the application access to it with the following command:

user@host:~$
juju grant-secret tls-peer-private-key charmed-etcd

Reference the secret in the charm configuration

For example, to set the private key used for peer-to-peer communication, run:

user@host:~$
juju config charmed-etcd tls-peer-private-key=secret:cuni0uh34trs5tihuf9g

Once the configuration is set, the charm uses the private key stored in the secret to generate new certificate signing requests (CSRs) and acquire new certificates from the TLS provider.

Setting the private key for client-to-server communication works the same way as for peer-to-peer communication, using the tls-client-private-key secret and configuration option:

user@host:~$
juju add-secret tls-client-private-key private-key=$(base64 -w0 private-key.key)
user@host:~$
juju grant-secret tls-client-private-key charmed-etcd
user@host:~$
juju config charmed-etcd tls-client-private-key=<SECRET_ID>
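The peer and client procedures above wrapped in one shell helper, as an added example that is not part of the charmed-etcd documentation. It assumes juju is on PATH with the target model selected, GNU base64 (for -w0), and that the key files are PEM private keys; the function names and the APP/JUJU variables are this example's own.

```sh
#!/bin/sh
# Added example (not from the charmed-etcd documentation): wraps the add-secret,
# grant-secret and config steps in one helper with a sanity check on the key file.
# Assumes juju is on PATH with the target model selected, and GNU base64 (-w0).
set -eu

APP="${APP:-charmed-etcd}"   # application the secret is granted to
JUJU="${JUJU:-juju}"         # override (e.g. JUJU=echo) to dry-run the juju calls

# Pull the "secret:<id>" token out of `juju add-secret` output.
secret_id_from_output() {
    printf '%s\n' "$1" | grep -o 'secret:[0-9a-z]*' | head -n 1
}

# Accept only a PEM private key, so a certificate or public key is never
# stored under the private-key field by mistake.
check_private_key() {
    [ -f "$1" ] && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# install_private_key <secret name> <config option> <key file>
# Creates the secret, grants it to $APP, points the config option at the
# returned secret ID and prints that ID.
install_private_key() {
    secret_name="$1"; config_key="$2"; key_file="$3"
    check_private_key "$key_file" || {
        echo "refusing: $key_file is not a PEM private key" >&2; return 1; }
    out="$("$JUJU" add-secret "$secret_name" "private-key=$(base64 -w0 "$key_file")")"
    id="$(secret_id_from_output "$out")"
    [ -n "$id" ] || { echo "no secret ID in add-secret output: $out" >&2; return 1; }
    "$JUJU" grant-secret "$secret_name" "$APP"
    "$JUJU" config "$APP" "$config_key=$id"
    echo "$id"
}

# Usage: ./manage-keys.sh run peer.key client.key
if [ "${1:-}" = "run" ]; then
    install_private_key tls-peer-private-key   tls-peer-private-key   "$2"
    install_private_key tls-client-private-key tls-client-private-key "$3"
fi
```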