TLS Certificate Management
Overview
The TLS Certificate Management system provides a centralized, secure way to manage TLS certificates across your entire data pipeline infrastructure. With automated certificate lifecycle management, you can ensure secure communications between sources and destinations while reducing operational overhead.
Key Benefits
Centralized Management: Store and manage all TLS certificates in one location, eliminating scattered certificate files across your infrastructure.
Reusable Certificates: Use the same certificate across multiple data sources and destinations, simplifying certificate deployment and renewal.
Usage Protection: The system prevents accidental deletion of certificates that are actively in use by your sources or destinations.
Automatic Metadata Extraction: The system automatically extracts issuer, subject, SANs, common name, and expiration date from your certificate files.
Enterprise-Grade Security: All sensitive data including certificates, private keys, and passphrases are encrypted at rest using AES-256-GCM encryption.
Automated Expiration Monitoring (Planned): Receive proactive alerts as the expiration date approaches.
How It Works
Observo's certificate management system uses an event-driven architecture to synchronize certificates across your sites automatically. When you add, update, or delete a certificate, the changes are immediately propagated to all relevant sites where your data sources and destinations operate.
Getting Started
Adding a Certificate
Navigate to Pipeline Manager -> Settings -> Certificates in the Observo UI sidebar.
Click the Add Certificate button in the top right.
Fill in the required fields:
Name: A unique identifier for this certificate within the selected site
Description: (Optional) Additional context about the certificate's purpose
Certificate: Upload or paste your PEM-formatted certificate
Private Key: Upload or paste your PEM-formatted private key
Passphrase: (Optional) If your private key is encrypted
CA Certificate: (Optional) Certificate authority chain if required

Click Save to upload the certificate.
The system will automatically extract certificate metadata (issuer, subject, common name, expiration date, and SANs) and display them in the certificate list.
Understanding Certificate Information
Once uploaded, the certificate list displays important information at a glance:
Name
The unique identifier you assigned to this certificate
Description
Optional notes about the certificate's purpose or usage
Status
Current state: Active, Expired, or Deleted
Expiry Date
When the certificate will expire (automatically extracted from the certificate)
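The metadata extraction described above, as an added example written for this page in Go with only the standard library (it is not Observo's code): ExtractInfo pulls the issuer, subject, common name, DNS SANs and expiry date from a PEM certificate and derives the Active/Expired state from the expiry date (Deleted is a record state, not a property of the file); SelfSignedPEM, "Example Org" and the host names are constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CertInfo holds the fields the certificate list displays after upload.
type CertInfo struct {
	Issuer, Subject, CommonName, Status string
	SANs                                []string
	NotAfter                            time.Time
}

// ExtractInfo decodes one PEM CERTIFICATE block; Status is Active until now passes NotAfter.
func ExtractInfo(pemData []byte, now time.Time) (CertInfo, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertInfo{}, errors.New("input is not a PEM-encoded certificate")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertInfo{}, err
	}
	info := CertInfo{Issuer: c.Issuer.String(), Subject: c.Subject.String(), CommonName: c.Subject.CommonName,
		SANs: append([]string{}, c.DNSNames...), NotAfter: c.NotAfter, Status: "Active"}
	if now.After(c.NotAfter) {
		info.Status = "Expired"
	}
	return info, nil
}

// SelfSignedPEM builds a constructed test certificate (not an Observo artifact) valid for the year ending at notAfter.
func SelfSignedPEM(cn string, sans []string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: sans,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Only DNS SANs are collected here; IP SANs would come from the parsed certificate's IPAddresses field, and a private-key block is rejected rather than parsed.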

Using Certificates in Your Data Pipeline
Once a certificate is uploaded and active, you can reference it in your source and destination configurations:
When configuring a source or destination that requires TLS, select the certificate from the dropdown menu, or add a new certificate using the Create button.

The system will automatically apply the certificate to establish secure connections.
You can reuse the same certificate across multiple sources and destinations without re-uploading.
Updating Certificates
When you need to update a certificate (such as during renewal), the system makes it easy:
Click on the certificate name in the list to open the Edit Certificate dialog.
Upload the new certificate and private key files.
Click Save to update.

Certificate Expiration Monitoring
Observo automatically monitors all certificates for expiration and provides proactive alerts to prevent service disruptions.
Viewing Expiring Certificates
You can quickly identify certificates that need attention by viewing the Expiry Date column in the certificate list. Certificates expiring soon will be prominently highlighted, and you can filter the view to show only expiring certificates.
Deleting Certificates
Observo provides safety mechanisms to prevent accidental deletion of certificates that are actively in use.
Usage Protection
When you attempt to delete a certificate:
You'll see a warning message.

You'll have the option to either cancel the deletion or force it (if you're certain you want to proceed).
Upon deletion, Observo marks the certificate as deleted but retains the record, and immediately clears all sensitive data (certificate, private key, passphrase) for security.
Important: Force deleting a certificate that's in use may cause connection failures for the affected sources and destinations. Always update configurations to use a different certificate before deleting.
Understanding TLS Client and Server Roles
When configuring TLS for sources and destinations, it's important to understand which component acts as the TLS client and which acts as the server, as this determines where certificates and CA files must be placed.
Sources:
Pull-based sources: Observo acts as the TLS client
Certificate requirement: The remote server's CA certificate must be available to Observo
Example:
Source Type: HTTP Collector
TLS Settings: Enabled

Push-based sources (external systems push data to Observo): Observo acts as the TLS server
Certificate requirement: Observo's server certificate and private key must be configured
Example:
Source Type: Syslog
TLS Settings: Enabled

Destinations:
All destinations: Observo acts as the TLS client
Observo initiates connections to external systems
Certificate requirement: The destination server's CA certificate must be available to Observo
Example:

Security Features
Security is paramount in certificate management. Observo implements multiple layers of protection for your sensitive data.
Encryption at Rest
All sensitive certificate data is encrypted using AES-256-GCM encryption, the industry standard for data security. This includes:
Certificate files (PEM format)
Private keys
Passphrases
CA certificates
Encryption and decryption happen transparently, ensuring your certificates are protected both in storage and during transmission to your sites.
Access Control
Certificate access is controlled at the site level:
Users can only view and manage certificates for sites they have permission to access.
Role-based access control (RBAC) ensures appropriate authorization levels.
All certificate operations are logged for audit purposes.
Path Immutability
Once a certificate is created, its internal file path cannot be changed. This ensures:
Consistent references across all sources and destinations
Prevention of accidental path changes that could break configurations
Reliable certificate updates without disrupting existing deployments
Best Practices
Certificate Naming Conventions
Use descriptive names that indicate the certificate's purpose, such as 'prod-api-tls' or 'staging-kafka-cert'.
Include environment indicators (prod, staging, dev) so you can quickly identify which certificate to use.
Avoid special characters in certificate names; stick to alphanumeric characters and hyphens.
Certificate Organization
Use labels to organize certificates by environment, team, or application for easier management.
Document certificate purposes in the description field to help team members understand their usage.
Maintain separate certificates for different environments (production, staging, development) rather than reusing the same certificate.
Certificate Renewal Management
Monitor expiration alerts and address them promptly, ideally when you receive the 30-day advance notice.
Test renewed certificates in non-production environments before deploying to production.
Keep backup certificates available for quick rollback if a renewed certificate causes issues.