Basic concepts of the Certificate API
Last updated on
STACKIT Certificate API integrates with STACKIT Application Load Balancer (ALB) to help you manage TLS/SSL certificates securely and efficiently. This integration ensures encrypted communication between clients and your applications running behind STACKIT Application Load Balancer.
By using STACKIT Certificate API, you can:
- Store TLS/SSL certificates securely.
- Access detailed certificate metadata, which is automatically extracted from your public keys.
- Track certificate usage, to see which load balancers and listeners are using which certificate.
- Manage certificates dynamically.
- Retrieve and use stored certificates when creating HTTPS listeners for the ALB.
- Enable encrypted communication for applications behind the ALB.
Certificate name
Section titled “Certificate name”A unique name you assign to each TLS/SSL certificate.
Public key (certificate)
Section titled “Public key (certificate)”The public part of the TLS certificate, issued by a Certificate Authority (CA) or self-signed. Clients use this certificate to establish secure connections and verify your application’s authenticity.
Private key
Section titled “Private key”The secret key paired with the public certificate. The private key is required for decryption and to establish secure TLS connections. The system stores this key securely—never share it.
Certificate ID
Section titled “Certificate ID”A unique identifier for each TLS/SSL certificate stored in STACKIT Certificate API.
Certificate metadata
Section titled “Certificate metadata”As soon as a certificate is stored, the Certificate API extracts certain technical details from the public key, which you can view through the API:
- SHA256 fingerprint: The SHA256 hash of the raw certificate bytes.
- SHA1 fingerprint: The legacy SHA1 hash for cross-referencing with older systems.
- Subject CN: The primary identity (Common Name) of the certificate.
- Fallback sequence is: Common Name → First DNS Name → Full Subject String.
- Issuer CN: The Common Name (CN) of the Certificate Authority (CA) that issued the certificate.
- Organization: The organization name associated with the certificate subject.
- DNS names: List of all domains and IP addresses the certificate is valid for (Subject Alternative Names - SANs).
- Serial number: The unique hexadecimal serial number assigned by the CA.
- Not before: The timestamp indicating when the certificate becomes valid.
- Not after: The expiration timestamp, after which the certificate is invalid.
- Is CA: A boolean that indicates, if the certificate is a Certificate Authority.
- Is self-signed: A boolean that indicates, if the certificate was signed by its own private key.
- Key strength: Summary of the public key’s algorithm and bit-length (RSA-2048 or ECDSA-P-256, for example). Defaults to “unknown”, if neither RSA nor ECDSA is detected.
- Extended key usage: Describes the purpose that the certificate is intended for.
- For every listed usage, the API adds an entry and can identify “Server Authentication (SSL/TLS Server)”, which is required for a load balancer, “Client Authentication (mTLS)”, “Any usage” and “Other usage”.
- Signature algorithm: The algorithm used by the CA to sign the certificate.
- Public key algorithm: The cryptographic algorithm used for the key pair (RSA or ECDSA, for example).
How certificate management works
Section titled “How certificate management works”This section explains how to store a TLS certificate and use it with STACKIT Application Load Balancer.
Store a TLS certificate with the STACKIT Portal
Section titled “Store a TLS certificate with the STACKIT Portal”- Enter a certificate name.
- Enter the public certificate (public key).
- Enter the private key.
- Certificate API stores the certificate securely and returns a certificate ID.
Use a stored certificate with STACKIT Application Load Balancer
Section titled “Use a stored certificate with STACKIT Application Load Balancer”- Provide the certificate ID when you create an HTTPS listener.
- The ALB retrieves the certificate and private key to enable encrypted traffic.
For more details, refer to the STACKIT Certificate API documentation.