TLS Bundles

A TLS bundle stores the three pieces of certificate material your containers need for encrypted communication: a CA certificate, a server certificate, and a private key.

Updated 23 Jun 2026 · 2 min read

When to use a TLS bundle

  • Your container serves HTTPS traffic and you manage your own certificates
  • You need mTLS (mutual TLS) between services
  • A managed database or cache requires TLS connections and you supply your own CA

What Bahriya extracts

When you upload a TLS bundle, Bahriya parses the certificate and stores metadata alongside the encrypted material:

Field        Description
Subject      The entity the certificate identifies (e.g. CN=api.example.com)
Issuer       The CA that signed the certificate
Fingerprint  SHA256 fingerprint for verification
Algorithm    Key algorithm (RSA, EC, etc.) and key size
Expires      Certificate expiry date, shown as a countdown badge in the console

This metadata is visible in list views and detail pages so you can spot expiring certificates at a glance.

Mounting in containers

When you attach a TLS bundle to a container, you choose a mount path. The three files appear as:

<mount-path>/ca.crt     # CA certificate
<mount-path>/tls.crt    # Server certificate
<mount-path>/tls.key    # Private key

Your application reads them from this path. For example, an Nginx container might reference /etc/tls/tls.crt and /etc/tls/tls.key.

Rotation

Rotation creates a new version of the bundle with updated certificate material. The previous version is retained for rollback. After rotation:

  • File-mounted containers pick up the new certificates automatically within about 60 seconds. No manual action needed.
  • If you need to force a restart, use the Redeploy button on the Consumers panel.
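
To confirm from inside a container that the mounted files are the version you expect after a rotation, you can compare the fingerprint of tls.crt with the Fingerprint field shown in the console. The script below is an added example, not Bahriya's own code. It assumes the console fingerprint is the usual SHA-256 over the certificate's DER encoding, and the function names and the other-readable check on tls.key are this example's own.

```python
import base64, hashlib, os, re, stat

BUNDLE_FILES = ("ca.crt", "tls.crt", "tls.key")  # file names from this page
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem_text):
    """SHA-256 (hex) over the DER bytes of the first certificate in PEM text."""
    block = PEM_CERT.search(pem_text)
    if block is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(block.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def inspect_bundle(mount_path):
    """Report missing files, the tls.crt fingerprint, and tls.key exposure."""
    missing = [name for name in BUNDLE_FILES
               if not os.path.isfile(os.path.join(mount_path, name))]
    report = {"missing": missing, "fingerprint": None,
              "key_other_readable": None}
    if "tls.crt" not in missing:
        path = os.path.join(mount_path, "tls.crt")
        with open(path, encoding="utf-8", errors="replace") as fh:
            report["fingerprint"] = cert_fingerprint(fh.read())
    if "tls.key" not in missing:
        mode = os.stat(os.path.join(mount_path, "tls.key")).st_mode
        # True means any local user in the container can read the key.
        report["key_other_readable"] = bool(mode & stat.S_IROTH)
    return report

def normalize(fingerprint):
    """Make 'AB:CD:...' and 'abcd...' renderings comparable."""
    return fingerprint.replace(":", "").replace(" ", "").lower()

def matches_console(report, console_fingerprint):
    """Compare the mounted certificate with a value copied from the console."""
    mounted = report["fingerprint"]
    return mounted is not None and \
        normalize(mounted) == normalize(console_fingerprint)

if __name__ == "__main__":
    # /etc/tls is the example mount path used on this page.
    print(inspect_bundle("/etc/tls"))
```

Run it before and after a rotation: the fingerprint should change to the new version's value once the files have been refreshed.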

Private key visibility

The private key is never displayed in the console, API responses, or CLI output. It is stored encrypted at rest and only decrypted when rendering the manifest that deploys to your containers.

Pricing

TLS bundles are billed at $0.02 per month while they exist, plus $0.02 per region per month when attached to a project.
