X.509 Certificates
An X.509 certificate stores a single PEM-encoded certificate. Unlike a TLS bundle, it does not include a private key or a CA certificate -- it holds one certificate file only.
When to use an X.509 certificate
- Your application needs to trust an intermediate CA or cross-signed certificate
- You distribute a signing certificate that other services validate against
- A third-party integration requires you to supply a client certificate separately from the key
- You need to pin a specific certificate for verification purposes
What Bahriya extracts
When you upload an X.509 certificate, Bahriya parses it and stores metadata alongside the encrypted material:
| Field | Description |
|---|---|
| Subject | The entity the certificate identifies (e.g. CN=signing.example.com) |
| Issuer | The CA that signed the certificate |
| Fingerprint | SHA256 fingerprint for verification |
| Algorithm | Key algorithm (RSA, EC, etc.) and key size |
| Expires | Certificate expiry date, shown as a countdown badge in the console |
This metadata is visible in list views and detail pages so you can spot expiring certificates at a glance.
Mounting in containers
When you attach an X.509 certificate to a container, you choose a mount path. The certificate file appears as:
<mount-path>/cert.pem    # The certificate
Your application reads it from this path. For example, a service that validates upstream signatures might reference /etc/certs/cert.pem.
Rotation
Rotation creates a new version of the certificate. The previous version is retained for rollback. After rotation:
- File-mounted containers pick up the new certificate automatically within about 60 seconds. No manual action needed.
- If you need to force a restart, use the Redeploy button on the Consumers panel.
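If a consumer pins the certificate, rotation changes the SHA-256 fingerprint, so the application has to re-read cert.pem and accept the new version only when its fingerprint is pinned. The sketch below is an added example, not Bahriya code; the names pem_fingerprint, PinnedCertFile and demo, the polling approach, and the placeholder bytes standing in for real DER are assumptions.

```python
import hashlib
import ssl
import tempfile
from pathlib import Path

def pem_fingerprint(pem_text):
    """SHA-256 of the DER bytes of exactly one PEM certificate, lowercase hex."""
    if pem_text.count("-----BEGIN CERTIFICATE-----") != 1:
        raise ValueError("expected a single certificate, not a bundle")
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()

class PinnedCertFile:
    """Re-reads a mounted cert.pem; accepts it only if its fingerprint is pinned."""
    def __init__(self, path, pins):
        self.path = Path(path)
        self.pins = [p.replace(":", "").lower() for p in pins]  # AB:CD:.. or abcd..
        self.active_fp = None   # fingerprint of the last accepted certificate
        self.active_pem = None  # its PEM text, for the application's verifier

    def refresh(self):
        """Call on a timer. Returns 'loaded', 'unchanged' or 'rejected'."""
        try:
            pem = self.path.read_text(encoding="ascii")
            fp = pem_fingerprint(pem)
        except (OSError, ValueError):
            return "rejected"   # unreadable, or not one PEM certificate
        if fp == self.active_fp:
            return "unchanged"
        if fp not in self.pins:
            return "rejected"   # keep using the last accepted certificate
        self.active_fp, self.active_pem = fp, pem
        return "loaded"

def demo():
    """Constructed walk-through; placeholder bytes stand in for real DER."""
    v1, v2 = (ssl.DER_cert_to_PEM_cert(b"constructed v%d" % n) for n in (1, 2))
    with tempfile.TemporaryDirectory() as mount:  # stands in for <mount-path>
        cert = Path(mount) / "cert.pem"
        cert.write_text(v1)
        watcher = PinnedCertFile(cert, [pem_fingerprint(v1)])  # v2 not pinned yet
        steps = [watcher.refresh(), watcher.refresh()]
        cert.write_text(v2)                       # rotation lands on the mount
        steps.append(watcher.refresh())           # unpinned: v1 stays active
        watcher.pins.append(pem_fingerprint(v2))  # new pin added
        steps.append(watcher.refresh())
    return steps

if __name__ == "__main__":
    print(demo())  # ['loaded', 'unchanged', 'rejected', 'loaded']
```

Adding the new version's fingerprint to the pin set before rotating avoids the window in which consumers reject the freshly mounted file.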
Pricing
X.509 certificates are billed at $0.02 per month while they exist, plus $0.02 per region per month when attached to a project.