# TLS/SSL Certificates

## Provisioning TLS/SSL Certificates 🔐 <a href="#tls-cert-provisioning" id="tls-cert-provisioning"></a>

The `certs` variable in the inventory file selects which TLS/SSL certificate is deployed, so you can use certificates other than the self-signed ones generated by the default installation procedure.

The possible options are:

* **selfsigned**: deploys a self-signed certificate (not recommended for production environments).
* **custom**: deploys your own certificate. Place the certificate and private key files under the `instances/tenant_folder` directory, named `cert.pem` and `key.pem`, respectively.
* **certbot**: deploys an instance with a certificate generated by Let's Encrypt.

The **certbot** option has additional requirements: port 80 must be reachable from the Internet by the CA (Certificate Authority), and a valid email address is needed to receive renewals from the Let's Encrypt provider. The instance must also have a valid FQDN (Fully Qualified Domain Name) with its corresponding DNS resolution.

```
certs: certbot
fqdn: omlinstance.domain.com
notification_email: your_email@domain.com
```

All methods apply to both new installations and updates, except for Certbot (not available for upgrade procedures).
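
For the **custom** option, one way to check `cert.pem` and `key.pem` before running the installer. This is an added example, not part of the project's own tooling: the function name `check_custom_cert`, the 7-day expiry threshold and the key permission check are assumptions, and it needs the `openssl` CLI on the deployment host.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the project).
# Usage: check_custom_cert <tenant_dir> <fqdn>
# Returns 0 when the pair is usable, otherwise a non-zero count of failed checks.
check_custom_cert() {
    dir=$1; fqdn=$2; fails=0
    cert="$dir/cert.pem"; key="$dir/key.pem"

    # Both files must exist under the names the installer expects.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: missing or unreadable $f" >&2; return 1; }
    done

    # The private key must belong to the certificate: compare public keys.
    # "-passin pass:" makes an encrypted key fail here instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: key.pem does not match cert.pem" >&2; fails=$((fails + 1))
    fi

    # Reject a certificate that is expired or expires within 7 days.
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1 || {
        echo "FAIL: cert.pem expired or expiring within 7 days" >&2
        fails=$((fails + 1)); }

    # The certificate must be valid for the instance FQDN.
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
        | grep -q "does match" || {
        echo "FAIL: cert.pem is not valid for $fqdn" >&2
        fails=$((fails + 1)); }

    # The private key should not be world-readable.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: key.pem is world-readable (chmod 600 it)" >&2
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ] && echo "OK: cert.pem and key.pem are usable for $fqdn"
    return "$fails"
}
```

Call it as `check_custom_cert instances/tenant_folder omlinstance.domain.com`, using the same value you set for `fqdn` in the inventory.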
