Platform TLS materials
Path: /admin-settings → Platform Secrets tab
Platform Secrets manage the TLS materials used by SIP trunks for mutual TLS (mTLS) authentication. Metadata lives in Postgres; the PEM content is stored in AWS Secrets Manager.
List columns
| Column | Description |
|---|---|
| Key | Unique identifier (monospace, lowercase). |
| Purpose | CA_CERT / CLIENT_CERT / CLIENT_KEY. |
| Description | Optional notes. |
| Updated | Last modification. |
| Actions | Edit, Set Secret, Delete. |
Fields
| Field | Required | Description |
|---|---|---|
| Key | Yes | Lowercase + digits + underscores. Immutable. |
| Purpose | Yes | CA_CERT / CLIENT_CERT / CLIENT_KEY. Immutable. |
| Description | No | Notes. |
Set Secret
The PEM content is managed via the Set Secret action:
| Field | Required | Description |
|---|---|---|
| Secret Value | Yes | PEM-encoded cert or key. |
| Confirm Value | Yes | Must match. |
PEM content is stored in AWS Secrets Manager and never displayed in the UI after saving.
Workflows
Add a CA certificate
- Click Create.
- Key: e.g. twilio_ca_cert.
- Purpose: CA_CERT.
- Description: e.g. "Twilio carrier CA".
- Save.
- Set Secret → paste PEM → confirm.
Add a client certificate + key for mTLS
- Create one material with Purpose CLIENT_CERT; set its PEM.
- Create another with Purpose CLIENT_KEY; set its PEM.
- In SIP Trunks, reference the CA in TLS CA Certificate, enable Require Client Certificate, and configure Peer Name Verification as needed.
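Because the PEM is never shown again after saving, a mis-paste (for example a private key saved under a certificate Purpose) cannot be spotted by looking at the UI afterwards. The following pre-flight check is an added example, not part of the platform: `preflight`, `sample_pem`, the label-to-Purpose mapping and the sample key names other than `twilio_ca_cert` are assumptions, and the PEM bodies are constructed bytes rather than real material.

```python
import base64
import re

# Key format comes from the Fields table; the PEM labels allowed per Purpose
# are an assumption of this sketch, not the platform's documented validation.
KEY_RE = re.compile(r"[a-z0-9_]+")
EXPECTED_LABELS = {
    "CA_CERT": {"CERTIFICATE"},
    "CLIENT_CERT": {"CERTIFICATE"},
    "CLIENT_KEY": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def sample_pem(label, der):
    """Wrap constructed bytes in a PEM envelope (demo input, not real material)."""
    b64 = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


def preflight(key, purpose, pem):
    """Return a list of problems; an empty list means the paste looks sane."""
    problems = []
    if not KEY_RE.fullmatch(key):
        problems.append("key must be lowercase letters, digits, underscores")
    if purpose not in EXPECTED_LABELS:
        return problems + [f"unknown purpose {purpose!r}"]
    blocks = PEM_RE.findall(pem)
    if not blocks:
        return problems + ["no PEM block found"]
    for label, body in blocks:
        if label not in EXPECTED_LABELS[purpose]:
            problems.append(f"{label} block does not belong in {purpose}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{label} block is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER certs and keys are ASN.1 SEQUENCEs
            problems.append(f"{label} block is not a DER SEQUENCE")
    return problems


FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(64))  # constructed, not a real cert
if __name__ == "__main__":
    # A private key pasted into a certificate slot is flagged before saving.
    print(preflight("twilio_client_cert", "CLIENT_CERT",
                    sample_pem("PRIVATE KEY", FAKE_DER)))
```

This checks only the envelope and encoding; it does not confirm that a CLIENT_CERT and CLIENT_KEY belong to the same key pair.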
See also
- SIP trunks.
- Internal encryption rollout.
- Team overview — team-side Secrets Manager configuration.