> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gcore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure secrets for HTTPS load balancer

export const MethodSection = ({children}) => children ?? null;

export const MethodSwitch = ({children}) => {
  const tabs = React.Children.toArray(children).map(c => {
    if (!c || !c.props) return null;
    if (c.props.id) return c;
    const inner = c.props.children;
    if (inner && inner.props && inner.props.id) return inner;
    return null;
  }).filter(Boolean);
  const firstId = tabs.length > 0 ? tabs[0].props.id : "";
  const [active, setActive] = React.useState(firstId);
  React.useEffect(() => {
    try {
      const saved = localStorage.getItem("gcore_docs_method");
      if (saved && tabs.find(t => t.props.id === saved)) {
        setActive(saved);
      }
    } catch (_) {}
  }, []);
  React.useEffect(() => {
    try {
      document.querySelectorAll("h2[id], h3[id]").forEach(heading => {
        const visible = heading.offsetParent !== null;
        document.querySelectorAll(`a[href="#${heading.id}"]`).forEach(link => {
          if (link.closest("h1,h2,h3,h4,h5,h6")) return;
          const li = link.closest("li");
          if (li) li.style.display = visible ? "" : "none";
        });
      });
    } catch (_) {}
    window.dispatchEvent(new Event("scroll"));
  }, [active]);
  const handleClick = id => {
    setActive(id);
    try {
      localStorage.setItem("gcore_docs_method", id);
    } catch (_) {}
  };
  return <div>
      <div className="not-prose flex gap-0 border-b border-zinc-200 dark:border-zinc-800 mb-8 mt-2" role="tablist">
        {tabs.map(tab => {
    const isActive = active === tab.props.id;
    return <button key={tab.props.id} role="tab" aria-selected={isActive} onClick={() => handleClick(tab.props.id)} className={["px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors cursor-pointer", isActive ? "border-primary text-primary" : "border-transparent text-zinc-500 hover:text-zinc-800 dark:hover:text-zinc-200"].join(" ")}>
              {tab.props.label}
            </button>;
  })}
      </div>

      {tabs.map(tab => <div key={tab.props.id} style={{
    display: active === tab.props.id ? "" : "none"
  }}>
          {tab.props.children}
        </div>)}
    </div>;
};

<MethodSwitch>
  <MethodSection id="portal" label="Customer Portal">
    <p>Secrets Manager is a dedicated section for managing SSL/TLS secrets required to create Load Balancers with HTTPS listeners. Secrets can be added either as a base64-encoded PKCS12 file or as individual certificate fields.</p>

    ## Upload a PKCS12 file

    <p>If a PKCS12 file is already available, paste its base64-encoded content directly into Secrets Manager — no manual certificate fields needed.</p>

    <Steps>
      <Step title="Open Secrets Manager">
        <p>In the [Gcore Customer Portal](https://portal.gcore.com), navigate to **Cloud** and click **Secrets Manager** in the left menu. Click **Create Secret**.</p>

        <Frame>
          <img src="https://mintcdn.com/gcore/yrEa6OGy4Q_zWlXb/images/docs/cloud/secrets-manager/upload-a-pkcs12-file/secrets-manager-page.png?fit=max&auto=format&n=yrEa6OGy4Q_zWlXb&q=85&s=1c2ba444d27fa4257f823137dfdffc8c" alt="Secrets Manager page with Create Secret button" width="1400" height="900" data-path="images/docs/cloud/secrets-manager/upload-a-pkcs12-file/secrets-manager-page.png" />
        </Frame>
      </Step>

      <Step title="Enable PKCS12 upload">
        <p>Enable the **Upload as PKCS12 file** toggle.</p>

        <Frame>
          <img src="https://mintcdn.com/gcore/yrEa6OGy4Q_zWlXb/images/docs/cloud/secrets-manager/upload-a-pkcs12-file/upload-as-pkcs12-file.png?fit=max&auto=format&n=yrEa6OGy4Q_zWlXb&q=85&s=c33eb8860ce03accb66388ead299b75e" alt="Create Secret form with Upload as PKCS12 file toggle enabled" width="1400" height="900" data-path="images/docs/cloud/secrets-manager/upload-a-pkcs12-file/upload-as-pkcs12-file.png" />
        </Frame>
      </Step>

      <Step title="Enter secret details">
        1. In the **Name** field, enter a name for the secret.
        2. In the **Secret content** field, paste the base64-encoded PKCS12 content.
        3. Click **Save**.
      </Step>
    </Steps>

    ## Add certificates directly

    <p>If no PKCS12 file is available, certificate details can be entered individually in Secrets Manager.</p>

    <Steps>
      <Step title="Open Secrets Manager">
        <p>In the Customer Portal, navigate to **Cloud** and click **Secrets Manager** in the left menu. Click **Create Secret**.</p>
      </Step>

      <Step title="Fill in the certificate fields">
        <p>In the form that opens, complete the following fields and click **Save**:</p>

        1. In the **Name** field, enter a name for the secret.
        2. In the **Private key** field, paste the private key file content.
        3. In the **Certificate** field, paste the SSL/TLS certificate file content.
        4. Optionally, in the **Certificate chain** field, paste the intermediate CA certificate content. If the CA provides multiple intermediate certificates, include them all.

        <Frame>
          <img src="https://mintcdn.com/gcore/yrEa6OGy4Q_zWlXb/images/docs/cloud/secrets-manager/upload-a-pkcs12-file/add-certificates-directly.png?fit=max&auto=format&n=yrEa6OGy4Q_zWlXb&q=85&s=55ef53a9a1a8e8775ecec969f5a5f415" alt="Create Secret form with Private key, Certificate, and Certificate chain fields" width="1400" height="900" data-path="images/docs/cloud/secrets-manager/upload-a-pkcs12-file/add-certificates-directly.png" />
        </Frame>
      </Step>
    </Steps>

    ## Create a PKCS12 file

    <p>PKCS12 (Public-Key Cryptography Standards) is a binary format for storing an SSL/TLS certificate, certificate chain, and private key in one encrypted file. The three elements are combined so they can be transported and loaded together. Each is essential for an HTTPS connection:</p>

    * The main certificate is a digital signature of the site that confirms the domain belongs to its registered owner.
    * The certificate chain contains the certificate authorities (CAs) that issued and validated the certificate.
    * The private key is the cryptographic key used to encrypt data exchanged between the server and clients.

    <p>Once the PKCS12 file is ready, encode its contents to base64 and paste the result into the **Secret content** field when creating a secret in Secrets Manager.</p>

    ### 1. Prepare certificate files

    <p>Three files are needed: the SSL/TLS certificate for the domain, the certificate chain, and the private key. The domain must point to the virtual IP address of the Load Balancer via a DNS A record — Gcore [DNS records](/dns/dns-records/manage-dns-records-advanced-interface-mode-with-balancing) support load-balanced A record configurations.</p>

    <p>A CA does not always include the certificate chain with the main certificate — sometimes only the main certificate is provided, as browsers can often validate a domain name without the full chain. To obtain the certificate chain separately:</p>

    1. Download the root and intermediate certificates from the CA that issued the certificate.
    2. Create a new file in any text editor.
    3. If the CA provides a certificate chain separately, create a chain file containing only the intermediate and root CA certificates — not the domain certificate. Place them in the following order:

    * Content of the root certificate (for example, `CARoot.crt`)
    * Content of intermediate certificate no. 1 (for example, `Intermediate1.crt`)
    * Content of intermediate certificate no. 2 (for example, `Intermediate2.crt`)

    ### 2. Merge certificate files into PKCS12

    <p>With all files available, merge them into PKCS12 format. The steps below cover the most common case — creating a PKCS12 file from PEM-format inputs.</p>

    1. Install [OpenSSL](https://openssl.org) — a library for working with SSL/TLS protocols.
    2. Check that the certificate files are in PEM format. PEM files have the extension `.pem`, `.crt`, `.cer`, or `.key`, and begin with `-----BEGIN CERTIFICATE-----`, ending with `-----END CERTIFICATE-----`.
    3. If any files are not in PEM format, convert them using OpenSSL. Replace the text in square brackets with the actual file names.

    **For `.crt`, `.cer`, or `.der` files:**

    ```sh theme={null}
    openssl x509 -inform der -in [filename.ext] -out [output].pem
    ```

    **For `.p7b` or `.p7c` files:**

    ```sh theme={null}
    openssl pkcs7 -print_certs -in [filename.ext] -out [output].cer
    ```

    4. Place the main certificate, private key, and certificate chain (three PEM files) in the working directory.
    5. Merge the files into PKCS12:

    ```sh theme={null}
    openssl pkcs12 -export -inkey [private-key.key] -in [certificate.crt] -certfile [chain.crt] -passout pass: -out [output].p12
    ```

    <p>With files `server.crt` (certificate), `server.key` (private key), and `ca-chain.crt` (certificate chain):</p>

    ```sh theme={null}
    openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca-chain.crt -passout pass: -out server.p12
    ```

    ### 3. Base64 encode

    <p>Encode the PKCS12 file contents to base64.</p>

    **Windows:**

    ```sh theme={null}
    certutil.exe -encode [path\to\file.p12] [output].b64
    ```

    <p>Open the resulting `.b64` file in a text editor and delete the first and last lines (`-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`). The remaining text is the Secret content.</p>

    **macOS:**

    ```sh theme={null}
    openssl base64 -in [path/to/file.p12] -out [output].txt
    ```

    <p>The resulting `.txt` file contains the base64-encoded PKCS12 content to paste into **Secret content**.</p>

    **Linux** (run in the directory containing the PKCS12 file):

    ```sh theme={null}
    base64 [filename.p12] > [output]
    ```

    <p>The output file contains the base64-encoded content. Open it with `nano [output]` to copy the content.</p>

    ## HTTPS listener setup

    <Info>
      A secret in use by a Load Balancer listener cannot be deleted. To remove a secret, delete the associated listener first, then delete the secret. Recreate the listener afterward if needed.
    </Info>

    <p>An HTTPS Load Balancer listener with TLS termination references the secret by ID — the [HTTPS listener guide](/cloud/networking/load-balancers/add-certificates-to-load-balancer) covers listener creation and SNI configuration.</p>
  </MethodSection>

  <MethodSection id="api" label="REST API">
    <p>Use the Gcore API to create TLS certificate secrets for HTTPS load balancer listeners — PEM-formatted certificate files are accepted directly, without PKCS12 conversion.</p>

    <Info>
      An [API token](/account-settings/api-tokens) is required, along with a [project ID](/api-reference/cloud/projects/list-projects) and a [region ID](/api-reference/cloud/regions/list-regions).
    </Info>

    <p>Set the following environment variables before running the examples:</p>

    ```bash theme={null}
    export GCORE_API_KEY="{YOUR_API_KEY}"
    export GCORE_CLOUD_PROJECT_ID="{YOUR_PROJECT_ID}"
    export GCORE_CLOUD_REGION_ID="{YOUR_REGION_ID}"
    ```

    ## Quickstart

    <p>The scripts below create a TLS certificate secret from PEM files and print the secret ID for use in a load balancer listener.</p>

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        import os
        from gcore import Gcore

        client = Gcore()

        # Step 1. Load PEM certificate files.
        with open("certificate.pem") as f:
            certificate = f.read()
        with open("private_key.pem") as f:
            private_key = f.read()
        with open("certificate_chain.pem") as f:
            certificate_chain = f.read()

        # Step 2. Create the TLS certificate secret.
        secret = client.cloud.secrets.upload_tls_certificate_and_poll(
            name="my-tls-secret",
            payload={
                "certificate": certificate,
                "private_key": private_key,
                "certificate_chain": certificate_chain,
            },
        )
        print(f"Secret ID: {secret.id}")
        print(f"Status:    {secret.status}")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        package main

        import (
            "context"
            "fmt"
            "log"
            "os"

            gcore "github.com/G-Core/gcore-go"
            "github.com/G-Core/gcore-go/cloud"
        )

        func main() {
            client := gcore.NewClient()
            ctx := context.Background()

            // Step 1. Load PEM certificate files.
            certificate, err := os.ReadFile("certificate.pem")
            if err != nil {
                log.Fatal(err)
            }
            privateKey, err := os.ReadFile("private_key.pem")
            if err != nil {
                log.Fatal(err)
            }
            certChain, err := os.ReadFile("certificate_chain.pem")
            if err != nil {
                log.Fatal(err)
            }

            // Step 2. Create the TLS certificate secret.
            secret, err := client.Cloud.Secrets.UploadTlsCertificateAndPoll(ctx, cloud.SecretUploadTlsCertificateParams{
                Name: "my-tls-secret",
                Payload: cloud.SecretUploadTlsCertificateParamsPayload{
                    Certificate:      string(certificate),
                    PrivateKey:       string(privateKey),
                    CertificateChain: string(certChain),
                },
            })
            if err != nil {
                log.Fatal(err)
            }
            fmt.Printf("Secret ID: %s\n", secret.ID)
            fmt.Printf("Status:    %s\n", secret.Status)
        }
        ```
      </Tab>
    </Tabs>

    ## Step-by-step

    <p>Each step below explains what the call does, which parameters matter, and what the response looks like.</p>

    <Accordion title="Show all steps">
      ### Step 1. Create a TLS certificate secret

      <p>The [create secret](/api-reference/cloud#tag/Secrets/operation/SecretsViewSetV2.post) endpoint accepts PEM-formatted certificate data directly — no PKCS12 packaging or base64 encoding required.</p>

      | Parameter                   | Required | Description                                                      |
      | --------------------------- | -------- | ---------------------------------------------------------------- |
      | `name`                      | Yes      | Display name for the secret                                      |
      | `payload.certificate`       | Yes      | SSL/TLS certificate in PEM format                                |
      | `payload.private_key`       | Yes      | Private key in PEM format                                        |
      | `payload.certificate_chain` | Yes      | Chain of intermediate and root certificates in PEM format        |
      | `expiration`                | No       | ISO 8601 datetime when the secret expires; defaults to no expiry |

      <Tabs>
        <Tab title="Python SDK">
          ```python theme={null}
          import os
          from gcore import Gcore

          client = Gcore()

          with open("certificate.pem") as f:
              certificate = f.read()
          with open("private_key.pem") as f:
              private_key = f.read()
          with open("certificate_chain.pem") as f:
              certificate_chain = f.read()

          secret = client.cloud.secrets.upload_tls_certificate_and_poll(
              name="my-tls-secret",
              payload={
                  "certificate": certificate,
                  "private_key": private_key,
                  "certificate_chain": certificate_chain,
              },
          )
          print(f"Secret ID: {secret.id}")   # save as SECRET_ID
          print(f"Status:    {secret.status}")
          ```
        </Tab>

        <Tab title="Go SDK">
          ```go theme={null}
          certificate, _ := os.ReadFile("certificate.pem")
          privateKey, _ := os.ReadFile("private_key.pem")
          certChain, _ := os.ReadFile("certificate_chain.pem")

          secret, err := client.Cloud.Secrets.UploadTlsCertificateAndPoll(ctx, cloud.SecretUploadTlsCertificateParams{
              Name: "my-tls-secret",
              Payload: cloud.SecretUploadTlsCertificateParamsPayload{
                  Certificate:      string(certificate),
                  PrivateKey:       string(privateKey),
                  CertificateChain: string(certChain),
              },
          })
          if err != nil {
              log.Fatal(err)
          }
          fmt.Printf("Secret ID: %s\n", secret.ID)   // save as SECRET_ID
          ```
        </Tab>

        <Tab title="curl">
          ```bash theme={null}
          curl -X POST "https://api.gcore.com/cloud/v2/secrets/$GCORE_CLOUD_PROJECT_ID/$GCORE_CLOUD_REGION_ID" \
            -H "Authorization: APIKey $GCORE_API_KEY" \
            -H "Content-Type: application/json" \
            -d '{
              "name": "my-tls-secret",
              "payload": {
                "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
                "certificate_chain": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
              }
            }'
          ```

          Response:

          ```json theme={null}
          {
            "tasks": ["b63f0fff-1234-5678-abcd-ef0123456789"]
          }
          ```

          Poll `GET https://api.gcore.com/cloud/v1/tasks/{task_id}` every 5 seconds until `state` is `FINISHED`. The created secret ID is in `created_resources.secrets[0]`.
        </Tab>
      </Tabs>

      ### Step 2. Use in an HTTPS listener

      <p>Pass `SECRET_ID` as the `secret_id` parameter when creating an HTTPS load balancer listener. The `secret_id` is returned from the create call above.</p>
    </Accordion>

    ## Additional operations

    <Accordion title="List secrets">
      <p>The [list secrets](/api-reference/cloud#tag/Secrets/operation/SecretsViewSet.get) endpoint returns all secrets in the region — useful for finding the ID of an existing secret before attaching it to a load balancer.</p>

      <Tabs>
        <Tab title="Python SDK">
          ```python theme={null}
          secrets = client.cloud.secrets.list()
          print(f"Total: {secrets.count}")
          for s in secrets.results:
              print(f"  {s.id}  {s.name}  {s.status}")
          ```
        </Tab>

        <Tab title="Go SDK">
          ```go theme={null}
          page, err := client.Cloud.Secrets.List(ctx, cloud.SecretListParams{})
          if err != nil {
              log.Fatal(err)
          }
          fmt.Printf("Total: %d\n", page.Count)
          for _, s := range page.Results {
              fmt.Printf("  %s  %s  %s\n", s.ID, s.Name, s.Status)
          }
          ```
        </Tab>

        <Tab title="curl">
          ```bash theme={null}
          curl "https://api.gcore.com/cloud/v1/secrets/$GCORE_CLOUD_PROJECT_ID/$GCORE_CLOUD_REGION_ID" \
            -H "Authorization: APIKey $GCORE_API_KEY"
          ```

          Response:

          ```json theme={null}
          {
            "count": 1,
            "results": [
              {
                "id": "8f9a1dcd-09cb-4e39-9f6a-a4613f3a63aa",
                "name": "my-tls-secret",
                "status": "ACTIVE",
                "secret_type": "certificate",
                "created": "2026-05-31T10:00:00+00:00",
                "expiration": null
              }
            ]
          }
          ```
        </Tab>
      </Tabs>
    </Accordion>

    <Accordion title="Get secret details">
      <p>The [get secret](/api-reference/cloud#tag/Secrets/operation/SecretViewSet.get) endpoint returns full metadata for a single secret by ID, including its status, type, and expiration date.</p>

      <Tabs>
        <Tab title="Python SDK">
          ```python theme={null}
          SECRET_ID = "8f9a1dcd-09cb-4e39-9f6a-a4613f3a63aa"   # from Step 1 or List secrets

          secret = client.cloud.secrets.get(SECRET_ID)
          print(f"Name:       {secret.name}")
          print(f"Status:     {secret.status}")
          print(f"Type:       {secret.secret_type}")
          print(f"Expiration: {secret.expiration}")
          ```
        </Tab>

        <Tab title="Go SDK">
          ```go theme={null}
          secretID := "8f9a1dcd-09cb-4e39-9f6a-a4613f3a63aa"   // from Step 1 or List secrets

          secret, err := client.Cloud.Secrets.Get(ctx, secretID, cloud.SecretGetParams{})
          if err != nil {
              log.Fatal(err)
          }
          fmt.Printf("Name:       %s\n", secret.Name)
          fmt.Printf("Status:     %s\n", secret.Status)
          fmt.Printf("Type:       %s\n", secret.SecretType)
          ```
        </Tab>

        <Tab title="curl">
          ```bash theme={null}
          SECRET_ID="8f9a1dcd-09cb-4e39-9f6a-a4613f3a63aa"   # from Step 1 or List secrets

          curl "https://api.gcore.com/cloud/v1/secrets/$GCORE_CLOUD_PROJECT_ID/$GCORE_CLOUD_REGION_ID/$SECRET_ID" \
            -H "Authorization: APIKey $GCORE_API_KEY"
          ```

          Response:

          ```json theme={null}
          {
            "id": "8f9a1dcd-09cb-4e39-9f6a-a4613f3a63aa",
            "name": "my-tls-secret",
            "status": "ACTIVE",
            "secret_type": "certificate",
            "created": "2026-05-31T10:00:00+00:00",
            "expiration": null,
            "content_types": {
              "default": "application/octet-stream"
            }
          }
          ```
        </Tab>
      </Tabs>
    </Accordion>

    ## Clean up

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        SECRET_ID = "8f9a1dcd-09cb-4e39-9f6a-a4613f3a63aa"

        task_ids = client.cloud.secrets.delete(SECRET_ID)
        client.cloud.tasks.poll(task_ids.tasks[0])
        print("Secret deleted.")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        secretID := "8f9a1dcd-09cb-4e39-9f6a-a4613f3a63aa"

        if err := client.Cloud.Secrets.DeleteAndPoll(ctx, secretID, cloud.SecretDeleteParams{}); err != nil {
            log.Fatal(err)
        }
        fmt.Println("Secret deleted.")
        ```
      </Tab>

      <Tab title="curl">
        ```bash theme={null}
        SECRET_ID="8f9a1dcd-09cb-4e39-9f6a-a4613f3a63aa"

        curl -X DELETE "https://api.gcore.com/cloud/v1/secrets/$GCORE_CLOUD_PROJECT_ID/$GCORE_CLOUD_REGION_ID/$SECRET_ID" \
          -H "Authorization: APIKey $GCORE_API_KEY"
        ```

        Response:

        ```json theme={null}
        {
          "tasks": ["b63f0fff-1234-5678-abcd-ef0123456789"]
        }
        ```

        Poll `GET https://api.gcore.com/cloud/v1/tasks/{task_id}` until `state` is `FINISHED`.
      </Tab>
    </Tabs>
  </MethodSection>

  <MethodSection id="terraform" label="Terraform">
    <p>Import a PEM certificate into Secrets Manager. The secret ID from [`gcore_cloud_secret`](https://registry.terraform.io/providers/G-Core/gcore/latest/docs/resources/cloud_secret) can then be referenced in load balancer listeners for TLS termination.</p>

    <Info>
      An API token is required, along with a project ID and region ID.
    </Info>

    ## Create a TLS certificate secret

    <p>The `gcore_cloud_secret` resource provisions a PKCS#1/PKCS#8 PEM certificate and makes its ID available as a Terraform output for referencing in other resources.</p>

    ```hcl theme={null}
    resource "gcore_cloud_secret" "tls" {
      project_id = var.project_id
      region_id  = var.region_id
      name       = "my-tls-secret"

      payload_wo_version = 1
      payload = {
        certificate_wo       = file("${path.module}/certificate.pem")
        private_key_wo       = file("${path.module}/private_key.pem")
        certificate_chain_wo = file("${path.module}/certificate_chain.pem")
      }
    }

    output "secret_id" {
      value = gcore_cloud_secret.tls.id
    }
    ```

    <p>Place `certificate.pem`, `private_key.pem`, and `certificate_chain.pem` alongside the configuration file before running `terraform apply`. The secret is available immediately — no polling needed.</p>

    ## Rotate a certificate

    <p>To replace the secret with updated certificate content, increment `payload_wo_version` — write-only fields (`certificate_wo`, `private_key_wo`, `certificate_chain_wo`) are not tracked by Terraform state and require a version bump to trigger re-creation:</p>

    ```hcl theme={null}
    resource "gcore_cloud_secret" "tls" {
      ...
      payload_wo_version = 2  # Increment to force re-creation with new PEM files
      payload = {
        certificate_wo       = file("${path.module}/certificate.pem")
        private_key_wo       = file("${path.module}/private_key.pem")
        certificate_chain_wo = file("${path.module}/certificate_chain.pem")
      }
    }
    ```

    <Warning>
      Changing `payload_wo_version` destroys the existing secret and creates a new one. If the secret is attached to a load balancer listener, update the listener to reference the new secret ID after rotation.
    </Warning>

    ## Delete a secret

    <p>Remove the resource block and run `terraform apply`. A secret attached to a load balancer listener must be detached before deletion — remove the listener first, then apply.</p>

    ## Use in an HTTPS listener

    <p>Reference the secret in a `TERMINATED_HTTPS` listener via `sni_secret_id`. The `secret_id` field accepts only `""` in the provider — all TLS certificates are passed through `sni_secret_id`:</p>

    ```hcl theme={null}
    resource "gcore_cloud_load_balancer_listener" "https" {
      project_id       = var.project_id
      region_id        = var.region_id
      load_balancer_id = var.load_balancer_id
      name             = "https-listener"
      protocol         = "TERMINATED_HTTPS"
      protocol_port    = 443
      secret_id        = ""
      sni_secret_id    = [gcore_cloud_secret.tls.id]
    }
    ```

    ## Import

    <p>To bring an existing secret under Terraform management:</p>

    ```bash theme={null}
    terraform import gcore_cloud_secret.tls '{PROJECT_ID}/{REGION_ID}/{SECRET_ID}'
    ```

    <p>After importing, run `terraform apply` to initialize the certificate payload — write-only fields must be applied explicitly after import.</p>
  </MethodSection>
</MethodSwitch>
