I'm wondering if there's a way to safely handle my TLS/SSL certificates without a reverse proxy in place. I sometimes mount my certificates in a VM like this:
volumes:
- ${CERTIFICATES}:/certificates
However, I'm concerned that if the VM gets compromised, someone could easily access those certificates. Is there a better method to obfuscate or protect this certificate folder's contents, perhaps through a side-loading proxy or something similar?
5 Answers
Just to clarify, are you concerned about certificates or private keys? Your client needs the certificate to authenticate to a server using self-signed SSL, but the certificate itself isn't private—it's just there to ensure you connect to the correct server. Other clients can still connect by ignoring error messages if they don't have those certificates.
I haven’t come across a scenario where a reverse proxy wasn’t an option. Could you give a specific example of what you’re dealing with?
You might want to clarify what exactly you're aiming for. Usually, exposing the certificate itself is fine since it’s shared in the handshake process, but the private keys are the sensitive part. One way to mitigate risks is to use short-lived certificates and separate keys for each service, along with regular key rotation.
Have you considered running your own Certificate Authority (CA)? You can automate the provisioning process with tools like step-ca.
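Added illustration of the two answers above (short-lived, per-service keys with rotation; running your own CA). This is not code from anyone in this thread: it is a small POSIX shell script that stands up a throwaway private CA with plain openssl (a stand-in for step-ca), issues a one-day leaf certificate for a made-up service, locks the key file down to mode 0400 and then checks the properties that matter. It assumes openssl is on PATH; the CA name, the service name `app`, the host `app.internal` and every path are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway private CA (openssl in
# place of step-ca) that issues a short-lived, per-service leaf certificate and
# stages it so that only the key file is secret and only its owner can read it.
# Assumes `openssl` is on PATH. Every name and path here (Demo Internal CA,
# "app", app.internal, $WORK) is made up for the demonstration.
set -eu

# make_ca <ca_dir>: self-signed EC root; key kept at 0400, cert is public.
make_ca() {
  ca="$1"
  mkdir -p "$ca"
  cat > "$ca/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo Internal CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  (umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "$ca/ca.key")
  chmod 0400 "$ca/ca.key"
  openssl req -x509 -new -key "$ca/ca.key" -sha256 -days 3650 \
    -config "$ca/ca.cnf" -out "$ca/ca.crt"
}

# issue_service_cert <ca_dir> <out_dir> <service> <dns_name> <valid_days>:
# a fresh key per service (never shared between services) and a leaf cert
# valid for only <valid_days>; re-run from cron or a timer to rotate.
issue_service_cert() {
  ca="$1"; out="$2"; svc="$3"; dns="$4"; days="$5"
  mkdir -p "$out"
  cat > "$out/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $svc
EOF
  cat > "$out/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$dns
EOF
  (umask 077; openssl ecparam -name prime256v1 -genkey -noout -out "$out/$svc.key")
  chmod 0400 "$out/$svc.key"
  openssl req -new -key "$out/$svc.key" -config "$out/req.cnf" -out "$out/$svc.csr"
  openssl x509 -req -in "$out/$svc.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
    -CAcreateserial -days "$days" -sha256 -extfile "$out/leaf.ext" \
    -out "$out/$svc.crt"
  rm -f "$out/$svc.csr" "$out/req.cnf" "$out/leaf.ext"
}

# key_perms <file>: permission string as ls prints it, e.g. "-r--------".
key_perms() { ls -l "$1" | cut -c1-10; }

# cert_verifies <ca_crt> <crt>: exit 0 if the leaf chains to the CA.
cert_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_valid_in <crt> <seconds>: exit 0 if the cert is still valid <seconds> from now.
cert_valid_in() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# private_material_count <file>: number of PRIVATE KEY markers; 0 for a
# certificate, which is why the .crt can be handed out while the .key must not.
private_material_count() { grep -c 'PRIVATE KEY' "$1" || true; }

# Demo run. In a compose file the service gets only its own directory, read-only:
#   volumes:
#     - ./certs/app:/certificates:ro
WORK="$(mktemp -d)"
make_ca "$WORK/ca"
issue_service_cert "$WORK/ca" "$WORK/certs/app" app app.internal 1
echo "key perms: $(key_perms "$WORK/certs/app/app.key")"
cert_verifies "$WORK/ca/ca.crt" "$WORK/certs/app/app.crt" && echo "chain: OK"
if cert_valid_in "$WORK/certs/app/app.crt" 172800; then
  echo "cert still valid in 2 days (not short-lived)"
else
  echo "cert expires within 2 days: rotate it on a schedule"
fi
```

The point the script makes concrete: the certificate contains no private material and can live anywhere, the key is the only secret, and a one-day leaf limits what an attacker who reads it off a compromised VM can do with it. Mount each service's directory read-only and keep the CA key off the VM entirely.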
I keep my certificates in a centralized storage pool rather than in the VM. I have two distinct storage pools: one for critical data and another for media. The critical pool is both locally and off-site backed up, and it holds sensitive data for Docker configurations and databases. My services that require certificates use a specific folder in the critical storage for Traefik.