A Twelve factor app is expected to store configuration in the environment.

Is this intended to include SSL certificate and key files, which can be "large" (multiples of kb at least), and (depending on the format), often contain non-printable characters (newlines at minimum).

Or is the environment expected just to point to the cert/key file names? (This seems perhaps non-ideal when trying to deploy via Docker, for instance--we don't really want to store private keys in the docker image, do we? But maybe that's a separate question.)

An SSL certificate is (strictly seen) not a configuration but an asset file.

How you provide this asset depends on your way of hosting. But here are some options:

An easy way is to integrate letsencrypt and use certbot which handles the downloading of the certs securly and automatically. letsencrypt has some integrations for some languages (e.g. go has several clients that can be integrated into an app).

You could use a load balancer and terminate the ssl at the load balancer. In this case your app does not need to know anything about the cert.

Kubernetes provides secrets that can store certs safely and copy those files on deployment to a pod (simplified: A pod is a package that thinly wraps a docker container including your app).

Kubernetes can also use Ingress as a LoadBalancer which terminates the ssl.

Another option is to use hashicorp's Vault. This is a service that manages and distributes secrets.

Surely, there are more options and these are just hints. But the secure storing and distrubution of ssl certificates is no easy task. I hope I have given some good hints.

I am no expert on 12-factor app best-practices; however, from the linked article on 12-factor app config it sounds like the prescribed practice is to use environment variables to identify configurable aspects of the program.

Perhaps SSL_CERT_FILE and SSL_KEY_FILE env vars could be read as paths to the respective files so that they could easily be overridden in different environments where the files might reside at different locations.

I am personally fond of software that "just works" without the need for additional configuration so you might also consider embedding the certificate and key files in the executable itself (if that's feasible) so that the program works "out of the box" but users of the program may also specify alternate cert/key file locations if needed by the environment or specific application.

There are different kinds of configuration elements. The motivation for 12 factor apps to store configuration in environment is for a specific goal: To make it easy for it to be redeployed elsewhere in a new environment. Thus, only those configuration elements qualify to go to the environment which contribute towards this goal. Other domain or application specific configuration elements can remain bundled with the application's local or technology specific configuration method of choice.

For SSL certificates, it appears that these will not change from environment to environment, so you are not bound to keep them in the environment variables, IMO.