diff --git a/manifests/certificates.pp b/manifests/certificates.pp
index 14cd0611..60d665b3 100644
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@@ -30,8 +30,8 @@
 #
 # [*server_certs_key_passphrase*]
 # (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
-# Defaults to $::os_service_default
-#
+# Must be exactly 32 characters.
+# Defaults to 'insecure-key-do-not-use-this-key'
 #
 # [*ca_private_key_passphrase*]
 # (Optional) CA password used to sign certificates
@@ -80,7 +80,7 @@ class octavia::certificates (
 $endpoint_type = $::os_service_default,
 $ca_certificate = $::os_service_default,
 $ca_private_key = $::os_service_default,
- $server_certs_key_passphrase = $::os_service_default,
+ $server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
 $ca_private_key_passphrase = $::os_service_default,
 $client_ca = undef,
 $client_cert = $::os_service_default,
@@ -109,7 +109,13 @@ class octavia::certificates (
 'haproxy_amphora/client_cert' : value => $client_cert;
 'haproxy_amphora/server_ca' : value => $ca_certificate;
 }
-
+ if !$server_certs_key_passphrase {
+ fail('server_certs_key_passphrase is required for Octavia. Please provide a 32 characters passphrase.')
+ }
+ if length($server_certs_key_passphrase)!=32 {
+ fail("The passphrase '${server_certs_key_passphrase}' is invalid for server_certs_key_passphrase. Please provide a 32 characters
+ passphrase.")
+ }
 # The file creation will create the parent directory for each file if necessary, but
 # only to one level.
 if $ca_certificate_data {
diff --git a/releasenotes/notes/fix-generated-server_certs_key_passphrase-in-spec-524a44297ec76bd0.yaml b/releasenotes/notes/fix-generated-server_certs_key_passphrase-in-spec-524a44297ec76bd0.yaml
new file mode 100644
index 00000000..d350e6df
--- /dev/null
+++ b/releasenotes/notes/fix-generated-server_certs_key_passphrase-in-spec-524a44297ec76bd0.yaml
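Review bot: The new default `$server_certs_key_passphrase = 'insecure-key-do-not-use-this-key'` in the `@@ -80` hunk is exactly 32 characters, so it satisfies both validation checks added in the `@@ -109` hunk and a deployment that never overrides the parameter silently ends up with a fixed, publicly known key protecting amphora certificates and private keys. If the parameter is meant to be operator-supplied, a default of `undef` with the existing `fail` for the unset case keeps the requirement explicit; if the placeholder default must stay, the validation should at least reject it, e.g. `if $server_certs_key_passphrase == 'insecure-key-do-not-use-this-key' { fail('server_certs_key_passphrase must be changed from the placeholder default.') }`. Either way the doc comment in the `@@ -30` hunk should say so, e.g. `# Defaults to 'insecure-key-do-not-use-this-key', a placeholder that must be overridden in any real deployment.`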
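Review bot: The second `fail(...)` in the `@@ -109` hunk interpolates `${server_certs_key_passphrase}` into the error message, so a mistyped or partially pasted secret is written to the agent log, the Puppet report and any log forwarding, for the very key that encrypts amphora private keys. Report only what is needed to diagnose the problem, e.g. `fail("server_certs_key_passphrase must be exactly 32 characters, got ${length($server_certs_key_passphrase)}.")`. That string literal is also split across two source lines, so the emitted message currently contains a newline plus the next line's indentation; the single-line replacement above fixes that as well. The first check `if !$server_certs_key_passphrase` only fires for `undef`/`false` on Puppet 4 and later, where `''` is truthy, so the empty-string case is caught by the length check rather than by the "is required" message; that appears to be intended but is worth a short comment. The enclosing class body continues outside the hunk.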
@@ -0,0 +1,4 @@
+---
+fixes:
+ - The passphrase for config option 'server_certs_key_passphrase', is used as
+ a Fernet key in Octavia and thus must be 32 chars long.
diff --git a/spec/classes/octavia_certificates_spec.rb b/spec/classes/octavia_certificates_spec.rb
index 6961b11d..32844389 100644
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@@ -11,7 +11,6 @@ describe 'octavia::certificates' do
 is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('')
 is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('')
 is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('')
- is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('')
 is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('')
 end
 
@@ -30,7 +29,7 @@ describe 'octavia::certificates' do
 :endpoint_type => 'internalURL',
 :ca_certificate => '/etc/octavia/ca.pem',
 :ca_private_key => '/etc/octavia/key.pem',
- :server_certs_key_passphrase => 'secure123',
+ :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
 :ca_private_key_passphrase => 'secure123',
 :client_cert => '/etc/octavia/client.pem'
 }
@@ -43,7 +42,7 @@ describe 'octavia::certificates' do
 is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
 is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
 is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
- is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
+ is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
 is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
 end
 
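Review bot: In the `@@ -30` and `@@ -43` hunks the explicit parameter and the expected config value are now the same literal as the manifest's new default, so these "with specified params" examples no longer prove that an operator-supplied passphrase is what gets written; they would pass even if the parameter were ignored. Use a distinct 32-character test value, for example (constructed) `:server_certs_key_passphrase => 'test-passphrase-of-32-characters',` in the `let :params` block and the matching `.with_value('test-passphrase-of-32-characters')` in the expectation. The same applies to the `@@ -58`, `@@ -70`, `@@ -115` and `@@ -127` hunks further down this file.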
@@ -58,7 +57,7 @@ describe 'octavia::certificates' do
 let :params do
 { :ca_certificate => '/etc/octavia/ca.pem',
 :ca_private_key => '/etc/octavia/key.pem',
- :server_certs_key_passphrase => 'secure123',
+ :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
 :ca_private_key_passphrase => 'secure123',
 :client_cert => '/etc/octavia/client.pem',
 :ca_certificate_data => 'on_my_authority_this_is_a_certificate',
@@ -70,7 +69,7 @@ describe 'octavia::certificates' do
 it 'configures octavia certificate manager' do
 is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
 is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
- is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
+ is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
 is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
 end
 
@@ -115,7 +114,7 @@ describe 'octavia::certificates' do
 let :params do
 { :ca_certificate => '/etc/octavia/ca.pem',
 :ca_private_key => '/etc/octavia1/key.pem',
- :server_certs_key_passphrase => 'secure123',
+ :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
 :ca_private_key_passphrase => 'secure123',
 :client_cert => '/etc/octavia2/client.pem',
 :ca_certificate_data => 'on_my_authority_this_is_a_certificate',
@@ -127,7 +126,7 @@ describe 'octavia::certificates' do
 it 'configures octavia certificate manager' do
 is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
 is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
- is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
+ is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
 is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
 end
 
@@ -221,6 +220,28 @@ describe 'octavia::certificates' do
 }
 end
 
+ context 'When invalid non 32 characters server_certs_key_passphrase provided' do
+ let :params do
+ { :server_certs_key_passphrase => 'non-32-chars-key',
+ }
+ end
+
+ it 'fails without an invalid server_certs_key_passphrase' do
+ is_expected.to raise_error(Puppet::Error)
+ end
+ end
+
+ context 'When no server_certs_key_passphrase provided' do
+ let :params do
+ { :server_certs_key_passphrase => '',
+ }
+ end
+
+ it 'fails without a server_certs_key_passphrase' do
+ is_expected.to raise_error(Puppet::Error)
+ end
+ end
+
 it 'should configure certificates' do
 is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
 is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/client_ca.pem')
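Review bot: Both new examples in the `@@ -221` hunk assert only `raise_error(Puppet::Error)`, which also passes for any unrelated compile failure, so they do not show that the new length validation is what fired; pin the message, e.g. `is_expected.to raise_error(Puppet::Error, /server_certs_key_passphrase/)`. Since the manifest's message interpolates the supplied value, the invalid-passphrase example is also the natural place to assert the secret does not end up in the error, e.g. `is_expected.to raise_error(Puppet::Error) { |e| expect(e.message).not_to include('non-32-chars-key') }`. The first example's description `'fails without an invalid server_certs_key_passphrase'` reads backwards for a context that supplies an invalid value; `'fails with an invalid server_certs_key_passphrase'` matches what it tests.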