diff --git a/deckhand/barbican/driver.py b/deckhand/barbican/driver.py
index edef7eab..2042db92 100644
--- a/deckhand/barbican/driver.py
+++ b/deckhand/barbican/driver.py
@@ -32,7 +32,7 @@ class BarbicanDriver(object):
 secret = self.barbicanclient.call("secrets.create", **kwargs)
 try:
- secret.store()
+ secret_ref = secret.store()
 except (barbicanclient.exceptions.HTTPAuthError,
 barbicanclient.exceptions.HTTPClientError,
 barbicanclient.exceptions.HTTPServerError) as e:
@@ -43,6 +43,7 @@ class BarbicanDriver(object):
 # NOTE(fmontei): The dictionary representation of the Secret object by
 # default has keys that are not snake case -- so make them snake case.
 resp = secret.to_dict()
- for key in resp.keys():
+ for key in resp:
 resp[utils.to_snake_case(key)] = resp.pop(key)
+ resp['secret_ref'] = secret_ref
 return resp
diff --git a/deckhand/engine/secrets_manager.py b/deckhand/engine/secrets_manager.py
index 2cf03c2c..18c800af 100644
--- a/deckhand/engine/secrets_manager.py
+++ b/deckhand/engine/secrets_manager.py
@@ -73,7 +73,7 @@ class SecretsManager(object):
 }
 resp = self.barbican_driver.create_secret(**kwargs)
- secret_ref = resp['secret_href']
+ secret_ref = resp['secret_ref']
 created_secret = secret_ref
 elif encryption_type == CLEARTEXT:
 created_secret = secret_doc['data']
@@ -93,6 +93,12 @@ class SecretsManager(object):
 _schema = schema.split('/')[1].lower().strip()
 if _schema == 'certificatekey':
 return 'private'
+ elif _schema == 'certificateauthority':
+ return 'certificate'
+ elif _schema == 'certificateauthoritykey':
+ return 'private'
+ elif _schema == 'publickey':
+ return 'public'
 return _schema
diff --git a/deckhand/tests/unit/engine/test_secrets_manager.py b/deckhand/tests/unit/engine/test_secrets_manager.py
index fa95681a..528518a4 100644
--- a/deckhand/tests/unit/engine/test_secrets_manager.py
+++ b/deckhand/tests/unit/engine/test_secrets_manager.py
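Review bot: In the first deckhand/barbican/driver.py hunk, `secret_ref` is bound only when `secret.store()` returns normally, and the body of the `except` handler lies outside this hunk. If that handler logs and continues rather than raising, the later `resp['secret_ref'] = secret_ref` fails on an unbound name instead of with a Barbican-specific error, so confirm the handler always raises. A short comment on the assignment, for example `# keep the reference returned by store(); it is handed back to the caller below`, would document why the return value is now kept.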
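Review bot: In the second deckhand/barbican/driver.py hunk, `for key in resp:` iterates the live dictionary while the loop body pops and re-inserts keys, which Python does not support: depending on the interpreter it can raise RuntimeError or skip and revisit keys. The removed `resp.keys()` spelling was a snapshot only on Python 2, so the form that is safe on both is `for key in list(resp):`. The dict returned here is what callers read the secret reference from, so a half-normalized key set is worth ruling out with a test that feeds a multi-key `to_dict()` result through this loop. The method begins above the hunk.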
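Review bot: The schema-to-secret-type mapping in the second deckhand/engine/secrets_manager.py hunk grows as an `if`/`elif` chain, and any schema name that is not listed still falls through `return _schema` and is handed on unchanged. A lookup table keeps the four mappings in one place and makes that fall-through explicit; if the result is sent to Barbican as the secret type (the caller is outside the hunk), consider rejecting names that are not a known type rather than forwarding them. `schema.split('/')[1]` also raises IndexError for a schema string without a `/`. The function's signature is outside the hunk.

```python
# … unchanged: _schema = schema.split('/')[1].lower().strip() …
secret_types = {
    'certificatekey': 'private',
    'certificateauthority': 'certificate',
    'certificateauthoritykey': 'private',
    'publickey': 'public',
}
# Names without an entry are returned as-is, as before.
return secret_types.get(_schema, _schema)
```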
@@ -30,7 +30,7 @@ class TestSecretsManager(test_base.TestDbBase):
 secrets_manager.SecretsManager, 'barbican_driver')
 self.secret_ref = 'https://path/to/fake_secret'
 self.mock_barbican_driver.create_secret.return_value = (
- {'secret_href': self.secret_ref})
+ {'secret_ref': self.secret_ref})
 self.secrets_manager = secrets_manager.SecretsManager()
 self.factory = factories.DocumentSecretFactory()
diff --git a/requirements.txt b/requirements.txt
index 6ae2c036..ad9ab2cd 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -35,4 +35,8 @@ oslo.policy>=1.23.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=1.10.0 # Apache-2.0
 oslo.utils>=3.20.0 # Apache-2.0
+# TODO(alanmeadows)
+# this must match the container service
+# likely this should be imported from a
+# container sidecar long-term
 python-barbicanclient>=4.0.0 # Apache-2.0
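Review bot: The TODO added in requirements.txt says the client "must match the container service", but the specifier beneath it, `python-barbicanclient>=4.0.0`, has only a lower bound, so an install can resolve to any later release. If a matching version really is required, name the Barbican service release it has to track in the comment and constrain the range to it (an upper bound here or an entry in the project's constraints file, if it has one). Otherwise reword the TODO so it does not read as a requirement that is already enforced.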