CLI Reference - Certificates

SSH certificates

get-ssh-certificate

Generates an SSH certificate for the given username, signed by the named SSH certificate issuer.

Usage

```
akeyless get-ssh-certificate -s <Username to sign> -c <Cert issuer name>
```

Parameters

| Parameter | Mandatory | Description |
| --- | --- | --- |
| -s, --cert-username | **Y** | The username to sign in the SSH certificate. |
| -c, --cert-issuer-name | **Y** | The name of the SSH certificate issuer. |
| -p, --public-key-file-path | | Path to the SSH public key file to be signed. |
| -o, --outfile | | Output file path for the certificate. If not provided and --public-key-file-path is used, the certificate is written next to the provided public key with the -cert extension. |
| --public-key-data | | SSH public key file contents, passed inline instead of a file path. If this option is used, the certificate is printed to stdout. |

create-ssh-cert-issuer

Creates a new SSH certificate issuer.

Usage

```
akeyless create-ssh-cert-issuer -n <Cert issuer name> -s <Signing Key> -a <Allowed users> -t <Cert TTL>
```

Parameters

| Parameter | Mandatory | Description |
| --- | --- | --- |
| -n, --name | **Y** | SSH certificate issuer name. |
| -s, --signer-key-name | **Y** | The key used to sign certificates issued by this issuer. |
| -a, --allowed-users | **Y** | Users who are allowed to fetch a certificate from this issuer, e.g. root,ubuntu. |
| -t, --ttl | **Y** | The requested Time To Live for issued certificates, in seconds. |
| -p, --principals | | Principals to include in the signed certificates, e.g. example_role1,example_role2. |
| -x, --extensions | | Extensions to include in the signed certificates, e.g. permit-port-forwarding="". |
| -m, --metadata | | Metadata about the issuer. |
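A practitioner check to run after get-ssh-certificate, added here as an example and not part of the Akeyless CLI or its documentation: parse the issued certificate and confirm that what the issuer actually signed (principals, lifetime, extensions) matches the policy set with create-ssh-cert-issuer. It assumes the output is a standard OpenSSH certificate (the <key>-cert.pub format that sshd consumes) and handles ed25519 keys only. The sample certificate is constructed in memory with a dummy key and signature so the code runs offline; the signature itself is not verified here, which ssh-keygen -L and sshd do against the CA public key.

```python
"""Check an OpenSSH user certificate against the issuer policy. Added example, not
Akeyless code: it assumes get-ssh-certificate writes a standard OpenSSH certificate
(PROTOCOL.certkeys format, as sshd consumes); only ed25519 certificates are handled."""
import base64
import struct
import time


def _s(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, fmt: str):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def u32(self) -> int: return self._take(">I")
    def u64(self) -> int: return self._take(">Q")

    def string(self) -> bytes:
        n = self.u32()
        val = self.data[self.pos:self.pos + n]
        if len(val) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return val


def _strings(blob: bytes) -> list:
    """'valid principals' is a string holding zero or more packed strings."""
    r, out = Reader(blob), []
    while r.pos < len(blob):
        out.append(r.string().decode())
    return out


def _pairs(blob: bytes) -> dict:
    """Critical options / extensions: packed (name, data) pairs; permit-* extensions
    carry an empty data string, which is the "" in permit-port-forwarding=""."""
    r, out = Reader(blob), {}
    while r.pos < len(blob):
        name = r.string().decode()
        out[name] = r.string()
    return out


def parse_cert(line: str) -> dict:
    """Parse one line of a *-cert.pub file. The signature is NOT verified here."""
    kind, b64 = line.split()[:2]
    if kind != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("this example handles ed25519 certificates only")
    r = Reader(base64.b64decode(b64))
    if r.string().decode() != kind:
        raise ValueError("key type prefix does not match certificate body")
    r.string(), r.string()                                 # nonce, ed25519 public key
    cert = {"serial": r.u64(), "type": r.u32(),            # type: 1 = user, 2 = host
            "key_id": r.string().decode(), "principals": _strings(r.string()),
            "valid_after": r.u64(), "valid_before": r.u64(),
            "critical": _pairs(r.string())}
    cert["extensions"] = sorted(_pairs(r.string()))
    r.string(), r.string(), r.string()                     # reserved, CA key, signature
    return cert


def check_policy(cert: dict, allowed_users: set, max_ttl: int, allowed_ext: set) -> list:
    """Return policy violations; an empty list means the certificate is acceptable."""
    problems = []
    if cert["type"] != 1:
        problems.append("not a user certificate")
    if not cert["principals"]:
        # PROTOCOL.certkeys: an empty principal list makes the cert valid for ANY user.
        problems.append("no principals: sshd accepts this certificate for any user")
    bad = [p for p in cert["principals"] if p not in allowed_users]
    if bad:
        problems.append(f"principals outside allowed-users: {bad}")
    if cert["valid_before"] - cert["valid_after"] > max_ttl:
        problems.append("lifetime exceeds the issuer TTL")
    extra = set(cert["extensions"]) - allowed_ext
    if extra:
        problems.append(f"unexpected extensions: {sorted(extra)}")
    return problems


def build_sample_cert(principals, ttl, extensions, now=None) -> str:
    """Constructed sample (dummy key and signature) so the example runs offline."""
    now = int(time.time()) if now is None else now
    body = b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"), _s(b"\x00" * 32), _s(b"\x01" * 32),
        struct.pack(">QI", 7, 1), _s(b"ubuntu@example"),      # serial, user type, key id
        _s(b"".join(_s(p.encode()) for p in principals)),
        struct.pack(">QQ", now, now + ttl), _s(b""),           # validity, no critical opts
        _s(b"".join(_s(e.encode()) + _s(b"") for e in extensions)),
        _s(b""), _s(_s(b"ssh-ed25519") + _s(b"\x02" * 32)),   # reserved, CA public key
        _s(_s(b"ssh-ed25519") + _s(b"\x03" * 64)),            # dummy signature
    ])
    return f"ssh-ed25519-cert-v01@openssh.com {base64.b64encode(body).decode()} ubuntu"
```

For a real certificate, call parse_cert(open("id_ed25519-cert.pub").read()) and pass the result to check_policy together with the issuer's allowed users, TTL and extensions. The empty-principals check matters: a certificate with no principals is valid for any user under PROTOCOL.certkeys, so if one ever comes back from the issuer it should be treated as a wildcard login and rejected.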

delete-item

Deletes any secret, key, certificate or role. See Commands for all items and objects for details.

Usage

```
akeyless delete-item -n <path/to/item>
```

Mandatory Parameters

| Parameter | Description |
| --- | --- |
| -n, --name | Path to the item to be deleted. |

Optional Parameters

| Parameter | Description |
| --- | --- |
| --version | The specific version to delete: 0 = the latest version, -1 = the entire item with all of its versions (default). |
| --delete-in-days | The number of days to wait before the item is deleted (relevant for keys only). Defaults to 7. |
| --delete-immediately | Must be set when --delete-in-days is -1. Defaults to false. |

PKI certificates

get-pki-certificate

Generates a PKI certificate for the given key, signed by the named PKI certificate issuer.

Usage

```
akeyless get-pki-certificate -c <name of PKI issuer> -k <client Public or Private Key>
```

Mandatory Parameters

| Parameter | Description |
| --- | --- |
| -c, --cert-issuer-name | The name of the PKI certificate issuer. |
| -k, --key-file-path | Path to the client's public or private key file. If a private key is given, only the public key is extracted from it. |

Optional Parameters

| Parameter | Description |
| --- | --- |
| --common-name | The common name (CN) to be included in the PKI certificate. |
| --alt-names | The Subject Alternative Names to be included in the PKI certificate (comma-delimited list). |
| --uri-sans | The URI Subject Alternative Names to be included in the PKI certificate (comma-delimited list). |
| -o, --outfile | Output file path for the certificate. If not provided, the certificate is written next to the provided key with the -cert extension. |

create-pki-cert-issuer

Creates a new PKI certificate issuer.

Usage

```
akeyless create-pki-cert-issuer -n <PKI issuer name> -s <Signing Key> -t <TTL>
```

Mandatory Parameters

| Parameter | Description |
| --- | --- |
| -n, --name | PKI certificate issuer name. |
| -s, --signer-key-name | The key used to sign certificates issued by this issuer. |
| -t, --ttl | The requested Time To Live for issued certificates, in seconds. |

Optional Parameters

| Parameter | Description |
| --- | --- |
| --allowed-domains | Domains that clients may request to be included in the certificate (comma-delimited list). |
| --allowed-uri-sans | URIs that clients may request to be included in the certificate as URI Subject Alternative Names (comma-delimited list). |
| --allow-subdomains | If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains. |
| --not-enforce-hostnames | If set, the CN and SANs are not required to be valid hostnames; any name is allowed. |
| --allow-any-name | If set, clients can request certificates for any CN. |
| --not-require-cn | If set, clients can request certificates without a CN. |
| --server-flag | If set, issued certificates are flagged for server authentication use. |
| --client-flag | If set, issued certificates are flagged for client authentication use. |
| --code-signing-flag | If set, issued certificates are flagged for code signing use. |
| --key-usage | A comma-separated list of key usages to set in issued certificates. Defaults to DigitalSignature,KeyAgreement,KeyEncipherment. |
| --organization-units | A comma-separated list of organizational units (OU) to set in the issued certificate. |
| --organizations | A comma-separated list of organizations (O) to set in the issued certificate. |
| --country | A comma-separated list of countries (C) to set in the issued certificate. |
| --locality | A comma-separated list of localities (L) to set in the issued certificate. |
| --province | A comma-separated list of provinces (ST) to set in the issued certificate. |
| --street-address | A comma-separated list of street addresses to set in the issued certificate. |
| --postal-code | A comma-separated list of postal codes to set in the issued certificate. |
| -m, --metadata | Metadata about the issuer. |
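The name-constraint flags above interact: --allowed-domains on its own admits only the exact names listed, --allow-subdomains extends them to subdomains and wildcards, --not-enforce-hostnames drops the hostname syntax check, and --allow-any-name removes the domain check entirely. The following Python is an added example, not the Akeyless issuer's own logic: it models those flags as a local policy evaluator so that the CN and SANs a given issuer configuration would admit can be seen before the issuer is created. The matching rules (suffix match for subdomains, an RFC 1123 hostname pattern, and --allow-any-name lifting the domain check for SANs as well as the CN) are assumptions, not taken from this page.

```python
"""Model of a PKI issuer's name constraints. Added example, not Akeyless code: it
re-implements the intent of --allowed-domains, --allow-subdomains, --allow-any-name,
--not-enforce-hostnames and --not-require-cn so the effect of each flag on a
requested CN / SAN list is visible. The exact matching rules are assumptions."""
import re
from dataclasses import dataclass, field

# RFC 1123 hostname labels, optionally with a single leading wildcard label.
_HOSTNAME = re.compile(
    r"^(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


@dataclass
class IssuerPolicy:
    """Flags of create-pki-cert-issuer that constrain requested names."""
    allowed_domains: set = field(default_factory=set)   # --allowed-domains
    allow_subdomains: bool = False                      # --allow-subdomains
    allow_any_name: bool = False                        # --allow-any-name
    enforce_hostnames: bool = True                      # False == --not-enforce-hostnames
    require_cn: bool = True                             # False == --not-require-cn


def _domain_allowed(name: str, p: IssuerPolicy) -> bool:
    """Assumed rule: exact match on an allowed domain, or a suffix match when
    subdomains are allowed (this also admits wildcard names such as *.example.com)."""
    if p.allow_any_name:   # assumed to lift the domain check for SANs too, not only the CN
        return True
    host = name.lower()
    return any(host == d.lower() or (p.allow_subdomains and host.endswith("." + d.lower()))
               for d in p.allowed_domains)


def evaluate_request(cn: str, alt_names: list, p: IssuerPolicy) -> list:
    """Return the reasons the issuer would refuse; an empty list means allowed."""
    reasons = []
    if not cn and p.require_cn:
        reasons.append("CN is required (issuer created without --not-require-cn)")
    for n in [x for x in [cn, *alt_names] if x]:
        if p.enforce_hostnames and not _HOSTNAME.match(n):
            reasons.append(f"{n!r} is not a valid hostname")
        elif not _domain_allowed(n, p):
            reasons.append(f"{n!r} is outside the allowed domains")
    return reasons


if __name__ == "__main__":
    strict = IssuerPolicy(allowed_domains={"example.com"})
    print(evaluate_request("api.example.com", ["*.example.com"], strict))
    print(evaluate_request("api.example.com", ["*.example.com"],
                           IssuerPolicy({"example.com"}, allow_subdomains=True)))
    # --allow-any-name without --not-enforce-hostnames still rejects non-hostnames.
    print(evaluate_request("payments-svc_01", [], IssuerPolicy(allow_any_name=True)))
```

The loosening flags compound: an issuer created with both --allow-any-name and --not-enforce-hostnames signs whatever name a caller asks for, so access to such an issuer has to be restricted by who may reach it rather than by its name constraints.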

get-kube-exec-creds

Gets credentials for authenticating to a Kubernetes cluster, based on a PKI certificate issuer.

Usage

```
akeyless get-kube-exec-creds -c <PKI cert issuer name> -k <Public or Private Key file path>
```

Mandatory Parameters

| Parameter | Description |
| --- | --- |
| -c, --cert-issuer-name | The name of the PKI certificate issuer. |
| -k, --key-file-path | Path to the client's public or private key file. If a private key is given, only the public key is extracted from it. |

Optional Parameters

| Parameter | Description |
| --- | --- |
| --common-name | The common name (CN) to be included in the PKI certificate. |
| --alt-names | The Subject Alternative Names to be included in the PKI certificate (comma-delimited list). |
| --uri-sans | The URI Subject Alternative Names to be included in the PKI certificate (comma-delimited list). |
| -o, --outfile | Output file path for the certificate. If not provided, the certificate is written next to the provided key with the -cert extension. |

delete-item

Deletes any secret, key, certificate or role. The usage and parameters are identical to delete-item under SSH certificates above; see Commands for all items and objects for details.

