CLI Reference - Certificates
SSH certificates
get-ssh-certificate
get-ssh-certificate
Gets SSH certificate.
Usage
akeyless get-ssh-certificate \
--cert-username <Username to sign> \
--cert-issuer-name <The name of the SSH certificate issuer> \
--public-key-file-path <path/to/SSH public key> \
--public-key-data <key file contents>
Parameters
| Parameter | Description |
|---|---|
-s, --cert-username | (Mandatory) The username to sign in the SSH certificate (use a comma-separated list for more than one username) |
-c, --cert-issuer-name | (Mandatory) The name of the SSH certificate issuer |
-p, --public-key-file-path | SSH public key |
-o, --outfile | Output file path with the certificate. If not provided, and public-key-file-path used, the file with the certificate will be created in the same location of the provided public key with the -cert extension |
--public-key-data | SSH public key file contents. If this option is used, the certificate will be printed to stdout |
-t, --ttl | Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL) |
--legacy-signing-alg-name[=false] | Set this option to output legacy ('[email protected]') signing algorithm name in the certificate. |
create-ssh-cert-issuer
create-ssh-cert-issuer
Creates a new SSH certificate issuer.
Usage
akeyless create-ssh-cert-issuer \
--name <SSH certificate issuer name> \
--signer-key-name <A key to sign the certificate with> \
--allowed-users <Users allowed to fetch the certificate> \
--ttl <Time To Live for the certificate>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) SSH certificate issuer name |
-s, --signer-key-name | (Mandatory) A key to sign the certificate with |
-a, --allowed-users | (Mandatory) Users allowed to fetch the certificate, e.g root, ubuntu |
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds |
-p, --principals | Signed certificates with principal, e.g example_role1,example_role2 |
-x, --extensions | Signed certificates with extensions, e.g permit-port-forwarding="" |
-m, --metadata | A metadata about the issuer |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-api | Bastion's SSH control API endpoint. E.g. https://my.bastion:9900 |
--secure-access-bastion-ssh | Bastion's SSH server. E.g. my.bastion:22 |
--secure-access-ssh-creds-user | SSH username to connect to target server, must be in 'Allowed Users' list |
--secure-access-host | Target servers for connections., For multiple values repeat this flag. |
--secure-access-use-internal-bastion | Use internal SSH Bastion - Relevant only for Secure Remote Access Deployment, mostly when using Dockers. Set the relevant IP address of the SSH Bastion for internal communication between ZT and SSH bastions. |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
update-ssh-cert-issuer
update-ssh-cert-issuer
Updates a new SSH certificate issuer
Usage
akeyless update-ssh-cert-issuer \
--name <SSH cert issuer name> \
--signer-key-name <A key to sign the certificate with> \
--allowed-users <Users allowed to fetch the certificate> \
--ttl <Time To Live for the certificate>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) SSH certificate issuer name |
--new-name | New item name |
-s, --signer-key-name | (Mandatory) A key to sign the certificate with |
-a, --allowed-users | (Mandatory) Users allowed to fetch the certificate, e.g root, ubuntu |
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds |
-p, --principals | Signed certificates with principal, e.g example_role1,example_role2 |
-x, --extensions | Signed certificates with extensions, e.g permit-port-forwarding="" |
-m, --metadata | A metadata about the issuer |
--add-tag | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2 |
--rm-tag | List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-api | Bastion's SSH control API endpoint. E.g. https://my.bastion:9900 |
--secure-access-bastion-ssh | Bastion's SSH server. E.g. my.bastion:22 |
--secure-access-ssh-creds-user | SSH username to connect to target server, must be in 'Allowed Users' list |
--secure-access-host | Target servers for connections., For multiple values repeat this flag |
--secure-access-use-internal-bastion | Use internal SSH Bastion |
PKI certificates
get-pki-certificate
get-pki-certificate
Gets Public key infrastructure (PKI) certificate
Usage
akeyless get-pki-certificate \
--cert-issuer-name <PKI issuer name> \
--key-file-path <client Key> \
--ttl <certificate lifetime>
Parameters
| Parameter | Description |
|---|---|
-c, --cert-issuer-name | (Mandatory) The name of the PKI certificate issuer. |
-k, --key-file-path | The client public or private key file path (in case of a private key, it will be use to extract the public key) |
--key-data-base64 | pki key file contents encoded using Base64. If this option is used, the certificate will be printed to stdout |
--csr-file-path | Path to Certificate Signing Request file to generate the certificate with |
--csr-data-base64 | Certificate Signing Request contents encoded in base64 to generate the certificate with (if csr-file-path is provided this flag is ignored) |
--common-name | The common name to be included in the PKI certificate |
--alt-names | The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list) |
--uri-sans | The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list) |
-t, --ttl | Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL) |
-e, --extended-key-usage | A comma-separated list of extended key usage requests which will be used for certificate issuance. Supported values: 'clientauth', 'serverauth'. |
-o, --outfile | Output file path with the certificate. If not provided, the file with the certificate will be created in the same location of the provided public key with the -cert extension |
create-pki-cert-issuer
create-pki-cert-issuer
Creates a new PKI certificate issuer
Usage
akeyless create-pki-cert-issuer \
--name <PKI issuer name> \
--ttl <The maximum requested Time To Live for issued certificates, in seconds> \
--signer-key-name <A key to sign the certificate with>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) PKI certificate issuer name |
-s, --signer-key-name | A key to sign the certificate with |
-t, --ttl | (Mandatory) The maximum requested Time To Live for issued certificates, in seconds. In case of Public CA, this is based on the CA target's supported maximum TTLs |
--ca-target | The name of an existing CA target to attach this PKI Certificate Issuer to, required in Public CA mode |
--gw-cluster-url | The GW cluster URL to issue the certificate from, required in Public CA mode |
--allowed-domains | A list of the allowed domains that clients can request to be included in the certificate (in a comma-delimited list) |
--destination-path | A path in Akeyless which to save generated certificates |
--allowed-uri-sans | A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list) |
--allow-subdomains | If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains |
--not-enforce-hostnames | If set, any names are allowed for CN and SANs in the certificate and not only a valid host name |
--allow-any-name | If set, clients can request certificates for any CN |
--not-require-cn | If set, clients can request certificates without a CN. |
--server-flag | If set, certificates will be flagged for server auth use |
--client-flag | If set, certificates will be flagged for client auth use. |
--code-signing-flag | If set, certificates will be flagged for code signing use. |
--key-usage[=DigitalSignature,KeyAgreement,KeyEncipherment] | A comma-separated string or list of key usages |
-e, --expiration-event-in | How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5 |
--organization-units | A comma-separated list of organizational units (OU) that will be set in the issued certificate. |
--organizations | A comma-separated list of organizations (O) that will be set in the issued certificate. |
--country | A comma-separated list of the country that will be set in the issued certificate. |
--locality | A comma-separated list of the locality that will be set in the issued certificate. |
--province | A comma-separated list of the province that will be set in the issued certificate. |
--street-address | A comma-separated list of the street address that will be set in the issued certificate. |
--postal-code | A comma-separated list of the postal code that will be set in the issued certificate. |
--protect-certificates | Whether to protect generated certificates from deletion |
--is-ca | If set, the basic constraints extension will be added to certificate |
-m, --metadata | A metadata about the issuer |
--tag | List of the tags attached to this key. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
update-pki-cert-issuer
update-pki-cert-issuer
Updates a new PKI certificate issuer
Usage
akeyless update-pki-cert-issuer \
--name <PKI issuer name> \
--ttl <The maximum requested Time To Live for issued certificates, in seconds> \
--new-name <New item name>
--signer-key-name <A key to sign the certificate with>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) PKI certificate issuer name |
--new-name | New item name |
-s, --signer-key-name | A key to sign the certificate with |
-t, --ttl | (Mandatory) The maximum requested Time To Live for issued certificates, in seconds. In case of Public CA, this is based on the CA target's supported maximum TTLs |
--gw-cluster-url | The GW cluster URL to issue the certificate from, required in Public CA mode |
--allowed-uri-sans | A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list) |
--allow-subdomains | If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains |
--not-enforce-hostnames | If set, any names are allowed for CN and SANs in the certificate and not only a valid host name |
--allow-any-name | If set, clients can request certificates for any CN |
--not-require-cn | If set, clients can request certificates without a CN |
--server-flag | If set, certificates will be flagged for server auth use |
--client-flag | If set, certificates will be flagged for client auth use |
--code-signing-flag | If set, certificates will be flagged for code signing use |
--key-usage[=DigitalSignature, KeyAgreement, KeyEncipherment] | A comma-separated string or list of key usages |
--organization-units | A comma-separated list of organizational units (OU) that will be set in the issued certificate |
--organizations | A comma-separated list of organizations (O) that will be set in the issued certificate |
--country | A comma-separated list of the country that will be set in the issued certificate |
--locality | A comma-separated list of the locality that will be set in the issued certificate |
--province | A comma-separated list of the province that will be set in the issued certificate |
--street-address | A comma-separated list of the street address that will be set in the issued certificate |
--postal-code | A comma-separated list of the postal code that will be set in the issued certificate |
--destination-path | A path in Akeyless which to save generated certificates |
--protect-certificates | Whether to protect generated certificates from deletion |
--is-ca | If set, the basic constraints extension will be added to certificate |
-m, --metadata | A metadata about the issuer |
--add-tag | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2 |
--rm-tag | List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
generate-csr
generate-csr
Generates a new Certificate Signing Request (CSR)
Usage
akeyless generate-csr \
--name <path/to/Classic-Key> \
--common-name <Common name>
--generate-key
--alg <RSA1024>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory*) Full path to the Classic Key that will sign the CSR |
-g, --generate-key | Use this flag to generate a new classic key to sign the CSR - A name must be specified for the new key |
-a, --alg | Algorithm to use for generating the new key (RSA1024, RSA2048, RSA3072, RSA4096, EC256, EC384) |
-c, --common-name | (Mandatory) common name to be included in the CSR certificate |
--certificate-type | certificate type to be included in the CSR certificate (ssl-client/ssl-server/certificate-signing) |
--critical | add critical to the key usage extension (will be false if not added) |
--org | organization to be included in the CSR |
--dep | department to be included in the CSR |
--city | city to be included in the CSR |
--state | state to be included in the CSR |
--country | country to be included in the CSR |
--alt-names | a comma-separated list of dns alternative names |
--email-addresses | a comma-separated list of email addresses alternative names |
--ip-addresses | a comma-separated list of ip addresses alternative names |
--uri-sans | a comma-separated list of uri alternative names |
-u, --gateway-url[=http://localhost:8000] | API Gateway URL http://Your-Akeyless-Gateway-URL:8000 |
--description | Description of the object |
get-kube-exec-creds
get-kube-exec-creds
Gets credentials for authentication with Kubernetes cluster based on a PKI Cert Issuer
Usage
akeyless get-kube-exec-creds \
--cert-issuer-name <PKI cert issuer name> \
--key-file-path <The client public or private key file path> \
--alt-names <The Subject Alternative Names to be included in the PKI certificate> \
--ttl <Updated certificate lifetime in seconds>
Parameters
| Parameter | Description |
|---|---|
-c, --cert-issuer-name | (Mandatory) The name of the PKI certificate issuer. |
-k, --key-file-path | The client public or private key file path (in case of a private key, it will be use to extract the public key) |
--key-data-base64 | pki key file contents encoded using Base64. If this option is used, the certificate will be printed to stdout |
--csr-file-path | Path to Certificate Signing Request file to generate the certificate with |
--csr-data-base64 | Certificate Signing Request contents encoded in base64 to generate the certificate with (if csr-file-path is provided this flag is ignored) |
--common-name | The common name to be included in the PKI certificate. |
--alt-names | The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list). |
--uri-sans | The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list). |
-t, --ttl | Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL) |
-e, --extended-key-usage | A comma-separated list of extended key usage requests which will be used for certificate issuance. Supported values: 'clientauth', 'serverauth'. |
-o, --outfile | Output file path with the certificate. If not provided, the file with the certificate will be created in the same location of the provided public key with the -cert extension |
-a, --api-version[=v1] | The version of the client authentication API |
Certificate Storage
create-certificate
create-certificate
Creates a new certificate to store.
Usage
akeyless create-certificate \
--name <certificate-name> \
--certificate <path-to-certificate-PEM/CER/CRT/PFX/P12>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Unique Certificate name (mandatory) |
-c, --certificate | (Mandatory) Path to a file that contain the certificate. Supported formats are: pem,cer,crt,pfx,p12. |
--certificate-data | Content of the certificate PEM/CER/CRT/PFX/P12 in a Base64 format. It is mandatory to add this parameter OR the --certificate parameter |
--format[=pem] | Certificate Format of the certificate and private key, possible values: cer,crt,pem,pfx,p12 |
--passphrase | Passphrase to decrypt pkcs12/pks certificate data |
-p, --private-key | Path to the file with the certificate's private key. Certificate Format should be the same as provided for the certificate |
--key-data | Content of the certificate's private key PEM in a Base64 format. If this parameter is defined --private-key is disabled. |
-e, --expiration-event-in | How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5 |
-k, --key | The name of a key to use to encrypt the certificate's key' (if empty, the account default protectionKey key will be used) |
-m, --metadata | Metadata about the certificate |
-t, --tag | List of the tags attached to this certificate. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
get-certificate-value
get-certificate-value
Gets the certificate's PEM, and the private key's PEM if it exists, in a JSON file.
Usage
akeyless get-certificate-value --name <certificate-name>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Certificate name |
-d, --display-id | Certificate display ID |
--version | Certificate version |
-c, --cert-issuer-name | The parent PKI Certificate Issuer's name of the certificate, required when used with display-id and token |
--certificate-file-output | File to write the certificates to |
--private-key-file-output | File to write the private key to |
--issuance-token | Token for getting the issued certificate |
update-certificate-value
update-certificate-value
Updates the data in an existing certificate.
Usage
akeyless update-certificate-value \
--name <certificate-name> \
--certificate <path-to-certificate-PEM/CER/CRT/PFX/P12>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) Certificate name |
-c, --certificate | Path to a file that contain the certificate. Supported formats are: pem,cer,crt,pfx,p12 |
--certificate-data | Content of the certificate PEM in a Base64 format. It is mandatory to add this parameter OR the --certificate parameter |
--format[=pem] | Certificate Format of the certificate and private key, possible values: cer,crt,pem,pfx,p12 |
--passphrase | Passphrase to decrypt pkcs12/pks certificate data |
-p, --private-key | Path to the file with the certificate's private key. Certificate Format should be the same as provided for the certificate |
--key-data | Content of the certificate's private key PEM in a Base64 format. If this parameter is defined --private-key is disabled. |
-e, --expiration-event-in | How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5 |
-k, --key | The name of a key to use to encrypt the certificate's key' (if empty, the account default protectionKey key will be used) |
-m, --metadata | Metadata about the certificate |
-t, --tag | List of the tags attached to this certificate. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
Updated 16 days ago