CLI Reference - Certificates
SSH certificates
get-ssh-certificate
get-ssh-certificate
Generates SSH certificate.
Please note: mandatory values for this command: -s , --cert-username , -c, --cert-issuer-name
Usage
akeyless get-ssh-certificate --cert-username <Username to sign> \
--cert-issuer-name <he name of the SSH certificate issuer> \
--public-key-file-path <path/to/SSH public key> \
--public-key-data <key file contents>
Parameters
| Parameter | Description |
|---|---|
-s, --cert-username | (Mandatory) The username to sign in the SSH certificate (use a comma-separated list for more than one username) |
-c, --cert-issuer-name | (Mandatory) The name of the SSH certificate issuer |
-p, --public-key-file-path | SSH public key |
-o, --outfile | Output file path with the certificate. If not provided, and public-key-file-path used, the file with the certificate will be created in the same location of the provided public key with the -cert extension |
--public-key-data | SSH public key file contents. If this option is used, the certificate will be printed to stdout |
-t, --ttl | Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL) |
--legacy-signing-alg-name[=false] | Set this option to output legacy ('[email protected]') signing algorithm name in the certificate. |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
create-ssh-cert-issuer
create-ssh-cert-issuer
Creates a new SSH certificate issuer.
Please note: mandatory values for this command: -n, --name, -s, --signer-key-name , -a, --allowed-users, -t, --ttl
Usage
akeyless create-ssh-cert-issuer --name <SSH certificate issuer name> \
--signer-key-name <A key to sign the certificate with> \
--allowed-users <Users allowed to fetch the certificate, e.g root, ubuntu> \
--ttl <The requested Time To Live for the certificate, in seconds>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) SSH certificate issuer name |
-s, --signer-key-name | (Mandatory) A key to sign the certificate with |
-a, --allowed-users | (Mandatory) Users allowed to fetch the certificate, e.g root, ubuntu |
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds |
-p, --principals | Signed certificates with principal, e.g example_role1,example_role2 |
-x, --extensions | Signed certificates with extensions, e.g permit-port-forwarding="" |
-m, --metadata | A metadata about the issuer |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-api | Bastion's SSH control API endpoint. E.g. https://my.bastion:9900 |
--secure-access-bastion-ssh | Bastion's SSH server. E.g. my.bastion:22 |
--secure-access-ssh-creds-user | SSH username to connect to target server, must be in 'Allowed Users' list |
--secure-access-host | Target servers for connections., For multiple values repeat this flag. |
--secure-access-use-internal-bastion | Use internal SSH Bastion - Relevant only for Secure Remote Access Deployment, mostly when using Dockers. Set the relevant IP address of the SSH Bastion for internal communication between ZT and SSH bastions. |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
update-ssh-cert-issuer
update-ssh-cert-issuer
Updates a new SSH certificate issuer
Please note: mandatory values for this command: -n, --name, -s, --signer-key-name, -a, --allowed-users, -t, --ttl
Usage
akeyless update-ssh-cert-issuer --name <SSH cert issuer name> \
--signer-key-name <A key to sign the certificate with> \
--allowed-users <Users allowed to fetch the certificate, e.g root,ubuntu>\
--ttl <The requested Time To Live for the certificate, in seconds>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) SSH certificate issuer name |
--new-name | New item name |
-s, --signer-key-name | (Mandatory) A key to sign the certificate with |
-a, --allowed-users | (Mandatory) Users allowed to fetch the certificate, e.g root,ubuntu |
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds |
-p, --principals | Signed certificates with principal, e.g example_role1,example_role2 |
-x, --extensions | Signed certificates with extensions, e.g permit-port-forwarding="" |
-m, --metadata | A metadata about the issuer |
--add-tag | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2 |
--rm-tag | List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
--secure-access-enable | Enable/Disable secure remote access, [true/false] |
--secure-access-bastion-api | Bastion's SSH control API endpoint. E.g. https://my.bastion:9900 |
--secure-access-bastion-ssh | Bastion's SSH server. E.g. my.bastion:22 |
--secure-access-ssh-creds-user | SSH username to connect to target server, must be in 'Allowed Users' list |
--secure-access-host | Target servers for connections., For multiple values repeat this flag |
--secure-access-use-internal-bastion | Use internal SSH Bastion |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
PKI certificates
get-pki-certificate
get-pki-certificate
Generates PKI certificate
Please note: mandatory values for this command: -c, --cert-issuer-name
Usage
akeyless get-pki-certificate --cert-issuer-name <name of PKI issuer> \
--key-file-path <client Public or Private Key> \
--ttl <Updated certificate lifetime in seconds>
--alt-names <The Subject Alternative Names to be included in the PKI certificate>
Parameters
| Parameter | Description |
|---|---|
-c, --cert-issuer-name | (Mandatory) The name of the PKI certificate issuer. |
-k, --key-file-path | The client public or private key file path (in case of a private key, it will be use to extract the public key) |
--key-data-base64 | pki key file contents encoded using Base64. If this option is used, the certificate will be printed to stdout |
--csr-file-path | Path to Certificate Signing Request file to generate the certificate with |
--csr-data-base64 | Certificate Signing Request contents encoded in base64 to generate the certificate with (if csr-file-path is provided this flag is ignored) |
--common-name | The common name to be included in the PKI certificate |
--alt-names | The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list) |
--uri-sans | The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list) |
-t, --ttl | Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL) |
-e, --extended-key-usage | A comma-separated list of extended key usage requests which will be used for certificate issuance. Supported values: 'clientauth', 'serverauth'. |
-o, --outfile | Output file path with the certificate. If not provided, the file with the certificate will be created in the same location of the provided public key with the -cert extension |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
create-pki-cert-issuer
create-pki-cert-issuer
Creates a new PKI certificate issuer.
Please note: mandatory values for this command: -n, --name, -s, --signer-key-name, -t, --ttl
Usage
akeyless create-pki-cert-issuer --name <PKI issuer name> \
--signer-key-name <A key to sign the certificate with> \
--ttl <The requested Time To Live for the certificate, in seconds> \
--allowed-domains <Allowed domains that clients can request to be included in the certificate> \
--allow-any-name <If set, clients can request certificates for any CN>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) PKI certificate issuer name |
-s, --signer-key-name | (Mandatory) A key to sign the certificate with |
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds |
--ca-target | The name of an existing CA target to attach this PKI Certificate Issuer to, required in Public CA mode |
--gw-cluster-url | The GW cluster URL to issue the certificate from, required in Public CA mode |
--allowed-domains | A list of the allowed domains that clients can request to be included in the certificate (in a comma-delimited list) |
--destination-path | A path in Akeyless which to save generated certificates |
--allowed-uri-sans | A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list) |
--allow-subdomains | If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains |
--not-enforce-hostnames | If set, any names are allowed for CN and SANs in the certificate and not only a valid host name |
--allow-any-name | If set, clients can request certificates for any CN |
--not-require-cn | If set, clients can request certificates without a CN. |
--server-flag | If set, certificates will be flagged for server auth use |
--client-flag | If set, certificates will be flagged for client auth use. |
--code-signing-flag | If set, certificates will be flagged for code signing use. |
--key-usage[=DigitalSignature,KeyAgreement,KeyEncipherment] | A comma-separated string or list of key usages |
-e, --expiration-event-in | How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5 |
--organization-units | A comma-separated list of organizational units (OU) that will be set in the issued certificate. |
--organizations | A comma-separated list of organizations (O) that will be set in the issued certificate. |
--country | A comma-separated list of the country that will be set in the issued certificate. |
--locality | A comma-separated list of the locality that will be set in the issued certificate. |
--province | A comma-separated list of the province that will be set in the issued certificate. |
--street-address | A comma-separated list of the street address that will be set in the issued certificate. |
--postal-code | A comma-separated list of the postal code that will be set in the issued certificate. |
-m, --metadata | A metadata about the issuer |
--tag | List of the tags attached to this key. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
update-pki-cert-issuer
update-pki-cert-issuer
Updates a new PKI certificate issuer
Please note: mandatory values for this command: -n, --name, -s, --signer-key-name, -t, --ttl
Usage
akeyless update-pki-cert-issuer --name <PKI certificate issuer name> \
--new-name <New item name>
--signer-key-name <A key to sign the certificate with> \
--ttl <The requested Time To Live for the certificate, in seconds> \
--allowed-domains <Allowed domains that clients can request to be included in the certificate>
Parameters
| Parameter | Description |
|---|---|
-n, --name | (Mandatory) PKI certificate issuer name |
--new-name | New item name |
-s, --signer-key-name | (Mandatory) A key to sign the certificate with |
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds |
--gw-cluster-url | The GW cluster URL to issue the certificate from, required in Public CA mode |
--allowed-uri-sans | A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list) |
--allow-subdomains | If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains |
--not-enforce-hostnames | If set, any names are allowed for CN and SANs in the certificate and not only a valid host name |
--allow-any-name | If set, clients can request certificates for any CN |
--not-require-cn | If set, clients can request certificates without a CN |
--server-flag | If set, certificates will be flagged for server auth use |
--client-flag | If set, certificates will be flagged for client auth use |
--code-signing-flag | If set, certificates will be flagged for code signing use |
--key-usage[=DigitalSignature, KeyAgreement, KeyEncipherment] | A comma-separated string or list of key usages |
--organization-units | A comma-separated list of organizational units (OU) that will be set in the issued certificate |
--organizations | A comma-separated list of organizations (O) that will be set in the issued certificate |
--country | A comma-separated list of the country that will be set in the issued certificate |
--locality | A comma-separated list of the locality that will be set in the issued certificate |
--province | A comma-separated list of the province that will be set in the issued certificate |
--street-address | A comma-separated list of the street address that will be set in the issued certificate |
--postal-code | A comma-separated list of the postal code that will be set in the issued certificate |
-m, --metadata | A metadata about the issuer |
--add-tag | List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2 |
--rm-tag | List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2 |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
get-kube-exec-creds
get-kube-exec-creds
Get credentials for authentication with Kubernetes cluster based on a PKI Cert Issuer
Please note: mandatory values for this command: -c, --cert-issuer-name
Usage
akeyless get-kube-exec-creds --cert-issuer-name <PKI cert issuer name> \
--key-file-path <The client public or private key file path> \
--alt-names <The Subject Alternative Names to be included in the PKI certificate> \
--ttl <Updated certificate lifetime in seconds>
Parameters
| Parameter | Description |
|---|---|
-c, --cert-issuer-name | (Mandatory) The name of the PKI certificate issuer. |
-k, --key-file-path | The client public or private key file path (in case of a private key, it will be use to extract the public key) |
--key-data-base64 | pki key file contents encoded using Base64. If this option is used, the certificate will be printed to stdout |
--common-name | The common name to be included in the PKI certificate. |
--alt-names | The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list). |
--uri-sans | The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list). |
-t, --ttl | Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL) |
-e, --extended-key-usage | A comma-separated list of extended key usage requests which will be used for certificate issuance. Supported values: 'clientauth', 'serverauth'. |
-o, --outfile | Output file path with the certificate. If not provided, the file with the certificate will be created in the same location of the provided public key with the -cert extension |
-a, --api-version[=v1] | The version of the client authentication API |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
Certificate Storage
create-certificate
create-certificate
Creates a new certificate to store.
Usage
akeyless create-certificate -n <certificate-name> -c <path-to-certificate-PEM/CER/CRT/PFX/P12>
Parameters
| Parameter | Description |
|---|---|
-n, --name | Unique Certificate name (mandatory) |
-c, --certificate | Path to a file that contain the certificate. Supported formats are: pem,cer,crt,pfx,p12. |
--certificate-data | Content of the certificate PEM/CER/CRT/PFX/P12 in a Base64 format. It is mandatory to add this parameter OR the --certificate parameter |
--format[=pem] | Certificate Format of the certificate and private key, possible values: cer,crt,pem,pfx,p12 |
--passphrase | Passphrase to decrypt pkcs12/pks certificate data |
-p, --private-key | Path to the file with the certificate's private key. Certificate Format should be the same as provided for the certificate |
--key-data | Content of the certificate's private key PEM in a Base64 format. If this parameter is defined --private-key is disabled. |
-e, --expiration-event-in | How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5 |
-k, --key | The name of a key to use to encrypt the certificate's key' (if empty, the account default protectionKey key will be used) |
-m, --metadata | Metadata about the certificate |
-t, --tag | List of the tags attached to this certificate. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
-h, --help | display help information |
--json[=false] | Set output format to JSON |
--no-creds-cleanup[=false] | Do not clean local temporary expired creds |
get-certificate-value
get-certificate-value
This command will return the certificate's PEM, and the private key's PEM if it exists, in a JSON file.
Usage
akeyless get-certificate-value -n <certificate-name>
Parameters
-n, --name | Certificate name (Mandatory) |
-d, --display-id | Certificate display ID |
--version | Certificate version |
-c, --cert-issuer-name | The parent PKI Certificate Issuer's name of the certificate, required when used with display-id and token |
--certificate-file-output | File to write the certificates to |
--private-key-file-output | File to write the private key to |
--issuance-token | Token for getting the issued certificate |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
-h, --help | display help information |
--json[=false] | Set output format to JSON |
--no-creds-cleanup[=false] | Do not clean local temporary expired creds |
update-certificate-value
update-certificate-value
This command will update the data in an existing certificate.
Usage
akeyless update-certificate-value -n <certificate-name> -c <path-to-certificate-PEM/CER/CRT/PFX/P12>
Parameters
| Parameter | Description |
|---|---|
-n, --name | Unique Certificate name (mandatory) |
-c, --certificate | Path to a file that contain the certificate. Supported formats are: pem,cer,crt,pfx,p12 |
--certificate-data | Content of the certificate PEM in a Base64 format. It is mandatory to add this parameter OR the --certificate parameter |
--format[=pem] | Certificate Format of the certificate and private key, possible values: cer,crt,pem,pfx,p12 |
--passphrase | Passphrase to decrypt pkcs12/pks certificate data |
-p, --private-key | Path to the file with the certificate's private key. Certificate Format should be the same as provided for the certificate |
--key-data | Content of the certificate's private key PEM in a Base64 format. If this parameter is defined --private-key is disabled. |
-e, --expiration-event-in | How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5 |
-k, --key | The name of a key to use to encrypt the certificate's key' (if empty, the account default protectionKey key will be used) |
-m, --metadata | Metadata about the certificate |
-t, --tag | List of the tags attached to this certificate. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2 |
--delete-protection | Protection from accidental deletion of this item, [true/false] |
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token |
--uid-token | The universal identity token, Required only for universal_identity authentication |
-h, --help | display help information |
--json[=false] | Set output format to JSON |
--no-creds-cleanup[=false] | Do not clean local temporary expired creds |
Updated 20 days ago