CLI Reference - Certificates

SSH certificates

This section outlines the CLI commands relevant to SSH certificates.

General Flags:

--profile, --token: Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token

--uid-token: The Universal Identity token; required only for universal_identity authentication

-h, --help: Display help information

--json[=false]: Set output format to JSON

--jq-expression: JQ expression to filter result output

--no-creds-cleanup[=false]: Do not clean local temporary expired creds

get-ssh-certificate

Generates an SSH certificate, signed by an Akeyless SSH certificate issuer, for a public key that you supply either as a file path or inline

Usage
akeyless get-ssh-certificate \
--cert-username <Username to sign> \
--cert-issuer-name <The name of the SSH certificate issuer> \
--public-key-file-path <path/to/SSH public key> | --public-key-data <key file contents>
Flags

-s, --cert-username: Required, The username to sign in the SSH certificate (use a comma-separated list for more than one username)

-c, --cert-issuer-name: Required, The name of the SSH certificate issuer

-p, --public-key-file-path: SSH public key

-o, --outfile: Output file path for the certificate. If not provided and --public-key-file-path was used, the certificate is written next to the provided public key with a -cert suffix (the name OpenSSH looks for alongside the private key)

--public-key-data: SSH public key file contents. If this option is used, the certificate will be printed to stdout

-t, --ttl: Certificate lifetime in seconds, overriding the issuer default (must be less than the Certificate Issuer's default TTL)

--legacy-signing-alg-name[=false]: Set this option to output the legacy signing algorithm name ('ssh-rsa-cert-v01@openssh.com') in the certificate, for servers that do not accept the rsa-sha2-* names

create-ssh-cert-issuer

Creates a new SSH certificate issuer

Usage
akeyless create-ssh-cert-issuer \
--name <SSH certificate issuer name> \
--signer-key-name <A key to sign the certificate with> \
--allowed-users <Users allowed to fetch the certificate> \
--ttl <Time To Live for the certificate>
Flags

-n, --name: Required, SSH certificate issuer name

-s, --signer-key-name: Required, A key to sign the certificate with

-a, --allowed-users: Required, Users allowed to fetch the certificate, in a comma-separated list, e.g. root,ubuntu

-t, --ttl: Required, The requested Time To Live for the certificate, in seconds

-p, --principals: Principals to include in the signed certificate, in a comma-separated list, e.g. example_role1,example_role2

-x, --extensions: Extensions to include in the signed certificate, e.g. permit-port-forwarding=""

--host-provider[=explicit]: Host provider type [explicit/target]

-m, --metadata: Metadata describing the issuer

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-api: Bastion's SSH control API endpoint. E.g. https://my.bastion:9900

--secure-access-bastion-ssh: Bastion's SSH server. E.g. my.bastion:22

--secure-access-ssh-creds-user: SSH username to connect to target server, must be in 'Allowed Users' list

--secure-access-host: Target servers for connections. For multiple values repeat this flag

--secure-access-use-internal-bastion: Use the internal SSH Bastion. Relevant only for a Secure Remote Access deployment, typically when running in Docker: set the IP address of the SSH Bastion used for internal communication between the Zero Trust (ZT) and SSH bastions

--delete-protection: Protection from accidental deletion of this item, [true/false]
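The certificate that get-ssh-certificate writes is an OpenSSH certificate whose principals, validity window and extensions come straight from the issuer flags above (--allowed-users and --principals, --ttl, --extensions). The following added example, which is not part of this page or of the Akeyless tooling, decodes such a certificate with the Python standard library and checks it against the issuer policy before it is installed next to the private key. It parses the OpenSSH certificate wire format (PROTOCOL.certkeys) and does not verify the CA signature; sshd and ssh-keygen -L do that. The sample certificate it builds is constructed and unsigned, purely to exercise the parser; the function names, the key id and the TTL values are the example's own.

```python
"""Added example (not Akeyless code): decode an OpenSSH certificate as written by
get-ssh-certificate and check it against the issuer policy before installing it."""
import base64
import struct

USER_CERT = 1  # certificate "type" field: 1 = user certificate, 2 = host certificate

# Number of public-key fields that follow the nonce, per certificate type.
_KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve name, Q
}


class _Reader:
    """Cursor over the SSH wire encoding (RFC 4251 uint32 / uint64 / string)."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def num(self, fmt: str) -> int:  # ">I" for uint32, ">Q" for uint64
        (v,) = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def string(self) -> bytes:
        n = self.num(">I")
        if self.pos + n > len(self.buf):
            raise ValueError("truncated certificate")
        v = self.buf[self.pos:self.pos + n]
        self.pos += n
        return v

    def strings(self) -> list:  # rest of the buffer as consecutive strings
        out = []
        while self.pos < len(self.buf):
            out.append(self.string())
        return out


def parse_ssh_cert(line: str) -> dict:
    """Decode one line of an id_*-cert.pub file into its policy-relevant fields.
    The CA signature is carried along but NOT verified here; sshd does that."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in _KEY_FIELDS:
        raise ValueError("not a supported OpenSSH certificate line")
    r = _Reader(base64.b64decode(parts[1]))
    if r.string().decode() != parts[0]:
        raise ValueError("certificate type does not match the key type prefix")
    r.string()                                           # nonce
    for _ in range(_KEY_FIELDS[parts[0]]):
        r.string()                                       # the signed public key
    serial, ctype, key_id = r.num(">Q"), r.num(">I"), r.string().decode()
    principals = [p.decode() for p in _Reader(r.string()).strings()]
    valid_after, valid_before = r.num(">Q"), r.num(">Q")
    # critical options and extensions are packed (name, data) string pairs
    critical = [x.decode() for x in _Reader(r.string()).strings()[0::2]]
    extensions = [x.decode() for x in _Reader(r.string()).strings()[0::2]]
    r.string()                                           # reserved
    ca_key_type = _Reader(r.string()).string().decode()  # signature key
    r.string()                                           # signature (unverified)
    return {"serial": serial, "type": ctype, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "critical_options": sorted(critical),
            "extensions": sorted(extensions), "ca_key_type": ca_key_type}


def check_user_cert(cert: dict, username: str, issuer_ttl: int, now: int,
                    required_extensions=("permit-pty",)) -> list:
    """Return policy violations; an empty list means the certificate is usable."""
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if username not in cert["principals"]:
        problems.append(f"{username!r} is not among principals {cert['principals']}")
    if cert["valid_before"] - cert["valid_after"] > issuer_ttl:
        problems.append("lifetime exceeds the issuer TTL")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside the validity window")
    for ext in required_extensions:
        if ext not in cert["extensions"]:
            problems.append(f"missing extension {ext}")
    return problems


def build_sample_cert(principals, valid_after: int, ttl: int, extensions) -> str:
    """Constructed, UNSIGNED ed25519 certificate used only to exercise the parser;
    key, CA key and signature are zero bytes, so sshd would reject it."""
    s = lambda b: struct.pack(">I", len(b)) + b  # SSH string encoding
    ctype = b"ssh-ed25519-cert-v01@openssh.com"
    body = (s(ctype) + s(bytes(32)) + s(bytes(32))             # type, nonce, pk
            + struct.pack(">QI", 7, USER_CERT) + s(b"akeyless-example")
            + s(b"".join(s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_after + ttl)
            + s(b"")                                            # no critical options
            + s(b"".join(s(e.encode()) + s(b"") for e in extensions))
            + s(b"")                                            # reserved
            + s(s(b"ssh-ed25519") + s(bytes(32)))               # CA public key
            + s(s(b"ssh-ed25519") + s(bytes(64))))              # signature blob
    return ctype.decode() + " " + base64.b64encode(body).decode()
```

Run it against a real file with parse_ssh_cert(open("id_ed25519-cert.pub").read()). A non-empty list from check_user_cert means the request reached the issuer with a username or TTL the policy does not cover, the certificate lacks an extension the login needs, or it has already expired; any of those is worth catching before the key is handed to ssh-agent.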

update-ssh-cert-issuer

Updates an existing SSH certificate issuer

Usage
akeyless update-ssh-cert-issuer \
--name <SSH cert issuer name> \
--signer-key-name <A key to sign the certificate with> \
--allowed-users <Users allowed to fetch the certificate> \
--ttl <Time To Live for the certificate>

Flags

-n, --name: Required, SSH certificate issuer name

--new-name: New item name

-s, --signer-key-name: Required, A key to sign the certificate with

-a, --allowed-users: Required, Users allowed to fetch the certificate, in a comma-separated list, e.g. root,ubuntu

-t, --ttl: Required, The requested Time To Live for the certificate, in seconds

-p, --principals: Principals to include in the signed certificate, in a comma-separated list, e.g. example_role1,example_role2

-x, --extensions: Extensions to include in the signed certificate, e.g. permit-port-forwarding=""

--host-provider[=explicit]: Host provider type [explicit/target]

-m, --metadata: Metadata describing the issuer

--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use argument multiple times: --add-tag Tag1 --add-tag Tag2

--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use argument multiple times: --rm-tag Tag1 --rm-tag Tag2

--secure-access-enable: Enable/Disable secure remote access, [true/false]

--secure-access-bastion-api: Bastion's SSH control API endpoint. E.g. https://my.bastion:9900

--secure-access-bastion-ssh: Bastion's SSH server. E.g. my.bastion:22

--secure-access-ssh-creds-user: SSH username to connect to target server, must be in 'Allowed Users' list

--secure-access-host: Target servers for connections. For multiple values repeat this flag

--secure-access-use-internal-bastion: Use the internal SSH Bastion (see create-ssh-cert-issuer)

PKI certificates

get-pki-certificate

Generates a PKI certificate signed by an Akeyless PKI certificate issuer, from a public key, a private key (only its public half is used) or a CSR

Usage
akeyless get-pki-certificate \
--cert-issuer-name <PKI issuer name> \
--key-file-path <client Key> \
--ttl <certificate lifetime> 
Flags

-c, --cert-issuer-name: Required, The name of the PKI certificate issuer.

-k, --key-file-path: The client public or private key file path (in case of a private key, it will be used only to extract the public key)

--key-data-base64: pki key file contents encoded using Base64. If this option is used, the certificate will be printed to stdout

--csr-file-path: Path to Certificate Signing Request file to generate the certificate with

--csr-data-base64: Certificate Signing Request contents encoded in base64 to generate the certificate with (if csr-file-path is provided this flag is ignored)

--common-name: The common name to be included in the PKI certificate

--alt-names: The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list)

--uri-sans: The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list)

-t, --ttl: Certificate lifetime in seconds, overriding the issuer default (must be less than the Certificate Issuer's default TTL)

-e, --extended-key-usage: A comma-separated list of extended key usage requests that will be used for certificate issuance. Supported values: 'clientauth', 'serverauth'.

--extra-extensions: A JSON string that defines the requested extra extensions for the certificate

--extra-extensions-file-path: A path to a file containing a JSON string that defines the requested extra extensions for the certificate

-o, --outfile: Output file path for the certificate. If not provided, the certificate is written next to the provided public key with a -cert suffix

renew-certificate

Renew a PKI certificate

Usage
akeyless renew-certificate \
--name <Certificate name> \
--item-id <Certificate Item-ID>
Flags

-n, --name: Certificate name

-i, --item-id: Certificate item ID

--generate-key: Generate a new key as part of the certificate renewal

create-pki-cert-issuer

Creates a new PKI certificate issuer

Usage
akeyless create-pki-cert-issuer \
--name <PKI issuer name> \
--ttl <The maximum requested Time To Live for issued certificates, in seconds> \
--signer-key-name <A key to sign the certificate with> 
Flags

-n, --name: Required, PKI certificate issuer name

--ca-target: The name of an existing CA target to attach this PKI Certificate Issuer to, required in Public CA mode

-s, --signer-key-name: A key to sign the certificate with

--gw-cluster-url: The GW cluster URL to issue the certificate from, required in Public CA mode

-t, --ttl: Required, The maximum requested Time To Live for issued certificates, in seconds. In case of Public CA, this is based on the CA target's supported maximum TTLs

--allowed-domains: A list of the allowed domains that clients can request to be included in the certificate (in a comma-delimited list)

--allowed-uri-sans: A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list)

--allow-subdomains: If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains

--not-enforce-hostnames: If set, any names are allowed for the CN and SANs in the certificate, not only valid host names

--allow-any-name: If set, clients can request certificates for any CN

--not-require-cn: If set, clients can request certificates without a CN.

--server-flag : If set, certificates will be flagged for server auth use

--client-flag : If set, certificates will be flagged for client auth use.

--code-signing-flag : If set, certificates will be flagged for code signing use.

--key-usage[=DigitalSignature,KeyAgreement,KeyEncipherment]: A comma-separated string or list of key usages

--organization-units : A comma-separated list of organizational units (OU) that will be set in the issued certificate.

--organizations : A comma-separated list of organizations (O) that will be set in the issued certificate.

--country : A comma-separated list of the country that will be set in the issued certificate.

--locality: A comma-separated list of the locality that will be set in the issued certificate.

--province: A comma-separated list of the province that will be set in the issued certificate.

--street-address: A comma-separated list of the street address that will be set in the issued certificate.

--postal-code: A comma-separated list of the postal code that will be set in the issued certificate.

--destination-path: A path in Akeyless which to save generated certificates

--protect-certificates: Whether to protect generated certificates from deletion

--is-ca: If set, the basic constraints extension will be added to the certificate

-e, --expiration-event-in: How many days before the expiration of the certificate would you like to be notified, To specify multiple events, use the argument multiple times: --expiration-event-in 1 --expiration-event-in 5

--allowed-extra-extensions: A JSON string that defines the allowed extra extensions for the PKI cert issuer, e.g. '{"<OID>":["<Value>"]}'

--allowed-extra-extensions-file-path: A path to a file containing a JSON string that defines the allowed extra extensions for the PKI cert issuer

--allow-copy-ext-from-csr: If set, will allow copying the extra extensions from the CSR file (if given)

--description: Description of the object

--delete-protection: Protection from accidental deletion of this item, [true/false]

--tag: List of the tags attached to this key. To specify multiple tags use argument multiple times: --tag Tag1 --tag Tag2
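The name-restriction flags (--allowed-domains, --allow-subdomains, --allow-any-name, --not-enforce-hostnames, --not-require-cn), the key-usage flags (--server-flag, --client-flag) and --ttl decide which get-pki-certificate requests the issuer will sign. The added example below is a local model of those rules, written for this page and not Akeyless code: it evaluates a planned --common-name / --alt-names / --extended-key-usage / --ttl request against an issuer definition so a refusal can be explained before the call is made. The exact matching rules are this example's assumptions, derived from the flag descriptions (exact domain match always allowed; subdomains and wildcards only with --allow-subdomains; RFC 1123 hostname syntax while hostnames are enforced), and may differ in detail from what the service enforces. The IssuerPolicy fields mirror the flags one to one; the class and function names are the example's own.

```python
"""Added example (not Akeyless code): a local model of the name, key-usage and TTL
restrictions that create-pki-cert-issuer flags express, used to preflight a
get-pki-certificate request. The matching rules are this example's assumptions."""
import re
from dataclasses import dataclass

# RFC 1123 label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


@dataclass
class IssuerPolicy:
    """One field per issuer flag; each boolean defaults to the flag being absent."""
    allowed_domains: tuple = ()      # --allowed-domains a.com,b.org
    allow_subdomains: bool = False   # --allow-subdomains
    allow_any_name: bool = False     # --allow-any-name
    enforce_hostnames: bool = True   # cleared by --not-enforce-hostnames
    require_cn: bool = True          # cleared by --not-require-cn
    server_flag: bool = False        # --server-flag  -> serverauth EKU
    client_flag: bool = False        # --client-flag  -> clientauth EKU
    max_ttl: int = 0                 # --ttl (0 = not modelled)


def is_hostname(name: str) -> bool:
    """Valid DNS name, allowing a single leading wildcard label."""
    labels = name.lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(_LABEL.match(label) for label in labels)


def name_allowed(name: str, p: IssuerPolicy) -> bool:
    """Would the issuer accept this CN or DNS SAN? (assumed rules, see lead-in)"""
    n = name.lower()
    if p.enforce_hostnames and not is_hostname(n):
        return False
    if p.allow_any_name:
        return True
    wildcard = n.startswith("*.")
    bare = n[2:] if wildcard else n
    for d in (x.lower() for x in p.allowed_domains):
        if bare == d and not wildcard:                   # exact match always allowed
            return True
        if p.allow_subdomains and (bare == d or bare.endswith("." + d)):
            return True                                  # *.d, x.d, *.x.d
    return False


def preflight(p: IssuerPolicy, common_name: str, alt_names=(),
              extended_key_usage=(), ttl=None) -> list:
    """Return the reasons the issuer would refuse this request (empty = should pass)."""
    problems = []
    if not common_name and p.require_cn:
        problems.append("issuer requires a CN")
    for n in ([common_name] if common_name else []) + list(alt_names):
        if not name_allowed(n, p):
            problems.append(f"name not permitted by issuer policy: {n}")
    enabled = {"serverauth": p.server_flag, "clientauth": p.client_flag}
    for usage in extended_key_usage:
        if usage not in enabled:
            problems.append(f"unsupported EKU: {usage}")
        elif not enabled[usage]:
            problems.append(f"issuer does not enable {usage}")
    if ttl is not None and p.max_ttl and ttl > p.max_ttl:
        problems.append(f"ttl {ttl} exceeds issuer ttl {p.max_ttl}")
    return problems
```

The point to take from the model is the interaction of the flags: --allowed-domains alone permits only exact names, so a server certificate for www.example.com needs --allow-subdomains on the issuer, and --allow-any-name still rejects names that are not syntactically hosts unless --not-enforce-hostnames is also set. Keep the issuer as narrow as the workload needs; --allow-any-name together with --not-enforce-hostnames turns the issuer into a general-purpose CA for any identity a caller can spell.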

update-pki-cert-issuer

Updates an existing PKI certificate issuer

Usage
akeyless update-pki-cert-issuer \
--name <PKI issuer name> \
--ttl <The maximum requested Time To Live for issued certificates, in seconds> \
--new-name <New item name> \
--signer-key-name <A key to sign the certificate with>

Flags

-n, --name: Required, PKI certificate issuer name

--new-name: New item name

-s, --signer-key-name: A key to sign the certificate with

-t, --ttl: Required, The maximum requested Time To Live for issued certificates, in seconds. In case of Public CA, this is based on the CA target's supported maximum TTLs

--gw-cluster-url: The GW cluster URL to issue the certificate from, required in Public CA mode

--allowed-uri-sans: A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list)

--allow-subdomains: If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains

--not-enforce-hostnames: If set, any names are allowed for the CN and SANs in the certificate, not only valid host names

--allow-any-name: If set, clients can request certificates for any CN

--not-require-cn: If set, clients can request certificates without a CN

--server-flag: If set, certificates will be flagged for server auth use

--client-flag: If set, certificates will be flagged for client auth use

--code-signing-flag: If set, certificates will be flagged for code signing use

--key-usage[=DigitalSignature,KeyAgreement,KeyEncipherment]: A comma-separated string or list of key usages

--organization-units: A comma-separated list of organizational units (OU) that will be set in the issued certificate

--organizations: A comma-separated list of organizations (O) that will be set in the issued certificate

--country: A comma-separated list of the country that will be set in the issued certificate

--locality: A comma-separated list of the locality that will be set in the issued certificate

--province: A comma-separated list of the province that will be set in the issued certificate

--street-address: A comma-separated list of the street address that will be set in the issued certificate

--postal-code: A comma-separated list of the postal code that will be set in the issued certificate

--destination-path: A path in Akeyless which to save generated certificates

--protect-certificates: Whether to protect generated certificates from deletion

--is-ca: If set, the basic constraints extension will be added to the certificate

--expiration-event-in: How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use the argument multiple times: --expiration-event-in 1 --expiration-event-in 5

--allowed-extra-extensions: A JSON string that defines the allowed extra extensions for the PKI cert issuer

--allowed-extra-extensions-file-path: A path to a file containing a JSON string that defines the allowed extra extensions for the PKI cert issuer.

--allow-copy-ext-from-csr: If set, will allow copying the extra extensions from the CSR file (if given)

--description: Description of the object

--delete-protection: Protection from accidental deletion of this item, [true/false]

--add-tag: List of the new tags that will be attached to this item. To specify multiple tags use the argument multiple times: --add-tag Tag1 --add-tag Tag2

--rm-tag: List of the existent tags that will be removed from this item. To specify multiple tags use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2

generate-csr

Generates a new Certificate Signing Request (CSR)

Usage
akeyless generate-csr \
--name <Full path to the Classic Key that will sign the CSR> \
--common-name <Common name to be included in the CSR>
Flags

-n, --name: Required, Full path to the Classic Key that will sign the CSR

-g, --generate-key: Generate a new Classic Key to sign the CSR; --name then specifies the name of the new key

-k, --key-type[=classic-key]: The type of the key to generate (classic-key/dfc)

-a, --alg: Algorithm to use for generating the new key (RSA1024, RSA2048, RSA3072, RSA4096, EC256, EC384)

-c, --common-name: Required, Common name to be included in the CSR

--certificate-type: Certificate type to be requested in the CSR (ssl-client/ssl-server/certificate-signing)

--critical: Mark the key usage extension as critical (false if not set)

--org: organization to be included in the CSR

--dep: department to be included in the CSR

--city: city to be included in the CSR

--state: state to be included in the CSR

--country: country to be included in the CSR

--alt-names: a comma-separated list of dns alternative names

--email-addresses: a comma-separated list of email addresses alternative names

--ip-addresses: a comma-separated list of ip addresses alternative names

--uri-sans: a comma-separated list of uri alternative names

-u, --gateway-url[=http://localhost:8000]: API Gateway URL http://Your-Akeyless-Gateway-URL:8000

--description: Description of the object

get-kube-exec-creds

Gets credentials for authentication with Kubernetes cluster based on a PKI Cert Issuer

Usage
akeyless get-kube-exec-creds \
--cert-issuer-name <PKI cert issuer name> \
--key-file-path <The client public or private key file path> \
--alt-names <The Subject Alternative Names to be included in the PKI certificate> \ 
--ttl <Updated certificate lifetime in seconds>
Flags

-c, --cert-issuer-name: Required, The name of the PKI certificate issuer.

-k, --key-file-path: The client public or private key file path (in case of a private key, it will be used only to extract the public key)

--key-data-base64: pki key file contents encoded using Base64. If this option is used, the certificate will be printed to stdout

--csr-file-path: Path to Certificate Signing Request file to generate the certificate with

--csr-data-base64: Certificate Signing Request contents encoded in base64 to generate the certificate with (if csr-file-path is provided this flag is ignored)

--common-name: The common name to be included in the PKI certificate.

--alt-names: The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list).

--uri-sans: The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list).

-t, --ttl: Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL)

-e, --extended-key-usage: A comma-separated list of extended key usage requests which will be used for certificate issuance. Supported values: 'clientauth', 'serverauth'.

-o, --outfile: Output file path for the certificate. If not provided, the certificate is written next to the provided public key with a -cert suffix

-a, --api-version[=v1]: The version of the client authentication API

Certificate Storage

create-certificate

Creates a new certificate to store

Usage
akeyless create-certificate \
--name <certificate-name> \
--certificate <path-to-certificate-PEM/CER/CRT/PFX/P12>
Flags

-n, --name: Required, Unique certificate name

-c, --certificate: Required unless --certificate-data is given, Path to a file that contains the certificate. Supported formats are: pem,cer,crt,pfx,p12

--certificate-data: Content of the certificate PEM/CER/CRT/PFX/P12 in a Base64 format. It is mandatory to add this OR the --certificate

--format[=pem]: Certificate Format of the certificate and private key, possible values: cer,crt,pem,pfx,p12

--passphrase: Passphrase to decrypt PKCS#12 (pfx/p12) certificate data

-p, --private-key: Path to the file with the certificate's private key. Certificate Format should be the same as provided for the certificate

--key-data: Content of the certificate's private key PEM in a Base64 format. If this is defined --private-key is disabled.

-e, --expiration-event-in: How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5

-k, --key: The name of a key to use to encrypt the certificate's private key (if empty, the account default protection key will be used)

-m, --metadata: Metadata about the certificate

-t, --tag: List of the tags attached to this certificate. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2

--delete-protection: Protection from accidental deletion of this item, [true/false]

get-certificate-value

Gets the certificate PEM and, if one is stored with it, the private key PEM, as a JSON document

Usage
akeyless get-certificate-value --name <certificate-name>
Flags

-n, --name: Required, Certificate name

-d, --display-id: Certificate display ID

--version: Certificate version

-c, --cert-issuer-name: Name of the PKI Certificate Issuer that issued the certificate; required when used with --display-id and --issuance-token

--certificate-file-output: File to write the certificates to

--private-key-file-output: File to write the private key to

--issuance-token: Token for getting the issued certificate
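With --json, get-certificate-value returns the certificate PEM and, when one was stored by create-certificate, the private key PEM in a single JSON document. The added example below, which is not part of this page or of the Akeyless CLI, consumes that output from Python: it invokes the CLI as an argument list rather than a shell string, splits the certificate field into leaf and chain blocks, and writes the key with mode 0600 through O_CREAT|O_EXCL so an existing file or a planted symlink is never overwritten. The field names certificate_pem and private_key_pem are assumptions about the --json output and should be checked against your CLI version; the SAMPLE document is a constructed placeholder, not real key material; the function names are the example's own.

```python
"""Added example (not Akeyless code): install the JSON that
`akeyless get-certificate-value --json` returns without exposing the key."""
import json
import os
import shutil
import subprocess
import tempfile

# Assumed response field names; confirm against your CLI version's --json output.
CERT_FIELD, KEY_FIELD = "certificate_pem", "private_key_pem"

SAMPLE = {  # constructed placeholder, not real certificate or key material
    CERT_FIELD: ("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                 "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"),
    KEY_FIELD: "-----BEGIN PRIVATE KEY-----\nCCCC\n-----END PRIVATE KEY-----\n",
}


def fetch(name: str, version=None) -> dict:
    """Run the CLI as an argument list (never a shell string) and decode --json."""
    argv = [shutil.which("akeyless") or "akeyless", "get-certificate-value",
            "--name", name, "--json"]
    if version is not None:
        argv += ["--version", str(version)]
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def split_pem(bundle: str) -> list:
    """Return each PEM block (leaf first, then intermediates) as its own string."""
    blocks, current = [], []
    for raw in bundle.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-----BEGIN ") and current:
            raise ValueError("PEM block started before the previous one ended")
        current.append(line)
        if line.startswith("-----END "):
            blocks.append("\n".join(current) + "\n")
            current = []
    if current:
        raise ValueError("unterminated PEM block")
    return blocks


def write_private(path: str, data: str) -> None:
    """Create path with mode 0600; fail rather than overwrite a file or follow a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def install(value: dict, cert_path: str, key_path: str) -> dict:
    """Write leaf+chain to cert_path and, if the item holds one, the key to key_path."""
    blocks = split_pem(value[CERT_FIELD])
    if not blocks or "CERTIFICATE" not in blocks[0]:
        raise ValueError("response carries no certificate")
    with open(cert_path, "w") as fh:      # public material, default umask is fine
        fh.write("".join(blocks))
    key = value.get(KEY_FIELD)
    if key:
        key_blocks = split_pem(key)
        if len(key_blocks) != 1 or "PRIVATE KEY" not in key_blocks[0]:
            raise ValueError("unexpected private key material")
        write_private(key_path, key_blocks[0])
    return {"chain_length": len(blocks), "has_key": bool(key)}


def demo(value: dict = SAMPLE) -> dict:
    """Install into a fresh private temp dir and report what landed there."""
    d = tempfile.mkdtemp()
    try:
        cert, key = os.path.join(d, "tls.crt"), os.path.join(d, "tls.key")
        info = install(value, cert, key)
        info["key_mode"] = oct(os.stat(key).st_mode & 0o777) if info["has_key"] else None
        with open(cert) as fh:
            info["cert_blocks"] = len(split_pem(fh.read()))
        return info
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())          # against a real item: demo(fetch("<certificate-name>"))
```

The same handling applies to the --certificate-file-output and --private-key-file-output flags: whichever path the key ends up on, check its mode afterwards, and prefer fetching by a pinned --version in automation so a rotation does not silently change what a deploy step installs.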

update-certificate-value

Updates the data in an existing certificate

Usage
akeyless update-certificate-value \
--name <certificate-name> \
--certificate <path-to-certificate-PEM/CER/CRT/PFX/P12>
Flags

-n, --name: Required, Certificate name

-c, --certificate: Path to a file that contains the certificate. Supported formats are: pem,cer,crt,pfx,p12

--certificate-data: Content of the certificate PEM in a Base64 format. It is mandatory to add this OR the --certificate

--format[=pem]: Certificate Format of the certificate and private key, possible values: cer,crt,pem,pfx,p12

--passphrase: Passphrase to decrypt PKCS#12 (pfx/p12) certificate data

-p, --private-key: Path to the file with the certificate's private key. Certificate Format should be the same as provided for the certificate

--key-data: Content of the certificate's private key PEM in a Base64 format. If this is defined --private-key is disabled.

-e, --expiration-event-in: How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times: --expiration-event-in 1 --expiration-event-in 5

-k, --key: The name of a key to use to encrypt the certificate's private key (if empty, the account default protection key will be used)

-m, --metadata: Metadata about the certificate

-t, --tag: List of the tags attached to this certificate. To specify multiple tags use argument multiple times: --tag Tag1 -t Tag2

--delete-protection: Protection from accidental deletion of this item, [true/false]

provision-certificate

Provisions the content of a stored certificate to a target

Usage
akeyless provision-certificate \
--name <Certificate name> \
--item-id <Certificate Item-ID>
Flags

-n, --name: Certificate name

-I, --item-id: Certificate item ID

-d, --display-id: Certificate display ID