CLI Reference - Certificates

SSH certificates

get-ssh-certificate

Generates an SSH certificate.

Please note: mandatory values for this command: -s, --cert-username, -c, --cert-issuer-name

Usage
akeyless get-ssh-certificate --cert-username <Username to sign> \
--cert-issuer-name <The name of the SSH certificate issuer> \
--public-key-file-path <path/to/SSH public key> \
--public-key-data <key file contents>
Parameters
Parameter | Description
-s, --cert-username | (Mandatory) The username to sign in the SSH certificate (use a comma-separated list for more than one username)
-c, --cert-issuer-name | (Mandatory) The name of the SSH certificate issuer
-p, --public-key-file-path | SSH public key file path
-o, --outfile | Output file path for the certificate. If not provided and --public-key-file-path is used, the certificate file is created in the same location as the provided public key, with the -cert suffix
--public-key-data | SSH public key file contents. If this option is used, the certificate is printed to stdout
-t, --ttl | Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL)
--legacy-signing-alg-name[=false] | Set this option to output the legacy ('[email protected]') signing algorithm name in the certificate
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

create-ssh-cert-issuer

Creates a new SSH certificate issuer.

Please note: mandatory values for this command: -n, --name, -s, --signer-key-name, -a, --allowed-users, -t, --ttl

Usage
akeyless create-ssh-cert-issuer --name <SSH certificate issuer name> \
--signer-key-name <A key to sign the certificate with> \
--allowed-users <Users allowed to fetch the certificate, e.g. root,ubuntu> \
--ttl <The requested Time To Live for the certificate, in seconds>
Parameters
Parameter | Description
-n, --name | (Mandatory) SSH certificate issuer name
-s, --signer-key-name | (Mandatory) A key to sign the certificate with
-a, --allowed-users | (Mandatory) Users allowed to fetch the certificate, e.g. root,ubuntu
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds
-p, --principals | Sign certificates with these principals, e.g. example_role1,example_role2
-x, --extensions | Sign certificates with these extensions, e.g. permit-port-forwarding=""
-m, --metadata | Metadata about the issuer
--secure-access-enable | Enable/disable secure remote access, [true/false]
--secure-access-bastion-api | Bastion's SSH control API endpoint, e.g. https://my.bastion:9900
--secure-access-bastion-ssh | Bastion's SSH server, e.g. my.bastion:22
--secure-access-ssh-creds-user | SSH username to connect to the target server; must be in the 'Allowed Users' list
--secure-access-host | Target servers for connections. For multiple values, repeat this flag
--secure-access-use-internal-bastion | Use the internal SSH Bastion. Relevant only for Secure Remote Access deployments, mostly when using Docker. Set the IP address of the SSH Bastion for internal communication between the ZT and SSH bastions
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

update-ssh-cert-issuer

Updates an existing SSH certificate issuer.

Please note: mandatory values for this command: -n, --name, -s, --signer-key-name, -a, --allowed-users, -t, --ttl

Usage
akeyless update-ssh-cert-issuer --name <SSH cert issuer name> \
--signer-key-name <A key to sign the certificate with> \
--allowed-users <Users allowed to fetch the certificate, e.g. root,ubuntu> \
--ttl <The requested Time To Live for the certificate, in seconds>
Parameters
Parameter | Description
-n, --name | (Mandatory) SSH certificate issuer name
--new-name | New item name
-s, --signer-key-name | (Mandatory) A key to sign the certificate with
-a, --allowed-users | (Mandatory) Users allowed to fetch the certificate, e.g. root,ubuntu
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds
-p, --principals | Sign certificates with these principals, e.g. example_role1,example_role2
-x, --extensions | Sign certificates with these extensions, e.g. permit-port-forwarding=""
-m, --metadata | Metadata about the issuer
--add-tag | List of new tags to attach to this item. To specify multiple tags, use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag | List of existing tags to remove from this item. To specify multiple tags, use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--secure-access-enable | Enable/disable secure remote access, [true/false]
--secure-access-bastion-api | Bastion's SSH control API endpoint, e.g. https://my.bastion:9900
--secure-access-bastion-ssh | Bastion's SSH server, e.g. my.bastion:22
--secure-access-ssh-creds-user | SSH username to connect to the target server; must be in the 'Allowed Users' list
--secure-access-host | Target servers for connections. For multiple values, repeat this flag
--secure-access-use-internal-bastion | Use the internal SSH Bastion
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication
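A certificate returned by get-ssh-certificate should stay inside the limits its issuer was created with (--allowed-users, --principals, --extensions, --ttl). The script below is an added example, not part of the Akeyless CLI or its documentation: it parses an OpenSSH certificate line (the ed25519 layout from OpenSSH's PROTOCOL.certkeys) and reports principals, extensions or a lifetime that exceed an issuer policy. The IssuerPolicy class is an assumed mapping of the issuer flags, the sample certificate is constructed and unsigned, and no signature is verified (that remains the SSH server's job).

```python
"""Check an OpenSSH user certificate against the limits of the issuer that signed it."""
import base64
import struct
from dataclasses import dataclass


def _string(buf: bytes, off: int):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _name_list(blob: bytes) -> list:
    """Decode a packed list of strings (the 'valid principals' field)."""
    out, off = [], 0
    while off < len(blob):
        s, off = _string(blob, off)
        out.append(s.decode())
    return out


def _kv_list(blob: bytes) -> dict:
    """Decode critical options / extensions: packed (name, data) string pairs."""
    out, off = {}, 0
    while off < len(blob):
        name, off = _string(blob, off)
        data, off = _string(blob, off)
        out[name.decode()] = data
    return out


def parse_ssh_cert(line: str) -> dict:
    """Parse an OpenSSH certificate line ('<type> <base64> [comment]').
    Only the ed25519 layout (one public-key field after the nonce) is handled."""
    ctype, b64 = line.split()[:2]
    if ctype != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError(f"unsupported certificate type {ctype}")
    buf = base64.b64decode(b64)
    wire_type, off = _string(buf, 0)
    if wire_type.decode() != ctype:
        raise ValueError("certificate type prefix does not match the body")
    _nonce, off = _string(buf, off)
    pubkey, off = _string(buf, off)
    serial, cert_type = struct.unpack_from(">QI", buf, off)
    off += 12
    key_id, off = _string(buf, off)
    principals, off = _string(buf, off)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    off += 16
    crit, off = _string(buf, off)
    ext, off = _string(buf, off)
    _reserved, off = _string(buf, off)
    ca_key, off = _string(buf, off)
    signature, off = _string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after the signature field")
    return {
        "key_id": key_id.decode(), "serial": serial,
        "cert_type": cert_type,  # 1 = user certificate, 2 = host certificate
        "principals": _name_list(principals),
        "valid_after": valid_after, "valid_before": valid_before,
        "critical_options": _kv_list(crit), "extensions": _kv_list(ext),
        "public_key": pubkey, "ca_key": ca_key, "signature": signature,
    }


@dataclass
class IssuerPolicy:
    """Assumed model of what the issuer was created with (not the product's own type)."""
    allowed_users: set        # --allowed-users / --principals
    allowed_extensions: set   # --extensions
    max_ttl: int              # --ttl, in seconds


def check_against_issuer(cert: dict, policy: IssuerPolicy) -> list:
    """Return the list of policy violations (empty when the certificate is within limits)."""
    problems = []
    if cert["cert_type"] != 1:
        problems.append("not a user certificate")
    if not cert["principals"]:
        # OpenSSH treats an empty principals list as "valid for any principal".
        problems.append("no principals: certificate would be accepted for any user")
    for p in cert["principals"]:
        if p not in policy.allowed_users:
            problems.append(f"principal {p!r} is not in the issuer's allowed users")
    for e in cert["extensions"]:
        if e not in policy.allowed_extensions:
            problems.append(f"extension {e!r} is not permitted by the issuer")
    lifetime = cert["valid_before"] - cert["valid_after"]
    if lifetime > policy.max_ttl:
        problems.append(f"lifetime {lifetime}s exceeds the issuer TTL of {policy.max_ttl}s")
    return problems


def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample_cert(principals, extensions, valid_after, valid_before) -> str:
    """Build a CONSTRUCTED, unsigned certificate line for exercising the checks above.
    Key, CA key and signature are placeholders, so an SSH server would reject it."""
    body = (
        _s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x11" * 32)
        + struct.pack(">QI", 1, 1) + _s(b"demo-key-id")
        + _s(b"".join(_s(p.encode()) for p in principals))
        + struct.pack(">QQ", valid_after, valid_before)
        + _s(b"")  # no critical options
        + _s(b"".join(_s(e.encode()) + _s(b"") for e in extensions))
        + _s(b"") + _s(b"placeholder-ca-key") + _s(b"placeholder-signature")
    )
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " demo"


if __name__ == "__main__":
    policy = IssuerPolicy({"root", "ubuntu"}, {"permit-pty", "permit-port-forwarding"}, 3600)
    cert = parse_ssh_cert(build_sample_cert(["admin"], ["permit-agent-forwarding"], 0, 86400))
    for problem in check_against_issuer(cert, policy):
        print(problem)
```

For a one-off look at a real certificate, ssh-keygen -L -f <cert file> prints the same fields; the parser above is for automated checks in a pipeline that issues certificates and wants to fail closed when principals, extensions or validity drift from what the issuer is meant to allow.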

PKI certificates

get-pki-certificate

Generates a PKI certificate.

Please note: mandatory values for this command: -c, --cert-issuer-name

Usage
akeyless get-pki-certificate --cert-issuer-name <name of PKI issuer> \
--key-file-path <client Public or Private Key> \
--ttl <Updated certificate lifetime in seconds> \
--alt-names <The Subject Alternative Names to be included in the PKI certificate>
Parameters
Parameter | Description
-c, --cert-issuer-name | (Mandatory) The name of the PKI certificate issuer
-k, --key-file-path | The client public or private key file path (in the case of a private key, it will be used to extract the public key)
--key-data-base64 | PKI key file contents encoded using Base64. If this option is used, the certificate is printed to stdout
--csr-file-path | Path to the Certificate Signing Request file to generate the certificate with
--csr-data-base64 | Certificate Signing Request contents encoded in Base64 to generate the certificate with (if --csr-file-path is provided, this flag is ignored)
--common-name | The common name to be included in the PKI certificate
--alt-names | The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list)
--uri-sans | The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list)
-t, --ttl | Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL)
-e, --extended-key-usage | A comma-separated list of extended key usage requests to be used for certificate issuance. Supported values: 'clientauth', 'serverauth'
-o, --outfile | Output file path for the certificate. If not provided, the certificate file is created in the same location as the provided public key, with the -cert suffix
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

create-pki-cert-issuer

Creates a new PKI certificate issuer.

Please note: mandatory values for this command: -n, --name, -s, --signer-key-name, -t, --ttl

Usage
akeyless create-pki-cert-issuer --name <PKI issuer name> \
--signer-key-name <A key to sign the certificate with> \
--ttl <The requested Time To Live for the certificate, in seconds> \
--allowed-domains <Allowed domains that clients can request to be included in the certificate> \
--allow-any-name <If set, clients can request certificates for any CN>
Parameters
Parameter | Description
-n, --name | (Mandatory) PKI certificate issuer name
-s, --signer-key-name | (Mandatory) A key to sign the certificate with
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds
--ca-target | The name of an existing CA target to attach this PKI Certificate Issuer to; required in Public CA mode
--gw-cluster-url | The GW cluster URL to issue the certificate from; required in Public CA mode
--allowed-domains | A list of the allowed domains that clients can request to be included in the certificate (in a comma-delimited list)
--destination-path | A path in Akeyless in which to save generated certificates
--allowed-uri-sans | A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list)
--allow-subdomains | If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains
--not-enforce-hostnames | If set, any names are allowed for the CN and SANs in the certificate, not only valid host names
--allow-any-name | If set, clients can request certificates for any CN
--not-require-cn | If set, clients can request certificates without a CN
--server-flag | If set, certificates will be flagged for server auth use
--client-flag | If set, certificates will be flagged for client auth use
--code-signing-flag | If set, certificates will be flagged for code signing use
--key-usage[=DigitalSignature,KeyAgreement,KeyEncipherment] | A comma-separated list of key usages
-e, --expiration-event-in | How many days before the expiration of the certificate you would like to be notified. To specify multiple events, use the argument multiple times: --expiration-event-in 1 --expiration-event-in 5
--organization-units | A comma-separated list of organizational units (OU) that will be set in the issued certificate
--organizations | A comma-separated list of organizations (O) that will be set in the issued certificate
--country | A comma-separated list of the country that will be set in the issued certificate
--locality | A comma-separated list of the locality that will be set in the issued certificate
--province | A comma-separated list of the province that will be set in the issued certificate
--street-address | A comma-separated list of the street address that will be set in the issued certificate
--postal-code | A comma-separated list of the postal code that will be set in the issued certificate
-m, --metadata | Metadata about the issuer
--tag | List of tags attached to this key. To specify multiple tags, use the argument multiple times: --tag Tag1 --tag Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

update-pki-cert-issuer

Updates an existing PKI certificate issuer.

Please note: mandatory values for this command: -n, --name, -s, --signer-key-name, -t, --ttl

Usage
akeyless update-pki-cert-issuer --name <PKI certificate issuer name> \
--new-name <New item name> \
--signer-key-name <A key to sign the certificate with> \
--ttl <The requested Time To Live for the certificate, in seconds> \
--allowed-domains <Allowed domains that clients can request to be included in the certificate>
Parameters
Parameter | Description
-n, --name | (Mandatory) PKI certificate issuer name
--new-name | New item name
-s, --signer-key-name | (Mandatory) A key to sign the certificate with
-t, --ttl | (Mandatory) The requested Time To Live for the certificate, in seconds
--gw-cluster-url | The GW cluster URL to issue the certificate from; required in Public CA mode
--allowed-uri-sans | A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list)
--allow-subdomains | If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains
--not-enforce-hostnames | If set, any names are allowed for the CN and SANs in the certificate, not only valid host names
--allow-any-name | If set, clients can request certificates for any CN
--not-require-cn | If set, clients can request certificates without a CN
--server-flag | If set, certificates will be flagged for server auth use
--client-flag | If set, certificates will be flagged for client auth use
--code-signing-flag | If set, certificates will be flagged for code signing use
--key-usage[=DigitalSignature,KeyAgreement,KeyEncipherment] | A comma-separated list of key usages
--organization-units | A comma-separated list of organizational units (OU) that will be set in the issued certificate
--organizations | A comma-separated list of organizations (O) that will be set in the issued certificate
--country | A comma-separated list of the country that will be set in the issued certificate
--locality | A comma-separated list of the locality that will be set in the issued certificate
--province | A comma-separated list of the province that will be set in the issued certificate
--street-address | A comma-separated list of the street address that will be set in the issued certificate
--postal-code | A comma-separated list of the postal code that will be set in the issued certificate
-m, --metadata | Metadata about the issuer
--add-tag | List of new tags to attach to this item. To specify multiple tags, use the argument multiple times: --add-tag Tag1 --add-tag Tag2
--rm-tag | List of existing tags to remove from this item. To specify multiple tags, use the argument multiple times: --rm-tag Tag1 --rm-tag Tag2
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication
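The name restrictions on a PKI certificate issuer (--allowed-domains, --allow-subdomains, --allow-any-name, --not-enforce-hostnames, --not-require-cn, for both create-pki-cert-issuer and update-pki-cert-issuer) interact, and a flag like --allow-any-name quietly overrides the domain list. The script below is an added example, not part of the Akeyless CLI or its documentation: it is an assumed model of those flags, built only from their descriptions above and not the product's actual implementation, so you can see which --common-name and --alt-names requests a planned issuer configuration would accept and which flags widen issuance beyond the domain list.

```python
"""Assumed model of a PKI issuer's name restrictions (not the product's own logic)."""
import re
from dataclasses import dataclass, field

# A DNS host name, optionally with a leading wildcard label.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


@dataclass
class PkiIssuerNamePolicy:
    """Hypothetical container for the issuer's name-related flags."""
    allowed_domains: list = field(default_factory=list)  # --allowed-domains
    allow_subdomains: bool = False                       # --allow-subdomains
    allow_any_name: bool = False                         # --allow-any-name
    not_enforce_hostnames: bool = False                  # --not-enforce-hostnames
    not_require_cn: bool = False                         # --not-require-cn


def name_allowed(policy: PkiIssuerNamePolicy, name: str) -> bool:
    """Decide whether one CN or DNS SAN is acceptable under the policy."""
    # Host-name syntax is enforced unless --not-enforce-hostnames is set.
    if not policy.not_enforce_hostnames and not _HOSTNAME_RE.match(name):
        return False
    # --allow-any-name makes the domain list irrelevant.
    if policy.allow_any_name:
        return True
    wildcard = name.startswith("*.")
    bare = name[2:].lower() if wildcard else name.lower()
    for dom in (d.lower() for d in policy.allowed_domains):
        if bare == dom:
            # Exact allowed domain; '*.example.com' is a wildcard subdomain request.
            return policy.allow_subdomains if wildcard else True
        if policy.allow_subdomains and bare.endswith("." + dom):
            return True
    return False


def request_allowed(policy: PkiIssuerNamePolicy, common_name: str, alt_names=()):
    """Decide a whole request (--common-name plus --alt-names); returns (ok, reason)."""
    if not common_name and not policy.not_require_cn:
        return False, "common name required (issuer lacks --not-require-cn)"
    names = ([common_name] if common_name else []) + list(alt_names)
    for n in names:
        if not name_allowed(policy, n):
            return False, f"name {n!r} not permitted by the issuer"
    return True, "ok"


def risky_settings(policy: PkiIssuerNamePolicy) -> list:
    """Flags that widen issuance beyond the allowed-domains list; worth a review."""
    out = []
    if policy.allow_any_name:
        out.append("--allow-any-name: allowed-domains no longer restricts the CN or SANs")
    if policy.not_enforce_hostnames:
        out.append("--not-enforce-hostnames: names that are not host names are accepted")
    if policy.allow_subdomains:
        out.append("--allow-subdomains: wildcard certificates for allowed domains can be issued")
    return out


if __name__ == "__main__":
    # Constructed configuration: one allowed domain with subdomains enabled.
    policy = PkiIssuerNamePolicy(["example.com"], allow_subdomains=True)
    for cn in ("api.example.com", "*.example.com", "example.org"):
        print(cn, request_allowed(policy, cn))
    for warning in risky_settings(policy):
        print("review:", warning)
```

Run the model against the exact flag set you intend to pass to create-pki-cert-issuer; if a name you did not expect comes back allowed, or risky_settings lists a flag, tighten the issuer before creating it rather than relying on clients to request only the names they should.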

get-kube-exec-creds

Gets credentials for authenticating to a Kubernetes cluster, based on a PKI Cert Issuer.

Please note: mandatory values for this command: -c, --cert-issuer-name

Usage
akeyless get-kube-exec-creds --cert-issuer-name <PKI cert issuer name> \
--key-file-path <The client public or private key file path> \
--alt-names <The Subject Alternative Names to be included in the PKI certificate> \
--ttl <Updated certificate lifetime in seconds>
Parameters
Parameter | Description
-c, --cert-issuer-name | (Mandatory) The name of the PKI certificate issuer
-k, --key-file-path | The client public or private key file path (in the case of a private key, it will be used to extract the public key)
--key-data-base64 | PKI key file contents encoded using Base64. If this option is used, the certificate is printed to stdout
--common-name | The common name to be included in the PKI certificate
--alt-names | The Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list)
--uri-sans | The URI Subject Alternative Names to be included in the PKI certificate (in a comma-delimited list)
-t, --ttl | Updated certificate lifetime in seconds (must be less than the Certificate Issuer default TTL)
-e, --extended-key-usage | A comma-separated list of extended key usage requests to be used for certificate issuance. Supported values: 'clientauth', 'serverauth'
-o, --outfile | Output file path for the certificate. If not provided, the certificate file is created in the same location as the provided public key, with the -cert suffix
-a, --api-version[=v1] | The version of the client authentication API
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication

Certificate Storage

create-certificate

Creates a new certificate to store.

Usage
akeyless create-certificate -n <certificate-name> -c <path-to-certificate-PEM/CER/CRT/PFX/P12>
Parameters
Parameter | Description
-n, --name | (Mandatory) Unique certificate name
-c, --certificate | Path to a file that contains the certificate. Supported formats: pem, cer, crt, pfx, p12
--certificate-data | Content of the certificate (PEM/CER/CRT/PFX/P12) in Base64 format. Either this parameter or --certificate is mandatory
--format[=pem] | Certificate format of the certificate and private key; possible values: cer, crt, pem, pfx, p12
--passphrase | Passphrase to decrypt pkcs12/pks certificate data
-p, --private-key | Path to the file with the certificate's private key. The certificate format should be the same as provided for the certificate
--key-data | Content of the certificate's private key PEM in Base64 format. If this parameter is defined, --private-key is disabled
-e, --expiration-event-in | How many days before the expiration of the certificate you would like to be notified. To specify multiple events, use the argument multiple times: --expiration-event-in 1 --expiration-event-in 5
-k, --key | The name of a key to use to encrypt the certificate's key (if empty, the account default protectionKey key will be used)
-m, --metadata | Metadata about the certificate
-t, --tag | List of tags attached to this certificate. To specify multiple tags, use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication
-h, --help | Display help information
--json[=false] | Set output format to JSON
--no-creds-cleanup[=false] | Do not clean up local temporary expired credentials

get-certificate-value

This command will return the certificate's PEM, and the private key's PEM if it exists, in a JSON file.

Usage
akeyless get-certificate-value -n <certificate-name>
Parameters
Parameter | Description
-n, --name | (Mandatory) Certificate name
-d, --display-id | Certificate display ID
--version | Certificate version
-c, --cert-issuer-name | The name of the certificate's parent PKI Certificate Issuer; required when used with --display-id and --token
--certificate-file-output | File to write the certificates to
--private-key-file-output | File to write the private key to
--issuance-token | Token for getting the issued certificate
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication
-h, --help | Display help information
--json[=false] | Set output format to JSON
--no-creds-cleanup[=false] | Do not clean up local temporary expired credentials

update-certificate-value

This command will update the data in an existing certificate.

Usage
akeyless update-certificate-value -n <certificate-name> -c <path-to-certificate-PEM/CER/CRT/PFX/P12>
Parameters
Parameter | Description
-n, --name | (Mandatory) Unique certificate name
-c, --certificate | Path to a file that contains the certificate. Supported formats: pem, cer, crt, pfx, p12
--certificate-data | Content of the certificate PEM in Base64 format. Either this parameter or --certificate is mandatory
--format[=pem] | Certificate format of the certificate and private key; possible values: cer, crt, pem, pfx, p12
--passphrase | Passphrase to decrypt pkcs12/pks certificate data
-p, --private-key | Path to the file with the certificate's private key. The certificate format should be the same as provided for the certificate
--key-data | Content of the certificate's private key PEM in Base64 format. If this parameter is defined, --private-key is disabled
-e, --expiration-event-in | How many days before the expiration of the certificate you would like to be notified. To specify multiple events, use the argument multiple times: --expiration-event-in 1 --expiration-event-in 5
-k, --key | The name of a key to use to encrypt the certificate's key (if empty, the account default protectionKey key will be used)
-m, --metadata | Metadata about the certificate
-t, --tag | List of tags attached to this certificate. To specify multiple tags, use the argument multiple times: --tag Tag1 -t Tag2
--delete-protection | Protection from accidental deletion of this item, [true/false]
--profile, --token | Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--uid-token | The universal identity token, required only for universal_identity authentication
-h, --help | Display help information
--json[=false] | Set output format to JSON
--no-creds-cleanup[=false] | Do not clean up local temporary expired credentials