Public CA
Working with Public CA
Akeyless supports ZeroSSL and GlobalSign as a Public CA.
The public certificate authority will sign and issue the certificate, while Akeyless will store and manage the certificate lifetime.
The issuance flow utilizes ZeroSSL or GlobalSign Traget with Akeyless PKI Issuer, ensuring full automation and storage of your public certificate while providing real-time expiration notification inside the Event Center to manage the life time of your certificates.
Prerequisites
- An Akeyless Gateway to interact with the Public Certificate Authority.
- A ZeroSSL Target or a GlobalSign Target.
PKI Cert issuer with a Target
Run the following command to create a PKI Certificate Issuer with a ZeroSSL or GlobalSign Target:
akeyless create-pki-cert-issuer \
--name <PKI Issuer name> \
--ca-target <Path/To/Target/>
--gw-cluster-url <https://akeyless-gw-url:8000> \
--ttl <7776000> \
--allowed-domains <domain1.com,domain2.com> \
--destination-path </Certificate/Storage/Folder> \
--expiration-event-in <5>
Where:
--name
: A unique name for the PKI issuer item. The name can include a path to the virtual folder where you want to create a new PKI cert issuer using the slash/
separators. If the folder does not exist, it will be created together with the item.--ca-target
: The name of an existing CA target to attach this PKI Certificate Issuer.--gw-cluster-url
: Akelyess GW URL.--ttl
: The maximum requested Time To Live for issued certificates in seconds.--allowed-domains
: A list of domains that will be allowed to issue certificates for using this item.--destination-path
: A path in Akeyless for Certificate Storage, the issued certificate will be stored under this folder.--expiration-event-in
: How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use argument multiple times:--expiration-event-in 1
--expiration-event-in 5
Issuing a certificate
Run the following OpenSSL command to create a new CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout <Key_Name>.key -out <CSR_Name>.csr
Note
The
Common Name
field (e.g., server FQDN) - Should be listed under theallowed-domains
as configured in the PKI Issuer item.
To issue a new certificate, run the following command:
akeyless get-pki-certificate -c <PKI Issuer name> --csr-file-path MyCSR.csr
The output of this command contains the following values:
display ID
- Certificate display IDissuance token
- Token for getting the issued certificate once it's validated
To retrieve the certificate, run the following command:
akeyless get-certificate-value -c <Issuer Name> -d <display ID> --issuance-token <issuance token>
Once the certificate issue request is processed, a validation email will be sent to the email address listed in the Target, and it will be processed automatically by the Gateway
The issued Certificate item should be created under the destination-path
storage folder inside Akeyless.
Updated 3 months ago