PKI/TLS Certificates
Introduction
Akeyless can act as a Certificate Authority (CA) for the internal environment. This page focuses on PKI/TLS certificates; if you wish to see how to create and work with SSH certificates, please follow this link.
Working with Certificates in the CLI
Prerequisites
- Create or upload a CA private key and a CA certificate to sign the certificates.
Note
If you create your CA Private Key in the Akeyless Console, make sure that it is a DFC key.
In order to configure a CA, you will first need an RSA key to match. You can either use an existing key or create a new one. Once you are logged in to your Akeyless account on the desired server, proceed to one of the following:
In case you want to use an existing key, upload your CA (RSA private key) for signing the client TLS certificate, using the following command:
akeyless upload-rsa --name <your-RSA-key-name> --alg <RSA2048> --rsa-key-file-path <Path-to-RSA.pem>
Alternatively, you can create a new RSA key in Akeyless Platform:
akeyless create-key --name <your-RSA-key-name> --alg <RSA2048>
After you have the desired key on the server, display your key using the following command:
akeyless get-rsa-public --name <your-RSA-key-name>
The output should look like this:
- RAW: MIIBIjANBgkqhkiG9w0BAQEFAAOCOA89zPvRJc7VWRu72wR9muOdHX3vP7bscR+fGgKuOn1XPXBPjsOmo
- SSH: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABzfIqG4wUJFTWCemKV5Z0blvxzUuZnkWUHRdSnowxXyANqQcZ
- PEM: -----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8w0BAQEFAAOCAQAQdfIsN7oV4BZdlj9PT8
WgAaZ+XdAcQeElmSEgetlQ3INYfdUzOEwroj4RlscYhKPeF730gkVv502+LCLeC3
53jYUnUvYUnUnm33Sa/uY31iXrMKQcP6QJ2IauY31iXrMKQcP6QJ2IauY31iXrMK
l4BfQzeHV23YLvCLDRVB5YxXHogQ00IDGjYFPbp3KuYVqIZiDcTdmQ0HsHE28bQe
-----END RSA PUBLIC KEY-----
Creating a Certificate Issuer:
A PKI/TLS Certificate Issuer (CI) enables you to issue ephemeral TLS certificates for your workloads and network resources whenever TLS encryption during data transit is required. To create a CI that defines the certificate template used to issue the TLS certificates, use the following command and parameters:
The following command will create a new PKI Issuer in the Akeyless Platform with ancillary data.
- -n, --name: The name that will be assigned to the new Cert Issuer
- -s, --signer-key-name: The private key to be used for certificate signing
- -t, --ttl: The time (in seconds) to the expiration of the certificate
For additional optional parameters like flags, allowed domains, and others, please check the CLI Reference
akeyless create-pki-cert-issuer -n <my_pki_cert_issuer> -s <your-RSA-key-name> --ttl 86400
Issuing a Certificate:
- To issue and sign a new PKI/TLS certificate, use the following command:
akeyless get-pki-certificate -c <my_pki_cert_issuer> -k <path to public/private key> -o pki-certificate.pem
The main parameters are:
- -c, --cert-issuer-name: (Mandatory) The name of the PKI certificate issuer
- -k, --key-file-path: The client public or private key (PEM format) file path (in the case of a private key, it will be used to extract the public key)
- --csr-file-path: Alternatively, the path to the Certificate Signing Request file to generate the certificate with
- -o, --outfile: Output file path for the certificate. If not provided, the file with the certificate will be created in the same location as the provided public key, with the -cert extension
For alternative and additional parameters, please go to the command reference.
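As an added example (not from the Akeyless documentation), the following script covers the local openssl steps around the CLI flow above: generating the workload key pair and the CSR passed via --csr-file-path, then checking the certificate that comes back against the CA certificate, the issuer's --ttl and its allowed domain. Issuance is simulated with a local openssl CA so the script runs offline; the hostnames and CA name are constructed, and the akeyless commands themselves are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the Akeyless docs): the local steps around
# `akeyless get-pki-certificate` -- building the workload key pair and the CSR
# passed via --csr-file-path, then checking the returned certificate against
# the CA certificate, the issuer's --ttl and its allowed-domains list.
# Issuance is simulated with a local openssl CA so the script runs offline.
set -eu

make_client_csr() {   # $1 key out, $2 csr out, $3 hostname (constructed sample)
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl req -new -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Stand-in for the Akeyless issuer: sign the CSR with a local CA for $6 days.
simulate_issue() {    # $1 ca cert, $2 ca key, $3 csr, $4 cert out, $5 hostname, $6 days
  printf 'subjectAltName=DNS:%s\n' "$5" > "$4.ext"
  openssl x509 -req -in "$3" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days "$6" -extfile "$4.ext" -out "$4" 2>/dev/null
}

# Checks a workload should run before trusting the returned file:
#  1. it chains to the CA certificate paired with the issuer's signer key,
#  2. it is valid now and expires no later than $3 seconds from now (the --ttl),
#  3. its subjectAltName carries the allowed domain $4.
verify_issued_cert() { # $1 ca cert, $2 cert, $3 max ttl seconds, $4 allowed domain
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null || return 1
  # -checkend N exits non-zero when the cert expires within N seconds,
  # which is exactly what a freshly issued --ttl certificate must do.
  if openssl x509 -in "$2" -noout -checkend "$(( $3 + 1 ))" >/dev/null; then
    return 1
  fi
  openssl x509 -in "$2" -noout -text | grep -q "DNS:$4" || return 1
}

# End-to-end run in a temp dir; $1 is the domain the verifier expects to see.
demo() {
  d=$(mktemp -d)
  # Local CA key: in production this is the RSA key uploaded with `akeyless upload-rsa`.
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/ca.key" -days 365 \
    -subj "/CN=Example Internal CA" -out "$d/ca.pem" 2>/dev/null
  make_client_csr "$d/svc.key" "$d/svc.csr" "svc.example.internal"
  simulate_issue "$d/ca.pem" "$d/ca.key" "$d/svc.csr" "$d/svc.pem" "svc.example.internal" 1
  if verify_issued_cert "$d/ca.pem" "$d/svc.pem" 86400 "$1"; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}
```

Run `demo svc.example.internal` after a real issuance by pointing verify_issued_cert at the CA certificate and the pki-certificate.pem written by `-o`; a certificate for a name outside the allowed domain, or one with a longer lifetime than the issuer's --ttl, fails the check.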
Working with Certificates in the Console
Prerequisites
Creating a CA private key to sign the certificates:
- Log in to the Akeyless Console, and go to Secrets & Keys > New > Encryption Key > DFC.
- Define a Name for the key, and specify the Location as a path to the virtual folder where you want to create the new key, using slash (/) separators. If the folder does not exist, it will be created together with the key.
- Define the remaining parameters as follows:
  - Description: general description of the key (optional).
  - Tags: assign tags to the key (optional).
  - Delete Protection: When enabled, protects the secret from accidental deletion.
  - Type: The encryption algorithm used for the key.
  - Customer Fragment: If you have an existing customer fragment, you may attach it to the key. If you wish to generate one, please refer to these instructions.
Creating a Certificate Issuer
- Go to Secrets & Keys > New > PKI Cert Issuer.
- Define a Name for the cert issuer, and specify the Location as a path to the virtual folder where you want to create it, using slash (/) separators. If the folder does not exist, it will be created together with the cert issuer.
- Define the remaining parameters as follows:
  - Description: General description of the key (optional).
  - Tags: Assign tags to the key (optional).
  - Delete Protection: When enabled, protects the secret from accidental deletion.
  - Signer Key: The name of the linked key you defined in advance and used in steps 4-5.
  - Certificate Lifetime in Seconds: The time (in seconds) to the expiration of the certificate.
  - Allowed domains list: Specify the allowed domains for the certificates issued.
  - Allowed URI sans: Specify the allowed URIs for the certificates issued.
- The description of the advanced and location parameters can be found here.
Issuing a Certificate
In order to issue a TLS certificate using an existing PKI issuer through the console, go through the following steps:
- Go to the folder in which your certificate issuer is located and select it.
- Under the key details, you will see a button reading Generate PKI Certificate; tap it.
- Fill in the public key (PEM format), which can be either pasted in or uploaded from a file.
- Tap Generate, and if all parameters are valid, you will get a certificate.