PKI Certificate Issuer
Introduction
Akeyless can act as a Certificate Authority (CA) for the internal environment. This page focuses on PKI/TLS certificates, if you wish to see how to create and work with SSH certificates, please follow this link.
To start building your chain of trust using Akeyless PKI Issuer, you can either bring your own CA certificate with the signing RSA key or simply generate your CA certificate as part of the signing key creation.
Using the PKI Issuer templates alongside the defined constraints enables maximum security with common PKI use cases, for example, limiting a PKI Issuer to accept issuance requests of specific key types and algorithms for example RSA4096 for specific Allowed Domains while templating the resulted certificate to use a specific list of Key Usage with a well defined Location settings.
In case you want to use your existing key, upload your RSA private key with the matching certificate for signing intermediate CA or leaf certificates based on your chain of trust, using the following command:
akeyless upload-rsa \
--name <Key Name> \
--alg <RSA2048> \
--rsa-key-file-path </path/to/RSAKey.pem> \
--cert </path/to/CACert>
Alternatively, you can create a new RSA key with a self-signed certificate:
- Create a CSR configuration file for example:
cat <<EOF > csr.conf
countryName = US
stateOrProvinceName = NY
localityName = NY
organizationName = Akeyless
organizationalUnitName = Security
commonName = akeylessSign
[ v3_req ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, digitalSignature ,cRLSign
EOF
- Create the Singer Key:
akeyless create-dfc-key \
--name <RSA-key-name> \
--alg RSA2048 \
--generate-self-signed-certificate true \
--certificate-ttl 365 \
--conf-file-path ./csr.conf
You can find the complete list of parameters for this command in the CLI-Reference-Encryption-Keys section.
Note
The example above demonstares a very basic usage of Singer key, to support all PKI settings You can work with Classic Keys as well to generate a signing key with a self-signed certificate.
Creating a Certificate Issuer
A PKI Issuer enables you to issue certificates while the certificate templates are well-defined at the issuer level. To create the PKI Issuer, use the following command:
akeyless create-pki-cert-issuer \
--name <my_pki_cert_issuer> \
--signer-key-name <RSA-key-name> \
--ttl 30d \
--destination-path /path/to/store/issued/certificates \
--create-public-crl \
--gw-cluster-url <https://Gateway URL:8000> \
--expiration-event-in 30 \
--allowed-extra-extensions '{"OID":["Value"]}'
Where:
-
name
: The name that will be assigned to the new Cert Issuer -
signer-key-name
: The CA private key which contains the root certificate to be used for certificate signing -
ttl
: The time to live of the issued certificates supported units ares,m,h,d
-
destination-path
: A path in Akeyless to save generated certificates using the issued certs under this path, to work with advanced features and events. Required for CRL -
create-public-crl
: Optional, to maintain a public CRL at:https://vault.akeyless.io/crl/<account-id>/<cert-issuer-display-id>
. -
create-private-crl
Optional, creates the CRL endpoint on the Gateway at:https://<gatewayURL>/crl/<cert-issuer-display-id>
. -
gw-cluster-url
Akeyless Gateway Configuration Manager URL (port 8000). Required for private CRL. -
expiration-event-in
: How many days before the expiration of the certificate would you like to be notified. To specify multiple events, use the argument multiple times: --expiration-event-in 30 --expiration-event-in 60 to get events 60 and 30 days in advance. -
allowed-extra-extensions
: Ajson
string that defines the allowed extra extensions for the PKI cert issuer, e.g.'{"1.2.3":["test"]}'
For additional optional parameters like allowed-domains
etc, please check the CLI Reference
Note
Automatically store issued certificate
Set the PKI Issuer item to automatically store any issued certificate with default expiration events to gain full automation of your PKI environments.
Creating a Certificate Signing Request
You can generate a Certificate Signing Request in Akeyless, with which, you will be able to issue a new certificate in Akeyless using the PKI Issuer.
It is possible to either use an existing Classic Key or create a new one.
Generate a new Certificate Signing Request:
akeyless generate-csr \
--name <name/of/new/Classic-Key> \
--generate-key \
--alg <RSA2048> \
--common-name <mydomain.com>
--gateway-url <https://Akeyless-Gateway-URL:8000>
Where:
name
: Full name of a new Classic Key that will be generated.generate-key
: Use this flag to generate a new classic key with the CSR.alg
: Algorithm to use for generating the new key supporting:RSA1024
,RSA2048
,RSA3072
,RSA4096
,EC256
,EC384
common-name
: Certificate common name.gateway-url
: Akeyless Gateway Configuration Manager URL (port8000
). to generate the classic key, relevant only when usinggenerate-key
option
You can find the complete list of parameters for this command in the CLI Reference
Issuing a Certificate
To issue and sign a new certificate, use the following command:
akeyless get-pki-certificate \
--cert-issuer-name <my_pki_cert_issuer> \
--csr-file-path ./mycsr.crt \
--outfile pki-certificate.pem
Where:
cert-issuer-name
: (Mandatory) The name of the PKI certificate issuercsr-file-path
: Path to the Certificate Signing Request file.outfile
: Output file path with the certificate. If not provided, the file with the certificate will be created in the same location as the provided public key with the -cert extension
Tip
You can provide the private key as well as part of the sign command for future certificate renewals using the
key-file-path
option.
You can find the complete list of parameters for this command in the CLI Reference.
Revoke a Certificate
To revoke an existing certificate run the following command:
akeyless revoke-certificate \
--name <certificate name>
Here you can provide a certificate full name, or use theitem-id
or the certificate serial-number
instead. In case a CRL (Certificate Revocation List) is maintained, the certificate will be added to the revocation list.
Note
In order to view the Certificate Revocation List, the PKI Cert Issuer's signing key must include the
cRLSign
extention.
Working with Certificates in the Console
Prerequisites
Creating a CA private key and root certificate to build your chain of trust:
-
Log in to the Akeyless Console, and go to Items > New > Encryption Key > DFC.
-
Define a Name of the key, and specify the Location as a path to the virtual folder where you want to create the new key, using slash
/
separators. If the folder does not exist, it will be created together with the key. -
Define the remaining parameters as follows:
-
Description: General description of the key (optional).
-
Tags: Assign tags to the key (optional).
-
Delete Protection: When enabled, protects the secret from accidental deletion.
-
Type: The encryption algorithm used for the key.
-
Customer Fragment: If you have an existing customer fragment, you may attach it to the key. If you wish to generate one, please refer to these instructions.
-
Generate-Self-Signed-Certificate: Enable this option to generate your root CA certificate as part of the key creation.
Creating a Certificate Issuer
-
Go to Items > New > PKI Cert Issuer
-
Define a Name of the cert issuer, and specify the Location as a path to the virtual folder where you want to create it, using slash
/
separators. If the folder does not exist, it will be created together with the cert issuer. -
Define the remaining parameters as follows:
-
Description: General description of the key (optional).
-
Tags: Assign tags to the key (optional).
-
Delete Protection: When enabled, protects the secret from accidental deletion.
-
Signer Key: The name of the signer key you defined in advance.
-
Certificate TTL: The time to the expiration of the certificate.
-
Allowed domains list: Specify the allowed domains for the certificates issued.
-
Allowed URI sans: Specify the allowed URI for the certificates issued.
- The description for the advanced and location parameters can be found here.
Issuing a Certificate
To issue a certificate using an existing PKI issuer through the console, go through the following steps:
-
Go to the folder in which your certificate issuer is located and select it.
-
Under the key details, you will see a button reading Generate PKI Certificate, tap it.
-
Fill in the public key (
PEM
format) or theCSR
. -
Tap generate, and if all parameters are valid, you will get a certificate.
Updated about 1 month ago