The Akeyless Dev Hub


SSH and PKI/TLS Certificates

Akeyless acts as a Certificate Authority (CA) for the internal environment.

To issue certificates from the Akeyless CA, you need to:

  1. Create or upload a CA private key: an RSA encryption key that Akeyless uses to sign the certificates.

$ akeyless upload-rsa -n MyRSAKeyCA -a RSA2048 -p <Path\To\Your\Local\Key>

A new RSA2048 key named MyRSAKeyCA was successfully uploaded

  2. Create a certificate issuer, which defines the certificate template used to issue the certificates. Akeyless supports two types of certificates, SSH and TLS.

  • SSH Certificate Issuer: Enables you to issue short-lived SSH certificates per session for machine-to-machine and human-to-machine authentication.

$ akeyless create-ssh-cert-issuer -n MySSHCert -s MyRSAKey -a ubuntu -t 6000

The value of SSH certification MySSHCert was successfully created

Options for akeyless create-ssh-cert-issuer:

  -n, --name                      *SSH certificate issuer name
  -s, --signer-key-name           *A key to sign the certificate with
  -a, --allowed-users             *Users allowed to fetch the certificate, e.g root,ubuntu
  -p, --principals                 Signed certificates with principal, e.g example_role1,example_role2
  -x, --extensions                 Signed certificates with extensions, e.g permit-port-forwarding=""
  -t, --ttl                       *The requested Time To Live for the certificate, use second units
  -m, --metadata                   A metadata about the issuer
      --profile                    Use a specific profile from your akeyless/profiles/ folder
      --username                   Required only when the authentication process requires a username and password
      --password                   Required only when the authentication process requires a username and password
      --uid-token                  The universal identity token, Required only for universal_identity authentication
  -h, --help                       display help information
      --json[=false]               Set output format to JSON
      --no-creds-cleanup[=false]   Do not clean local temporary expired creds
  • PKI/TLS Certificate Issuer: Enables you to issue ephemeral TLS certificates to be used in your workloads and network resources whenever TLS encryption during data transit is required.

$ akeyless create-pki-cert-issuer -n MyPKICert -s MyRSAKey -t 6000

The value of PKI certification MyPKICert was successfully created

Options for akeyless create-pki-cert-issuer:

  -n, --name                                                       *PKI certificate issuer name
  -s, --signer-key-name                                            *A key to sign the certificate with
      --allowed-domains                                             A list of the allowed domains that clients can request to be included in the certificate (in a comma-delimited list)
      --allowed-uri-sans                                            A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list)
      --allow-subdomains                                            If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains
      --not-enforce-hostnames                                       If set, any names are allowed for CN and SANs in the certificate and not only a valid host name
      --allow-any-name                                              If set, clients can request certificates for any CN
      --not-require-cn                                              If set, clients can request certificates without a CN
      --server-flag                                                 If set, certificates will be flagged for server auth use
      --client-flag                                                 If set, certificates will be flagged for client auth use
      --code-signing-flag                                           If set, certificates will be flagged for code signing use
      --key-usage[=DigitalSignature,KeyAgreement,KeyEncipherment]   A comma-separated string or list of key usages
      --organization-units                                          A comma-separated list of organizational units (OU) that will be set in the issued certificate
      --organizations                                               A comma-separated list of organizations (O) that will be set in the issued certificate
      --country                                                     A comma-separated list of the country that will be set in the issued certificate
      --locality                                                    A comma-separated list of the locality that will be set in the issued certificate
      --province                                                    A comma-separated list of the province that will be set in the issued certificate
      --street-address                                              A comma-separated list of the street address that will be set in the issued certificate
      --postal-code                                                 A comma-separated list of the postal code that will be set in the issued certificate
  -t, --ttl                                                        *The requested Time To Live for the certificate, use second units
  -m, --metadata                                                    A metadata about the issuer
      --profile                                                     Use a specific profile from your akeyless/profiles/ folder
      --username                                                    Required only when the authentication process requires a username and password
      --password                                                    Required only when the authentication process requires a username and password
      --uid-token                                                   The universal identity token, Required only for universal_identity authentication
  -h, --help                                                        display help information
      --json[=false]                                                Set output format to JSON
      --no-creds-cleanup[=false]                                    Do not clean local temporary expired creds
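As an added example, not Akeyless's own code or documentation, the wrapper below runs the three commands from this page (upload the CA key, create an SSH issuer, create a PKI/TLS issuer) with input checks in front of them: the TTL must be a positive number of seconds below a ceiling, and the allowed-users and allowed-domains lists must be plain comma-delimited names with no spaces, empty items or wildcards. It assumes that MAX_TTL (one day) is a site policy chosen here, that the key and issuer names and the key path are placeholders, that the signer key passed with -s is the CA key uploaded in step 1, and that --key-usage takes its value in the same "--flag value" form as the other options shown above. Set DRY_RUN=1 to print each command instead of executing it.

```shell
#!/bin/sh
# Added example, not Akeyless's own code: a wrapper around the three commands on
# this page that validates inputs before they reach the CLI. Set DRY_RUN=1 to
# print the command that would run instead of executing it.
# Assumptions: MAX_TTL is a site policy chosen here (one day); key and issuer
# names and the key path are placeholders; only flags shown on this page are used.

MAX_TTL=${MAX_TTL:-86400}

# The CLI takes the TTL in seconds: reject anything that is not a positive
# integer (so "6000h" or "1d" cannot slip through) or that exceeds MAX_TTL.
validate_ttl() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] && [ "$1" -le "$MAX_TTL" ]
}

# A comma-delimited list of plain names, e.g. root,ubuntu: no spaces, no empty
# items, no wildcards. Used for --allowed-users and --allowed-domains alike.
validate_list() {
    case "$1" in
        ''|*[!A-Za-z0-9_.,-]*|,*|*,|*,,*) return 1 ;;
    esac
}

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: upload the CA private key.  $1 = key name, $2 = path to the local RSA key
upload_ca_key() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "usage: upload_ca_key NAME PATH" >&2; return 1; }
    run akeyless upload-rsa -n "$1" -a RSA2048 -p "$2"
}

# Step 2a: SSH issuer.  $1 = issuer name, $2 = signer key (the CA key from step 1),
# $3 = allowed users, $4 = TTL in seconds
create_ssh_issuer() {
    validate_list "$3" || { echo "bad allowed-users: '$3'" >&2; return 1; }
    validate_ttl "$4"  || { echo "bad ttl: '$4' (seconds, 1..$MAX_TTL)" >&2; return 1; }
    run akeyless create-ssh-cert-issuer -n "$1" -s "$2" -a "$3" -t "$4"
}

# Step 2b: PKI/TLS issuer restricted to named domains and flagged for server auth.
# $1 = issuer name, $2 = signer key, $3 = allowed domains, $4 = TTL in seconds
create_pki_issuer() {
    validate_list "$3" || { echo "bad allowed-domains: '$3'" >&2; return 1; }
    validate_ttl "$4"  || { echo "bad ttl: '$4' (seconds, 1..$MAX_TTL)" >&2; return 1; }
    run akeyless create-pki-cert-issuer -n "$1" -s "$2" \
        --allowed-domains "$3" --server-flag \
        --key-usage DigitalSignature,KeyEncipherment -t "$4"
}

# Usage: DRY_RUN=1 sh issuers.sh demo   (prints the three commands, calls nothing)
if [ "${1:-}" = demo ]; then
    upload_ca_key MyRSAKeyCA /path/to/ca.key
    create_ssh_issuer MySSHCert MyRSAKeyCA ubuntu 6000
    create_pki_issuer MyPKICert MyRSAKeyCA example.com 6000
fi
```

Because the checks run before any command is assembled, a rejected TTL or list never produces an issuer at all; in dry-run mode the printed line is exactly what would be passed to the CLI, which makes the wrapper easy to review in a change request before it is run for real.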

Updated 6 months ago
