PKI/TLS Certificates

Introduction

Akeyless can act as a Certificate Authority (CA) for the internal environment. This page focuses on PKI/TLS certificates; if you wish to see how to create and work with SSH certificates, please follow this link.

Working with Certificates in the CLI

Prerequisites

  1. Create or upload a CA private key and a CA certificate to sign the certificates.

Note: If you create your CA Private Key in the Akeyless Console, make sure that it is a DFC key.

To configure a CA, you first need a matching RSA key. You can either use an existing key or create a new one. Once you are logged in to your Akeyless account on the desired server, proceed with one of the following:

If you want to use an existing key, upload your CA (RSA private key) for signing the client TLS certificates, using the following command:

akeyless upload-rsa --name <your-RSA-key-name> --alg <RSA2048> --rsa-key-file-path <Path-to-RSA.pem>

Alternatively, you can create a new RSA key in Akeyless Platform:

akeyless create-key --name <your-RSA-key-name> --alg <RSA2048>

After you have the desired key on the server, display your key using the following command:

akeyless get-rsa-public --name <your-RSA-key-name>

The output should look like this:

- RAW: MIIBIjANBgkqhkiG9w0BAQEFAAOCOA89zPvRJc7VWRu72wR9muOdHX3vP7bscR+fGgKuOn1XPXBPjsOmo
- SSH: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABzfIqG4wUJFTWCemKV5Z0blvxzUuZnkWUHRdSnowxXyANqQcZ
- PEM: -----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8w0BAQEFAAOCAQAQdfIsN7oV4BZdlj9PT8
WgAaZ+XdAcQeElmSEgetlQ3INYfdUzOEwroj4RlscYhKPeF730gkVv502+LCLeC3
53jYUnUvYUnUnm33Sa/uY31iXrMKQcP6QJ2IauY31iXrMKQcP6QJ2IauY31iXrMK
l4BfQzeHV23YLvCLDRVB5YxXHogQ00IDGjYFPbp3KuYVqIZiDcTdmQ0HsHE28bQe
-----END RSA PUBLIC KEY-----

Creating a Certificate Issuer:

A PKI/TLS Certificate Issuer (CI) enables you to issue ephemeral TLS certificates for your workloads and network resources whenever TLS encryption of data in transit is required. To create a CI that defines the certificate template used to issue the TLS certificates, use the following command and parameters. The command creates a new PKI Issuer in the Akeyless Platform with the ancillary data given by these parameters:

  • -n, --name: The name that will be assigned to the new Cert Issuer
  • -s, --signer-key-name: The private key to be used for certificate signing
  • -t, --ttl: The time (in seconds) to the expiration of the certificate

For additional optional parameters, such as flags, allowed domains, and others, please check the CLI Reference.

akeyless create-pki-cert-issuer -n <my_pki_cert_issuer> -s <your-RSA-key-name> --ttl 86400

Issuing a Certificate:

To issue and sign a new PKI/TLS certificate, use the following command:

akeyless get-pki-certificate -c <my_pki_cert_issuer> -k <path to public/private key> -o pki-certificate.pem

The main parameters are:

  • -c, --cert-issuer-name: (Mandatory) The name of the PKI certificate issuer
  • -k, --key-file-path: The client public or private key (PEM format) file path (in the case of a private key, it will be used to extract the public key)
  • --csr-file-path: Alternatively, the path to a Certificate Signing Request (CSR) file from which to generate the certificate.
  • -o, --outfile: Output file path for the certificate. If not provided, the certificate file will be created in the same location as the provided public key, with the -cert extension

For alternative and additional parameters, please go to the command reference.
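The CLI flow above end to end, as an added example that is not part of the Akeyless documentation: the client key pair and CSR are generated locally (so the private key never leaves the host), the issuer signs the CSR via the --csr-file-path route described above, and the returned certificate is checked against the CA certificate before use. It assumes a logged-in akeyless CLI; the issuer name and TTL are placeholders matching the commands on this page, and the checks themselves use openssl.

```shell
#!/bin/sh
# Added example, not part of the Akeyless documentation.
# Assumptions: the `akeyless` CLI is installed and logged in; ISSUER and TTL
# are placeholders matching the create-pki-cert-issuer command on this page.
set -eu

ISSUER="${ISSUER:-my_pki_cert_issuer}"   # placeholder: your PKI cert issuer name
TTL="${TTL:-86400}"                      # the --ttl the issuer was created with

# 1. Generate the client key pair and a CSR locally, so the private key never
#    leaves the workload host (the issuer only ever sees the CSR).
make_csr() {  # make_csr <common-name> <dir>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2/client.key" -out "$2/client.csr" 2>/dev/null
}

# 2. Have the Akeyless issuer sign the CSR (the --csr-file-path route above).
issue_cert() {  # issue_cert <dir>
  akeyless get-pki-certificate -c "$ISSUER" --csr-file-path "$1/client.csr" -o "$1/client.pem"
}

# 3. Validate what came back before deploying it: it must chain to the CA
#    certificate, must not be expired, and its remaining lifetime must not
#    exceed the issuer TTL (a longer-lived cert means the wrong issuer or
#    template signed it). Prints "ok" on success, a reason otherwise.
check_cert() {  # check_cert <cert.pem> <ca.pem> <max-ttl-seconds>
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "not signed by the expected CA"; return 1
  fi
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo "already expired"; return 1
  fi
  # -checkend N exits 0 only if the cert is still valid N seconds from now;
  # for a cert issued with lifetime TTL that must be false for N = TTL.
  if openssl x509 -in "$1" -noout -checkend "$3" >/dev/null; then
    echo "lifetime exceeds the issuer TTL of $3 seconds"; return 1
  fi
  echo ok
}

# Typical run (ca.pem is the CA certificate from the Prerequisites section):
#   d=$(mktemp -d); make_csr app.internal "$d"; issue_cert "$d"
#   check_cert "$d/client.pem" ca.pem "$TTL"
```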

Working with Certificates in the Console

Prerequisites

Creating a CA private key to sign the certificates:

  1. Log in to the Akeyless Console, and go to Secrets & Keys > New > Encryption Key > DFC.

  2. Define a Name of the key, and specify the Location as a path to the virtual folder where you want to create the new key, using slash / separators. If the folder does not exist, it will be created together with the key.

  3. Define the remaining parameters as follows:

  • Description: general description of the key (optional).

  • Tags: assign tags to the key (optional).

  • Delete Protection: When enabled, protects the secret from accidental deletion.

  • Type: The encryption algorithm used for the key.

  • Customer Fragment: If you have an existing customer fragment, you may attach it to the key. If you wish to generate one, please refer to these instructions.

Creating a Certificate Issuer

  1. Go to Secrets & Keys > New > PKI Cert Issuer

  2. Define a Name of the cert issuer, and specify the Location as a path to the virtual folder where you want to create it, using slash / separators. If the folder does not exist, it will be created together with the cert issuer.

  3. Define the remaining parameters as follows:

  • Description: General description of the cert issuer (optional).

  • Tags: Assign tags to the cert issuer (optional).

  • Delete Protection: When enabled, protects the secret from accidental deletion.

  • Signer Key: The name of the linked CA key you defined in advance (see Prerequisites above).

  • Certificate Lifetime in Seconds: The time (in seconds) to the expiration of the certificate.

  • Allowed domains list: Specify the allowed domains for the certificates issued.

  • Allowed URI sans: Specify the allowed URI for the certificates issued.

  4. The description for the advanced and location parameters can be found here.

Issuing a Certificate

To issue a TLS certificate using an existing PKI issuer through the console, go through the following steps:

  1. Go to the folder in which your certificate issuer is located and select it.

  2. Under the key details, you will see a button reading Generate PKI Certificate; tap it.

  3. Fill in the public key (PEM format), which can be either pasted in or uploaded from a file.

  4. Tap Generate; if all parameters are valid, you will get a certificate.
