SSH and PKI/TLS Certificates

Akeyless can act as a Certificate Authority (CA) for your internal environment, issuing short-lived SSH certificates and PKI/TLS certificates from a CA key it holds.

To issue certificates from the Akeyless CA, you need to:

  1. Create or upload a CA private key and a CA certificate to sign the certificates.

🚧 IMPORTANT

If you create the CA private key in the Akeyless Console, make sure it is a DFC (Distributed Fragments Cryptography) key.

To create a CA private key (RSA 2048), use the following command:

openssl genrsa -out ca_key.pem 2048

To create a self-signed CA certificate from that same key, valid for one year, use the following command:

openssl req -new -x509 -key ca_key.pem -days 365 -subj "/CN=Internal CA" -out ca.pem

The certificate must be signed by the key you upload in the next step, so do not let openssl req generate a second key (-newkey) here. Both files are written unencrypted: keep them on a path with restricted permissions and delete the local copy of ca_key.pem once it has been uploaded. You can confirm that the certificate carries basicConstraints CA:TRUE with openssl x509 -in ca.pem -noout -text.

To upload the CA private key and its certificate to Akeyless as a signing key, use the following command:

akeyless upload-rsa -n my_signing_key -p <Path\To\CAkey\ca_key.pem> -c <Path\To\CAcert\ca.pem> --alg RSA2048

A new RSA2048 key named my_signing_key was successfully uploaded
  2. Create a certificate issuer that defines the certificate template used to issue the certificates. Akeyless supports two types of certificates, SSH and PKI/TLS.

    • SSH Certificate Issuer: It enables you to issue short-lived SSH certificates per session for machine-to-machine and human-to-machine authentication. The issuer's allowed users, principals, extensions and TTL act as the policy for every certificate issued from it, so keep the TTL short and the allowed users list minimal.

To create an SSH Certificate Issuer, use the following command:

akeyless create-ssh-cert-issuer -n my_ssh_cert_issuer -s my_signing_key -a ubuntu -t 6000

The value of SSH certification my_ssh_cert_issuer was successfully created
  -n, --name                      *SSH certificate issuer name
  -s, --signer-key-name           *A key to sign the certificate with
  -a, --allowed-users             *Users allowed to fetch the certificate, e.g root,ubuntu
  -p, --principals                 Signed certificates with principal, e.g example_role1,example_role2
  -x, --extensions                 Signed certificates with extensions, e.g permit-port-forwarding=""
  -t, --ttl                       *The requested Time To Live for the certificate, in seconds
  -m, --metadata                   A metadata about the issuer
      --profile                    Use a specific profile from your akeyless/profiles/ folder
      --username                   Required only when the authentication process requires a username and password
      --password                   Required only when the authentication process requires a username and password
      --uid-token                  The universal identity token, Required only for universal_identity authentication
  -h, --help                       display help information
      --json[=false]               Set output format to JSON
      --no-creds-cleanup[=false]   Do not clean local temporary expired creds
    • PKI/TLS Certificate Issuer: It enables you to issue ephemeral TLS certificates for your workloads and network resources wherever TLS encryption of data in transit is required. The allowed domains, key usages and TTL on the issuer bound what clients can request.

To create a PKI/TLS Certificate Issuer, use the following command:

akeyless create-pki-cert-issuer -n my_pki_cert_issuer -s my_signing_key --allowed-domains my.domain.name --key-usage DigitalSignature --ttl 86400

The value of PKI certification my_pki_cert_issuer was successfully created
  -n, --name                                                       *PKI certificate issuer name
  -s, --signer-key-name                                            *A key to sign the certificate with
      --allowed-domains                                             A list of the allowed domains that clients can request to be included in the certificate (in a comma-delimited list)
      --allowed-uri-sans                                            A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list)
      --allow-subdomains                                            If set, clients can request certificates for subdomains and wildcard subdomains of the allowed domains
      --not-enforce-hostnames                                       If set, any names are allowed for CN and SANs in the certificate and not only a valid host name
      --allow-any-name                                              If set, clients can request certificates for any CN
      --not-require-cn                                              If set, clients can request certificates without a CN
      --server-flag                                                 If set, certificates will be flagged for server auth use
      --client-flag                                                 If set, certificates will be flagged for client auth use
      --code-signing-flag                                           If set, certificates will be flagged for code signing use
      --key-usage[=DigitalSignature,KeyAgreement,KeyEncipherment]   A comma-separated string or list of key usages
      --organization-units                                          A comma-separated list of organizational units (OU) that will be set in the issued certificate
      --organizations                                               A comma-separated list of organizations (O) that will be set in the issued certificate
      --country                                                     A comma-separated list of the country that will be set in the issued certificate
      --locality                                                    A comma-separated list of the locality that will be set in the issued certificate
      --province                                                    A comma-separated list of the province that will be set in the issued certificate
      --street-address                                              A comma-separated list of the street address that will be set in the issued certificate
      --postal-code                                                 A comma-separated list of the postal code that will be set in the issued certificate
  -t, --ttl                                                        *The requested Time To Live for the certificate, in seconds
  -m, --metadata                                                    A metadata about the issuer
      --profile                                                     Use a specific profile from your akeyless/profiles/ folder
      --username                                                    Required only when the authentication process requires a username and password
      --password                                                    Required only when the authentication process requires a username and password
      --uid-token                                                   The universal identity token, Required only for universal_identity authentication
  -h, --help                                                        display help information
      --json[=false]                                                Set output format to JSON
      --no-creds-cleanup[=false]                                    Do not clean local temporary expired creds
  3. Issue a new certificate using a Certificate Issuer.

    • To issue and sign a new SSH certificate, use the following command. The username passed with -s must be one of the issuer's allowed users, and -p points at the public key to be certified, never the private key:

akeyless get-ssh-certificate -c my_ssh_cert_issuer -s allowed_users_username -p /Path/To/SSH/Public/Key -o ssh-certificate

    • To issue and sign a new PKI/TLS certificate, use the following command. The common name must fall within the issuer's allowed domains:

akeyless get-pki-certificate -c my_pki_cert_issuer -k /Path/To/Your/Private/Key --common-name my.domain.name -o pki-certificate.pem
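The file that get-ssh-certificate writes is a standard OpenSSH certificate, and its principals, validity window and extensions are exactly what the issuer template and the request produced. The following Python script is added here as an example and is not Akeyless code or part of the original page: it parses that file with the standard library only and lists every way the certificate is broader than the template you expect (users, TTL in seconds, extensions). The function names are this example's own, and the sample certificate it builds is constructed in-process with dummy keys and a placeholder signature, so it parses but would not verify; signature verification stays with sshd (ssh-keygen -L -f ssh-certificate shows the same fields interactively).

```python
"""Check an OpenSSH certificate against the issuer template it came from.

Parses the one-line certificate written by `akeyless get-ssh-certificate -o ...`
(OpenSSH PROTOCOL.certkeys format) and compares principals, validity window and
extensions with the issuer's -a / -t / -x settings. Stdlib only; signature
verification is left to sshd. The sample certificate is constructed, not real."""
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # type field: 1 = user certificate, 2 = host certificate


def _s(b: bytes) -> bytes:
    """Encode an SSH string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _name_list(names, with_data=False):
    """Principals are a string of strings; extensions/options are name+data pairs."""
    data = _s(b"") if with_data else b""
    return _s(b"".join(_s(n.encode()) + data for n in names))


def build_cert(key_id, principals, valid_after, valid_before, extensions):
    """Constructed sample certificate (dummy subject key, CA key and signature)."""
    body = (
        _s(CERT_TYPE.encode())
        + _s(b"\x00" * 32) + _s(b"\x11" * 32)      # nonce, subject ed25519 key (dummy)
        + struct.pack(">QI", 7, USER_CERT)         # serial, type
        + _s(key_id.encode())
        + _name_list(principals)                   # valid principals
        + struct.pack(">QQ", valid_after, valid_before)
        + _name_list([], with_data=True)           # critical options (none)
        + _name_list(extensions, with_data=True)
        + _s(b"")                                  # reserved
        + _s(_s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x22" * 256))  # CA key (dummy)
        + _s(b"\x33" * 256)                        # placeholder signature
    )
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} constructed-sample"


class _Reader:
    def __init__(self, data): self.data, self.pos = data, 0

    def num(self, fmt):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def s(self):
        n, start = self.num(">I"), self.pos
        self.pos += n
        return self.data[start:self.pos]

    def names(self, with_data=False):
        out = []
        while self.pos < len(self.data):
            out.append(self.s().decode())
            if with_data:
                self.s()  # flag data; empty for the permit-* extensions
        return out


def parse_cert(line):
    """Return the policy-relevant fields of a one-line OpenSSH certificate."""
    ctype, b64 = line.split()[:2]
    if ctype != CERT_TYPE:
        raise ValueError(f"unsupported certificate type: {ctype}")
    r = _Reader(base64.b64decode(b64))
    _, _, _ = r.s(), r.s(), r.s()  # type string (repeated in blob), nonce, subject key
    return {
        "serial": r.num(">Q"),
        "type": r.num(">I"),
        "key_id": r.s().decode(),
        "principals": _Reader(r.s()).names(),
        "valid_after": r.num(">Q"),
        "valid_before": r.num(">Q"),
        "critical_options": _Reader(r.s()).names(with_data=True),
        "extensions": _Reader(r.s()).names(with_data=True),
    }


def check_against_issuer(cert, allowed_users, ttl_seconds, allowed_extensions):
    """List every way the certificate is broader than the issuer template allows."""
    problems = []
    if not cert["principals"]:
        problems.append("empty principals: OpenSSH treats this as valid for ANY user")
    extra = sorted(set(cert["principals"]) - set(allowed_users))
    if extra:
        problems.append(f"principals outside the allowed users: {extra}")
    lifetime = cert["valid_before"] - cert["valid_after"]
    if lifetime > ttl_seconds:
        problems.append(f"lifetime {lifetime}s exceeds the issuer TTL of {ttl_seconds}s")
    extra_ext = sorted(set(cert["extensions"]) - set(allowed_extensions))
    if extra_ext:
        problems.append(f"extensions beyond the template: {extra_ext}")
    return problems
```

Run it against a real issued file with check_against_issuer(parse_cert(open("ssh-certificate").read()), ["ubuntu"], 6000, ["permit-pty"]); an empty result means the certificate is no broader than the template. The empty-principals finding is deliberate: OpenSSH treats a certificate with no principals as valid for any user, which is the opposite of what a per-user issuer is meant to produce.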
