PKI/TLS Certificates

Introduction

Akeyless can act as a Certificate Authority (CA) for your internal environment. This page covers PKI/TLS certificates; to create and work with SSH certificates, please follow this link.

Working with Certificates in the CLI

To start building your own chain of trust with the Akeyless PKI Issuer, you can either bring your own CA certificate together with its RSA signing key, or generate the CA certificate as part of creating the signing key.

To use an existing key, upload your RSA private key together with its certificate, so that certificates issued from it chain to your existing root of trust, using the following command:

akeyless upload-rsa --name <RSA-key-name> \
--alg <RSA2048> \
--rsa-key-file-path <Path-to-RSA.pem> \
-c <Path-To-Cert>

Alternatively, you can create a new RSA key with a self-signed certificate:

akeyless create-dfc-key --name <RSA-key-name> \
--alg <RSA2048> \
--generate-self-signed-certificate true \
--certificate-ttl 365 \
--certificate-common-name AkeylessCA 

You can find the complete list of parameters for this command in the CLI-Reference-Encryption-Keys section.

Tip

You can also use a Classic Key to generate a signing key with a self-signed certificate.

Creating a Certificate Issuer

A PKI Issuer enables you to issue ephemeral certificates for your workloads and network resources whenever TLS encryption in transit is required. The PKI Issuer defines the certificate template from which certificates are issued. The following command creates a new PKI Issuer in the Akeyless Platform with its ancillary data:

akeyless create-pki-cert-issuer \
--name <my_pki_cert_issuer> \
--signer-key-name <RSA-key-name> \
--ttl 86400 \
--destination-path /path/to/store/issued/certificates \
--expiration-event-in 30

Where:

  • -n, --name: The name assigned to the new Cert Issuer
  • -s, --signer-key-name: The CA private key (with its root certificate) used to sign the issued certificates
  • -t, --ttl: The time (in seconds) until the issued certificate expires
  • --destination-path: A path in Akeyless where generated certificates are saved, so that they work with automatic expiration events.
  • -e, --expiration-event-in: How many days before the certificate expires you want to be notified. To define multiple events, pass the argument multiple times: --expiration-event-in 30 --expiration-event-in 60 produces events 60 and 30 days in advance.

For additional optional parameters, such as flags and allowed domains, please check the CLI Reference.

Automatically store issued certificates

Set the PKI Issuer item to automatically store every issued certificate, with default expiration events, to fully automate your PKI environment.

Creating a Certificate Signing Request

You can generate a Certificate Signing Request in Akeyless and then use it to issue a new certificate in Akeyless through the PKI Issuer.

It is possible to either use an existing Classic Key or create a new one.

Generate a new Certificate Signing Request:

akeyless generate-csr \
--name <path/to/Classic-Key> \
--generate-key \
--alg <RSA1024> \
--common-name <common name to be included in the CSR certificate>

Where:

  • -n, --name: Full path to the Classic Key that will sign the CSR
  • -g, --generate-key: Use this flag to generate a new Classic Key to sign the CSR; a name must be specified for the new key
  • -a, --alg: Algorithm to use for generating the new key (RSA1024, RSA2048, RSA3072, RSA4096, EC256, EC384)
  • -c, --common-name: Common name to be included in the CSR certificate
  • --certificate-type: Certificate type to be included in the CSR certificate (ssl-client/ssl-server/certificate-signing)

For additional optional parameters, such as flags and certificate data, please check the CLI Reference.

Issuing a Certificate

To issue and sign a new PKI/TLS certificate, use the following command:

akeyless get-pki-certificate \
--cert-issuer-name <my_pki_cert_issuer> \
--key-file-path <path to public/private key> \
--csr-file-path <path to CSR file> \
--outfile pki-certificate.pem

Where:

  • -c, --cert-issuer-name: (Mandatory) The name of the PKI certificate issuer
  • -k, --key-file-path: Path to the client public or private key file (PEM format); if a private key is given, it is used only to extract the public key
  • --csr-file-path: Alternatively, the path to the Certificate Signing Request file from which to generate the certificate
  • -o, --outfile: Output file path for the certificate. If not provided, the certificate file is created next to the provided public key, with the -cert extension

For alternative and additional parameters, please see the command reference.
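The CLI workflow described above (CA signing key, PKI Issuer, local key pair or Akeyless-generated CSR, certificate issuance), collected into one script as an added example; it is not Akeyless's own code. It adds a sanity check the page does not state explicitly: an expiration event of N days can only fire ahead of expiry when N is shorter than the certificate TTL (the 86400-second TTL shown above is one day, so a 30-day event on that issuer would never fire in advance). Key names, paths, TTLs and common names are constructed; the CA certificate file used for openssl verify, and the assumption that generate-csr writes the CSR to stdout, do not come from this page and should be checked against the CLI reference.

```shell
#!/bin/sh
# Added example (not Akeyless's own code): the CLI workflow on this page as
# one script, plus two small helpers for the issuer's expiration events.
# Every name, path and TTL below is constructed for illustration.
set -eu

CA_KEY="${CA_KEY:-/pki/internal-root-ca}"      # DFC signing key with self-signed root
CA_CN="${CA_CN:-Internal Root CA}"
ISSUER="${ISSUER:-/pki/web-server-issuer}"
DEST_PATH="${DEST_PATH:-/pki/issued}"          # where Akeyless stores issued certs
LEAF_TTL="${LEAF_TTL:-2592000}"                # 30 days, in seconds
EVENT_DAYS="${EVENT_DAYS:-7 14}"               # notify 14 and 7 days before expiry
CSR_KEY="${CSR_KEY:-/pki/web-server-classic-key}"
CA_CERT_PEM="${CA_CERT_PEM:-ca.pem}"           # CA cert exported from the key (assumed)
WORK="${WORK:-.}"

# Print one --expiration-event-in flag per day value, e.g. "30 60" ->
# "--expiration-event-in 30 --expiration-event-in 60".
expiration_flags() {
  out=""
  for d in "$@"; do
    out="$out --expiration-event-in $d"
  done
  printf '%s' "${out# }"
}

# Sanity check: an expiration event can only fire before expiry if its lead
# time (days) is shorter than the certificate TTL. Reports each offending
# value and returns 1 (e.g. a 30-day event on an 86400-second TTL).
check_expiration_events() {
  ttl_seconds=$1; shift
  ttl_days=$((ttl_seconds / 86400))
  rc=0
  for d in "$@"; do
    if [ "$d" -ge "$ttl_days" ]; then
      echo "expiration event ${d}d is not before the ${ttl_days}d TTL" >&2
      rc=1
    fi
  done
  return $rc
}

# Full workflow: CA key -> issuer -> local key pair -> certificate -> verify.
# The leaf private key is generated with openssl and never leaves the host;
# only its public key is sent to Akeyless.
issue_workflow() {
  akeyless create-dfc-key --name "$CA_KEY" --alg RSA2048 \
    --generate-self-signed-certificate true \
    --certificate-ttl 365 --certificate-common-name "$CA_CN"

  check_expiration_events "$LEAF_TTL" $EVENT_DAYS
  # shellcheck disable=SC2046  (word splitting of the flag list is intended)
  akeyless create-pki-cert-issuer --name "$ISSUER" --signer-key-name "$CA_KEY" \
    --ttl "$LEAF_TTL" --destination-path "$DEST_PATH" $(expiration_flags $EVENT_DAYS)

  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/leaf-key.pem"
  openssl pkey -in "$WORK/leaf-key.pem" -pubout -out "$WORK/leaf-pub.pem"
  akeyless get-pki-certificate --cert-issuer-name "$ISSUER" \
    --key-file-path "$WORK/leaf-pub.pem" --outfile "$WORK/leaf-cert.pem"

  # Confirm the leaf chains to the CA and inspect its validity window.
  openssl verify -CAfile "$CA_CERT_PEM" "$WORK/leaf-cert.pem"
  openssl x509 -in "$WORK/leaf-cert.pem" -noout -subject -enddate
}

# Variant for the CSR path: Akeyless generates the key as a Classic Key and
# builds the CSR. Writing the CSR to stdout is an assumption, not something
# this page states; check the CLI reference for the actual output option.
issue_via_csr() {
  akeyless generate-csr --name "$CSR_KEY" --generate-key --alg RSA2048 \
    --common-name "web.internal.example" --certificate-type ssl-server \
    > "$WORK/leaf.csr"
  akeyless get-pki-certificate --cert-issuer-name "$ISSUER" \
    --csr-file-path "$WORK/leaf.csr" --outfile "$WORK/leaf-cert.pem"
}

# Only talk to Akeyless when explicitly asked; sourcing the file just
# defines the helpers.
if [ "${AKEYLESS_RUN:-0}" = 1 ]; then
  issue_workflow
fi
```

Run it with AKEYLESS_RUN=1 after logging in with the akeyless CLI; without that variable the file can be sourced to reuse the helpers. The openssl verify step is the check worth keeping in any automation: it proves the issued certificate actually chains to the CA you intended, and the -enddate output lets you confirm the TTL and expiration events line up.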

Working with Certificates in the Console

Prerequisites

Creating a CA private key and root certificate to build your chain of trust:

  1. Log in to the Akeyless Console, and go to Secrets & Keys > New > Encryption Key > DFC.

  2. Define a Name of the key, and specify the Location as a path to the virtual folder where you want to create the new key, using slash / separators. If the folder does not exist, it will be created together with the key.

  3. Define the remaining parameters as follows:

  • Description: general description of the key (optional).

  • Tags: assign tags to the key (optional).

  • Delete Protection: When enabled, protects the key from accidental deletion.

  • Type: The encryption algorithm used for the key.

  • Customer Fragment: If you have an existing customer fragment, you may attach it to the key. If you wish to generate one, please refer to these instructions.

  • Generate-Self-Signed-Certificate: Enable this option to generate your root CA certificate as part of the key creation.

Creating a Certificate Issuer

  1. Go to Secrets & Keys > New > PKI Cert Issuer

  2. Define a Name of the cert issuer, and specify the Location as a path to the virtual folder where you want to create it, using slash / separators. If the folder does not exist, it will be created together with the cert issuer.

  3. Define the remaining parameters as follows:

  • Description: General description of the cert issuer (optional).

  • Tags: Assign tags to the cert issuer (optional).

  • Delete Protection: When enabled, protects the cert issuer from accidental deletion.

  • Signer Key: The name of the signer key you defined in advance.

  • Certificate TTL: The time to the expiration of the certificate.

  • Allowed domains list: Specify the allowed domains for the certificates issued.

  • Allowed URI sans: Specify the allowed URI for the certificates issued.

  4. The description of the advanced and location parameters can be found here.

Issuing a Certificate

To issue a TLS certificate from an existing PKI Issuer through the Console, go through the following steps:

  1. Go to the folder in which your certificate issuer is located and select it.

  2. Under the item details, click the Generate PKI Certificate button.

  3. Fill in the public key (PEM format), either pasted in or uploaded from a file.

  4. Click Generate; if all parameters are valid, the certificate is returned.
