iagctl cert-gen
06 Jun 2025

The cert-gen command provides a flexible way to generate certificates for:

  • Secure communication between a gateway server and client.
  • Secure communication between gateway server and runners.

TLS ensures secure communication channels between the gateway gRPC clients and servers. Securing data transmitted over the network is crucial when dealing with sensitive information. The cert-gen command simplifies the process of generating and managing TLS certificates when you set up gateway servers.

While Itential provides this utility for convenience, you don't have to use it to generate your certificates.

  • You can configure certificates on the gateway server using the configuration variables GATEWAY_SERVER_PRIVATE_KEY_FILE and GATEWAY_SERVER_CERTIFICATE_FILE.

  • You can configure gateway client certificates using GATEWAY_CLIENT_PRIVATE_KEY_FILE
    and GATEWAY_CLIENT_CERTIFICATE_FILE.

  • Runners require keys to act as servers in distributed mode. You can configure them using
    GATEWAY_RUNNER_PRIVATE_KEY_FILE and GATEWAY_RUNNER_CERTIFICATE_FILE.

When you use cert-gen, it creates a Certificate Authority (CA) certificate that signs the other certificates. You set this at the application level using GATEWAY_APPLICATION_CA_CERTIFICATE_FILE.

When generating server, client, or runner certificates, the system reads the ca.pem file from the current directory or from the --output flag if you set it.

The cert-gen command offers extensive customization options. You can specify details such as country, locality, organization, organizational unit, state, common name, expiry period, key algorithm, and key size for your certificates.

Examples

Generate CA certificate

iagctl cert-gen ca \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn "My Company CA" \
--expiry 730 \
--key-algo rsa \
--key-size 4096

Generate server certificates

iagctl cert-gen server \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn server.example.com \
--name server1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048

Generate client certificates

iagctl cert-gen client \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn client@example.com \
--name client1 \
--expiry 365 \
--key-algo rsa \
--key-size 2048

Generate runner certificates

iagctl cert-gen runner \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn runner.example.com \
--name runner1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048

Command options

The following options are available for all certificate types.

Option       Description                                                              Default
--country    Country for the certificate.                                             "US"
--locality   Locality for the certificate.                                            "Atlanta"
--org        Organization for the certificate.                                        "Automation"
--ou         Organizational Unit for the certificate.                                 "Development"
--state      State for the certificate.                                               "Georgia"
--cn         Common Name for the certificate.
--expiry     Number of days until the certificate expires.                            365
--key-algo   Key algorithm (rsa, ecdsa).                                              rsa
--key-size   Key size in bits.                                                        2048
--output     Output directory for the certificates.                                   "."
--name       Name for the certificate files.
--sans       Subject Alternative Names (SANs) for the certificate (comma-separated).

The --sans option is particularly useful for server and runner certificates, allowing you to specify additional hostnames or IP addresses for which the certificate is valid. A TLS client connecting to a gateway server or runner matches the name or address it dialed against the SANs, so a server or runner certificate that lacks the hostname or IP the peers actually use will fail verification even though it was signed by the CA.
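The checks below are an added example, not part of iagctl or its documentation. They verify what the procedure above is meant to produce: a server (or runner) certificate that chains to the ca.pem in the --output directory, carries the SANs the peers will connect to, has enough validity left, and matches its private key. Because the page names only ca.pem, the server file names used here (server1.pem, server1-key.pem) are assumptions; adjust them to whatever --name produces in your output directory. The make_demo_pki function is a constructed stand-in for `iagctl cert-gen ca` followed by `iagctl cert-gen server --name server1 --sans "localhost,127.0.0.1"`, built with plain openssl so the checks run offline without iagctl installed.

```shell
#!/bin/sh
# Added verification script (not part of iagctl or its docs). It checks the
# files cert-gen leaves in the --output directory before the gateway loads
# them. ca.pem is the name the docs give; server1.pem / server1-key.pem are
# assumed names for this demo.
set -eu

# check_cert DIR CERT KEY SAN MIN_DAYS
#   1. DIR/CERT chains to DIR/ca.pem, the CA that cert-gen reads from --output
#   2. SAN (a hostname or IP) appears in the Subject Alternative Name extension
#   3. CERT stays valid for at least MIN_DAYS more days
#   4. DIR/KEY is the private key belonging to CERT (public keys must match)
check_cert() {
  dir=$1 cert=$2 key=$3 san=$4 min_days=$5
  openssl verify -CAfile "$dir/ca.pem" "$dir/$cert" >/dev/null 2>&1 \
    || { echo "FAIL $cert: not issued by $dir/ca.pem"; return 1; }
  openssl x509 -in "$dir/$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -Fq "$san" \
    || { echo "FAIL $cert: SAN $san missing"; return 1; }
  openssl x509 -in "$dir/$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL $cert: expires within $min_days days"; return 1; }
  cert_pub=$(openssl x509 -in "$dir/$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL $cert: $key does not match the certificate"; return 1; }
  echo "OK   $cert"
}

# make_demo_pki DIR: constructed stand-in for `iagctl cert-gen ca` followed by
# `iagctl cert-gen server --name server1 --sans "localhost,127.0.0.1"`. It is
# here only so the checks above have something to run against offline.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  # Minimal req config so the CA gets explicit CA:TRUE / keyCertSign extensions
  # regardless of the system openssl.cnf.
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed CA, 730 days, using the docs' default subject fields.
  openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -days 730 \
    -subj "/C=US/ST=Georgia/L=Atlanta/O=Automation/OU=Development/CN=Demo CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
  # Server key + CSR, then a 365-day leaf signed by the CA with the SANs from
  # the docs' server example.
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=Georgia/L=Atlanta/O=Automation/OU=Development/CN=server.example.com" \
    -keyout "$dir/server1-key.pem" -out "$dir/server1.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
    > "$dir/server1.ext"
  openssl x509 -req -in "$dir/server1.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 365 -extfile "$dir/server1.ext" \
    -out "$dir/server1.pem" >/dev/null 2>&1
}

# Stand-alone run: build the demo PKI in a temp directory and check the server
# certificate for both SANs with a 30-day expiry margin.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_cert "$demo" server1.pem server1-key.pem localhost 30
check_cert "$demo" server1.pem server1-key.pem 127.0.0.1 30
```

Against a real cert-gen output directory, drop the demo lines at the bottom and call check_cert with the directory you passed to --output, the file names --name produced, each hostname or IP in --sans, and the expiry margin your rotation process needs; a non-zero exit from any check is the signal to regenerate before the gateway or runner is started with those files.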

Certificate options

These options provide granular control over the certificate generation process, allowing you to tailor the certificates to your specific needs and security requirements.

      --cn string         Common Name for the certificate
      --country string    Country for the certificate (default "US")
      --expiry int        Number of days until the certificate expires (default 365)
  -h, --help              help for cert-gen
      --key-algo string   Key algorithm (rsa, ecdsa) (default "rsa")
      --key-size int      Key size in bits (default 2048)
      --locality string   Locality for the certificate (default "Atlanta")
      --name string       Name for the certificate files
      --org string        Organization for the certificate (default "Automation")
      --ou string         Organizational Unit for the certificate (default "Development")
      --output string     Output directory for the certificates (default ".")
      --sans strings      Subject Alternative Names (SANs) for the certificate
      --state string      State for the certificate (default "Georgia")

Options inherited from parent commands

      --config string   Path to the configuration file
      --raw             Displays the result of the command in its raw format
      --verbose         Enable verbose output
