iagctl cert-gen

Generate certificates for secure communication between gateway nodes.

The iagctl cert-gen command generates TLS certificates for secure communication between gateway servers, clients, and runners. TLS secures data transmitted over the network, which is critical when handling sensitive information.

While Itential provides this utility for convenience, you can use any method to generate your certificates. For more information, see Create certificates.

Syntax

$ iagctl cert-gen <type> [flags]

Where <type> is one of: ca, server, client, or runner.

How cert-gen works

Run cert-gen ca first: it creates a Certificate Authority (CA) certificate that is used to sign the server, client, and runner certificates. Point the gateway at that CA certificate at the application level with GATEWAY_APPLICATION_CA_CERTIFICATE_FILE.

When you then generate server, client, or runner certificates, the command reads the ca.pem file from the current directory, or from the directory you specify with the --output flag, and signs the new certificate with that CA.

Examples

Generate a CA certificate

$ iagctl cert-gen ca \
> --output /path/to/output/dir \
> --country US \
> --locality "San Francisco" \
> --org "My Company" \
> --ou "IT Department" \
> --state California \
> --cn "My Company CA" \
> --expiry 730 \
> --key-algo rsa \
> --key-size 4096

Generate server certificates

$ iagctl cert-gen server \
> --output /path/to/output/dir \
> --country US \
> --locality "San Francisco" \
> --org "My Company" \
> --ou "IT Department" \
> --state California \
> --cn server.example.com \
> --name server1 \
> --sans "localhost,127.0.0.1" \
> --expiry 365 \
> --key-algo rsa \
> --key-size 2048

Generate client certificates

$ iagctl cert-gen client \
> --output /path/to/output/dir \
> --country US \
> --locality "San Francisco" \
> --org "My Company" \
> --ou "IT Department" \
> --state California \
> --cn client@example.com \
> --name client1 \
> --expiry 365 \
> --key-algo rsa \
> --key-size 2048

Generate runner certificates

$ iagctl cert-gen runner \
> --output /path/to/output/dir \
> --country US \
> --locality "San Francisco" \
> --org "My Company" \
> --ou "IT Department" \
> --state California \
> --cn runner.example.com \
> --name runner1 \
> --sans "localhost,127.0.0.1" \
> --expiry 365 \
> --key-algo rsa \
> --key-size 2048
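Before distributing the generated files, it is worth confirming that each leaf certificate actually chains to ca.pem, is valid for the hostname or IP that peers will connect to (the --cn or one of the --sans values), is not close to expiry, and carries a key at least as strong as the defaults above. The check below is an added example written with the openssl CLI, not part of iagctl; the function name verify_gateway_cert, the fixture builder make_fixture, and the server1.pem / server1.key filenames are assumptions, and the fixture certificates are constructed here only because real cert-gen output is not available offline.

```shell
#!/bin/sh
# Post-generation check for cert-gen output (added example, not part of iagctl).
# Assumes ca.pem is the CA written by "cert-gen ca"; the leaf filename is
# whatever cert-gen wrote for the given --name.
# Return codes: 0 ok, 1 chain/hostname failure, 2 expiring soon, 3 weak key.
verify_gateway_cert() {
  ca="$1" leaf="$2" host="$3" min_days="${4:-30}"
  # 1. Chain: the leaf must be signed by our CA and valid for the peer hostname.
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$leaf" >/dev/null 2>&1 || return 1
  # 2. Expiry: fail if the cert expires within min_days so rotation can be
  #    scheduled before the gateway starts refusing connections.
  openssl x509 -in "$leaf" -noout -checkend "$((min_days * 86400))" >/dev/null || return 2
  # 3. Key strength: at least 2048-bit RSA (the cert-gen default) or 256-bit EC.
  txt=$(openssl x509 -in "$leaf" -noout -text)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  case "$txt" in
    *rsaEncryption*)  [ "${bits:-0}" -ge 2048 ] || return 3 ;;
    *id-ecPublicKey*) [ "${bits:-0}" -ge 256 ]  || return 3 ;;
    *) return 3 ;;
  esac
  return 0
}

# Constructed fixtures standing in for cert-gen output: a throwaway CA and a
# server cert signed by it, both made with openssl (hypothetical helper).
make_fixture() {
  dir="$1" ca_cn="$2" sans="$3" days="$4"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$ca_cn" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.com" \
    -keyout "$dir/server1.key" -out "$dir/server1.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\n' "$sans" >"$dir/ext.cnf"
  openssl x509 -req -in "$dir/server1.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/ext.cnf" \
    -out "$dir/server1.pem" >/dev/null 2>&1
}
```

Run it against a real output directory as `verify_gateway_cert /path/to/output/dir/ca.pem /path/to/output/dir/<leaf>.pem server.example.com 30` and treat any non-zero exit as a reason not to deploy the file.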

Options

The following options apply to all certificate types.

  --cn string         Common Name for the certificate
  --country string    Country for the certificate (default "US")
  --expiry int        Number of days until the certificate expires (default 365)
  -h, --help          Help for cert-gen
  --key-algo string   Key algorithm: rsa or ecdsa (default "rsa")
  --key-size int      Key size in bits (default 2048)
  --locality string   Locality for the certificate (default "Atlanta")
  --name string       Name for the certificate files
  --org string        Organization for the certificate (default "Automation")
  --ou string         Organizational Unit for the certificate (default "Development")
  --output string     Output directory for the certificates (default ".")
  --sans strings      Subject Alternative Names for the certificate, comma-separated. Useful for server and runner certificates to specify additional valid hostnames or IP addresses.
  --state string      State for the certificate (default "Georgia")

Options inherited from parent commands

  --config string     Path to the configuration file
  --raw               Display the result of the command in raw format
  --verbose           Enable verbose output