cert-gen
  • 29 Oct 2024
  • Dark
    Light
  • PDF

cert-gen

  • Dark
    Light
  • PDF

Article summary

iagctl cert-gen

Generate TLS certificates for CA, server, client, and runner

Synopsis

The cert-gen command provides a flexible and comprehensive way to generate certificates for:

  • Secure communication between a gateway server and client.
  • Secure communication between gateway server and runners.

TLS ensures secure communication channels between the gateway gRPC clients and servers. Securing data transmitted over the network is crucial when dealing with sensitive information. The cert-gen command simplifies the process of generating and managing TLS certificates when setting up gateway servers. While this utility is provided for convenience, it is not mandatory to use it for generating certificates used by gateway; users are welcomed to use other means within their environment.

  • Certificates can be configured on the gateway server using the configuration variables GATEWAY_SERVER_PRIVATE_KEY_FILE and GATEWAY_SERVER_CERTIFICATE_FILE.

  • Gateway client certificates can be configured via GATEWAY_CLIENT_PRIVATE_KEY_FILE
    and GATEWAY_CLIENT_CERTIFICATE_FILE.

  • Runners require keys to act as servers in distributed mode; they are configured using
    GATEWAY_RUNNER_PRIVATE_KEY_FILE and GATEWAY_RUNNER_CERTIFICATE_FILE.

A CA certificate is created when using this tool, which is used to sign the other certificates. This is set at the application level using GATEWAY_APPLICATION_CA_CERTIFICATE_FILE.

When generating server/client/runner certificates, the ca.pem file will be read in from the current directory or the --output flag if set.

The cert-gen command offers extensive customization options, allowing you to specify details such as country, locality, organization, organizational unit, state, common name, expiry period, key algorithm, and key size for your certificates.

Examples

Generate CA Certificate

>_ iagctl cert-gen ca \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn "My Company CA" \
--expiry 730 \
--key-algo rsa \
--key-size 4096

Generate Server Certificates

>_ iagctl cert-gen server \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn server.example.com \
--name server1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048

Generate Client Certificates

>_ iagctl cert-gen client \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn client@example.com \
--name client1 \
--expiry 365 \
--key-algo rsa \
--key-size 2048

Generate Runner Certificates

>_ iagctl cert-gen runner \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn runner.example.com \
--name runner1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048

Command Options

The following options are available for all certificate types.

Option Description Default
--country Country for the certificate. "US"
--locality Locality for the certificate. "Atlanta"
--org Organization for the certificate. "Automation"
--ou Organizational Unit for the certificate. "Development"
--state State for the certificate. "Georgia"
--cn Common Name for the certificate.
--expiry Number of days until the certificate expires. 365
--key-algo Key algorithm (rsa, ecdsa). rsa
--key-size Key size in bits. 2048
--output Output directory for the certificates. "."
--name Name for the certificate files.
--sans Subject Alternative Names (SANs) for the certificate (comma-separated).

The --sans option is particularly useful for server and runner certificates, allowing you to specify additional hostnames or IP addresses which are valid for the certificate.

Certificate Options

These options provide granular control over the certificate generation process, allowing you to tailor the certificates to your specific needs and security requirements.

      --cn string         Common Name for the certificate
      --country string    Country for the certificate (default "US")
      --expiry int        Number of days until the certificate expires (default 365)
  -h, --help              help for cert-gen
      --key-algo string   Key algorithm (rsa, ecdsa) (default "rsa")
      --key-size int      Key size in bits (default 2048)
      --locality string   Locality for the certificate (default "Atlanta")
      --name string       Name for the certificate files
      --org string        Organization for the certificate (default "Automation")
      --ou string         Organizational Unit for the certificate (default "Development")
      --output string     Output directory for the certificates (default ".")
      --sans strings      Subject Alternative Names (SANs) for the certificate
      --state string      State for the certificate (default "Georgia")

Options Inherited from Parent Commands

      --config string   Path to the configuration file
      --raw             Displays the result of the command in its raw format
      --verbose         Enable verbose output

CLI References

See related cert-gen commands:

For all CLI commands see → Command References Index


Was this article helpful?

What's Next
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.