cert-gen
Updated on 12 Nov 2024
iagctl cert-gen
Generate TLS certificates for CA, server, client, and runner
Synopsis
The cert-gen command provides a flexible and comprehensive way to generate certificates for:
- Secure communication between a gateway server and client.
- Secure communication between a gateway server and runners.
TLS ensures secure communication channels between the gateway gRPC clients and servers. Securing data transmitted over the network is crucial when dealing with sensitive information. The cert-gen command simplifies the process of generating and managing TLS certificates when setting up gateway servers. While this utility is provided for convenience, it is not mandatory to use it for generating the certificates used by gateway; users are welcome to use other means within their environment.
- Certificates can be configured on the gateway server using the configuration variables GATEWAY_SERVER_PRIVATE_KEY_FILE and GATEWAY_SERVER_CERTIFICATE_FILE.
- Gateway client certificates can be configured via GATEWAY_CLIENT_PRIVATE_KEY_FILE and GATEWAY_CLIENT_CERTIFICATE_FILE.
- Runners require keys to act as servers in distributed mode; they are configured using GATEWAY_RUNNER_PRIVATE_KEY_FILE and GATEWAY_RUNNER_CERTIFICATE_FILE.
A CA certificate is created when using this tool, and it is used to sign the other certificates. It is set at the application level using GATEWAY_APPLICATION_CA_CERTIFICATE_FILE.
When generating server, client, or runner certificates, the ca.pem file is read from the current directory, or from the directory given by the --output flag if it is set.
The cert-gen command offers extensive customization options, allowing you to specify details such as country, locality, organization, organizational unit, state, common name, expiry period, key algorithm, and key size for your certificates.
Examples
Generate CA Certificate
```
>_ iagctl cert-gen ca \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn "My Company CA" \
--expiry 730 \
--key-algo rsa \
--key-size 4096
```
Generate Server Certificates
```
>_ iagctl cert-gen server \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn server.example.com \
--name server1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048
```
Generate Client Certificates
```
>_ iagctl cert-gen client \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn client@example.com \
--name client1 \
--expiry 365 \
--key-algo rsa \
--key-size 2048
```
Generate Runner Certificates
```
>_ iagctl cert-gen runner \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn runner.example.com \
--name runner1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048
```
Command Options
The following options are available for all certificate types.
| Option | Description | Default |
|---|---|---|
| --country | Country for the certificate. | "US" |
| --locality | Locality for the certificate. | "Atlanta" |
| --org | Organization for the certificate. | "Automation" |
| --ou | Organizational Unit for the certificate. | "Development" |
| --state | State for the certificate. | "Georgia" |
| --cn | Common Name for the certificate. | |
| --expiry | Number of days until the certificate expires. | 365 |
| --key-algo | Key algorithm (rsa, ecdsa). | rsa |
| --key-size | Key size in bits. | 2048 |
| --output | Output directory for the certificates. | "." |
| --name | Name for the certificate files. | |
| --sans | Subject Alternative Names (SANs) for the certificate (comma-separated). | |
The --sans option is particularly useful for server and runner certificates, allowing you to specify additional hostnames or IP addresses for which the certificate is valid.
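The synopsis above describes a CA certificate (ca.pem) that signs the server, client, and runner certificates, and the --sans note explains that server and runner certificates need SANs for every hostname or IP address clients will connect to. The script below is an added example and is not part of iagctl or its documentation: it builds a throwaway CA and server certificate with openssl in the same layout (the CA's ca.pem signing a leaf certificate that carries SANs), then runs the checks an operator should perform before pointing GATEWAY_APPLICATION_CA_CERTIFICATE_FILE and GATEWAY_SERVER_CERTIFICATE_FILE at the files: the leaf chains to the intended CA and to no other, the SAN list contains the names clients will use, and the expiry leaves a comfortable margin. All file names, subject values and the helper names make_demo_pki, verify_chain, cert_has_san and cert_valid_for_days are constructed for this example; openssl is the only requirement.

```shell
#!/bin/sh
# Added example, not part of iagctl: build a demo CA + server certificate
# with openssl in the layout cert-gen uses (ca.pem signs the leaf), then run
# the checks an operator wants before wiring the files into the gateway.
# All paths, subjects and helper names are constructed for this demo.
set -e

# Write ca.pem/ca-key.pem and server.pem/server-key.pem into directory $1.
# $2 = CA common name (optional), $3 = server DNS name (optional).
make_demo_pki() {
  dir=$1; ca_cn=${2:-Demo Gateway CA}; srv=${3:-server.example.com}
  mkdir -p "$dir"
  # Own config so the demo does not depend on the system openssl.cnf.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
C = US
ST = Georgia
L = Atlanta
O = Automation
OU = Development
CN = $ca_cn
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Self-signed CA, 730 days as in the CA example above.
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 -config "$dir/ca.cnf" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1

  # Server CSR plus the extensions the CA will stamp on it; the SAN list is
  # what clients match the dialed hostname or IP address against.
  cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
ST = Georgia
L = Atlanta
O = Automation
OU = Development
CN = $srv
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$srv, DNS:localhost, IP:127.0.0.1
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" >/dev/null 2>&1
  # Sign with the CA for 365 days (the documented default expiry).
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/server.cnf" -extensions v3_server \
    -out "$dir/server.pem" >/dev/null 2>&1
}

# Check 1: leaf $2 chains to CA $1 (openssl verify exits non-zero otherwise).
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: leaf $1 carries SAN entry $2, e.g. "DNS:localhost" or
# "IP Address:127.0.0.1" (openssl's rendering of an IP SAN).
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -Fq -- "$2"
}

# Check 3: leaf $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run: one PKI, plus an unrelated CA to show the chain check rejecting it.
work=$(mktemp -d)
make_demo_pki "$work/pki"
make_demo_pki "$work/other" "Unrelated CA"
verify_chain "$work/pki/ca.pem" "$work/pki/server.pem" && echo "chain to own CA: OK"
verify_chain "$work/other/ca.pem" "$work/pki/server.pem" || echo "chain to unrelated CA: rejected"
cert_has_san "$work/pki/server.pem" "IP Address:127.0.0.1" && echo "SAN 127.0.0.1: present"
cert_has_san "$work/pki/server.pem" "DNS:gateway.internal" || echo "SAN gateway.internal: missing"
cert_valid_for_days "$work/pki/server.pem" 30 && echo "valid for 30 more days: yes"
cert_valid_for_days "$work/pki/server.pem" 400 || echo "valid for 400 more days: no"
rm -rf "$work"
```

Running the same three checks against certificates produced by cert-gen only needs the paths swapped: the CA file is the one given to GATEWAY_APPLICATION_CA_CERTIFICATE_FILE, and the leaf is the server, client, or runner certificate. A leaf that fails verify_chain against that CA is rejected during the peer's TLS handshake, and a server or runner certificate whose SANs lack the address clients dial fails hostname verification even though the chain is valid, because modern TLS clients match the hostname against the SAN list rather than the Common Name.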
Certificate Options
These options provide granular control over the certificate generation process, allowing you to tailor the certificates to your specific needs and security requirements.
```
      --cn string         Common Name for the certificate
      --country string    Country for the certificate (default "US")
      --expiry int        Number of days until the certificate expires (default 365)
  -h, --help              help for cert-gen
      --key-algo string   Key algorithm (rsa, ecdsa) (default "rsa")
      --key-size int      Key size in bits (default 2048)
      --locality string   Locality for the certificate (default "Atlanta")
      --name string       Name for the certificate files
      --org string        Organization for the certificate (default "Automation")
      --ou string         Organizational Unit for the certificate (default "Development")
      --output string     Output directory for the certificates (default ".")
      --sans strings      Subject Alternative Names (SANs) for the certificate
      --state string      State for the certificate (default "Georgia")
```
Options Inherited from Parent Commands
```
      --config string   Path to the configuration file
      --raw             Displays the result of the command in its raw format
      --verbose         Enable verbose output
```
CLI References
For all CLI commands, see the Command References Index.