cert-gen
Generate TLS certificates for CA, server, client, and runner
Synopsis
Cert-Gen
The cert-gen
command provides a flexible and comprehensive way to generate certificates for:
- Secure communication between a torero server and client
- Secure communication between torero server and runners
TLS ensures secure communication channels between the torero gRPC clients and servers. Securing data transmitted over
the network is crucial when dealing with sensitive information. The cert-gen
command simplifies the process of generating
and managing TLS certificates when setting up torero servers. While this utility is provided for convenience, it's not
mandatory to use it for generating certificates used by torero and welcomed to use other means within your environment.
Certificates can be configured on the torero server using the configuration variables TORERO_SERVER_PRIVATE_KEY_FILE
and
TORERO_SERVER_CERTIFICATE_FILE
. Similarly, torero client certificates can be configured via TORERO_CLIENT_PRIVATE_KEY_FILE
and TORERO_CLIENT_CERTIFICATE_FILE
. Runners also require keys as they act as servers in distributed mode, configured using
TORERO_RUNNER_PRIVATE_KEY_FILE
and TORERO_RUNNER_CERTIFICATE_FILE
.
A CA certificate is created when using this tool, which is used to sign the other certificates. This is set at the application level
using TORERO_APPLICATION_CA_CERTIFICATE_FILE
.
When generating server/client/runner certificates, the ca.pem
file will be read in from the current directory or the
--output
flag if set.
The cert-gen
command offers extensive customization options, allowing you to specify details such as country, locality,
organization, organizational unit, state, common name, expiry period, key algorithm, and key size for your certificates.
Examples
Generate CA Certificate
>_ torero cert-gen ca \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn "My Company CA" \
--expiry 730 \
--key-algo rsa \
--key-size 4096
Generate Server Certificates
>_ torero cert-gen server \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn server.example.com \
--name server1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048
Generate Client Certificates
>_ torero cert-gen client \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn [email protected] \
--name client1 \
--expiry 365 \
--key-algo rsa \
--key-size 2048
Generate Runner Certificates
>_ torero cert-gen runner \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn runner.example.com \
--name runner1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048
Command Options
The following options are available for all certificate types:
--country
: Country for the certificate (default "US")--locality
: Locality for the certificate (default "Atlanta")--org
: Organization for the certificate (default "Automation")--ou
: Organizational Unit for the certificate (default "Development")--state
: State for the certificate (default "Georgia")--cn
: Common Name for the certificate--expiry
: Number of days until the certificate expires (default 365)--key-algo
: Key algorithm (rsa, ecdsa) (default "rsa")--key-size
: Key size in bits (default 2048)--output
: Output directory for the certificates (default ".")--name
: Name for the certificate files--sans
: Subject Alternative Names (SANs) for the certificate (comma-separated)
Note: The --sans
option is particularly useful for server and runner certificates, allowing you to specify additional hostnames or IP addresses that the certificate should be valid for.
These options provide granular control over the certificate generation process, allowing you to tailor the certificates to your specific needs and security requirements.
Options
--cn string Common Name for the certificate
--country string Country for the certificate (default "US")
--expiry int Number of days until the certificate expires (default 365)
-h, --help help for cert-gen
--key-algo string Key algorithm (rsa, ecdsa) (default "rsa")
--key-size int Key size in bits (default 2048)
--locality string Locality for the certificate (default "Atlanta")
--name string Name for the certificate files
--org string Organization for the certificate (default "Automation")
--ou string Organizational Unit for the certificate (default "Development")
--output string Output directory for the certificates (default ".")
--sans strings Subject Alternative Names (SANs) for the certificate
--state string State for the certificate (default "Georgia")
Options inherited from parent commands
--config string Path to the configuration file
--raw Displays the result of the command in its raw format
--verbose Enable verbose output
SEE ALSO
- torero - Welcome to torero
- torero cert-gen ca - Generate a Certificate Authority
- torero cert-gen client - Generate a client certificate
- torero cert-gen runner - Generate a runner certificate
- torero cert-gen server - Generate a server certificate