cert-gen

Generate TLS certificates for CA, server, client, and runner

Synopsis

Cert-Gen The cert-gen command provides a flexible and comprehensive way to generate certificates for:

• Secure communication between a torero server and client
• Secure communication between torero server and runners

TLS ensures secure communication channels between the torero gRPC clients and servers. Securing data transmitted over the network is crucial when dealing with sensitive information. The cert-gen command simplifies the process of generating and managing TLS certificates when setting up torero servers. While this utility is provided for convenience, it's not mandatory to use it for generating certificates used by torero and welcomed to use other means within your environment.

Certificates can be configured on the torero server using the configuration variables TORERO_SERVER_PRIVATE_KEY_FILE and TORERO_SERVER_CERTIFICATE_FILE. Similarly, torero client certificates can be configured via TORERO_CLIENT_PRIVATE_KEY_FILE and TORERO_CLIENT_CERTIFICATE_FILE. Runners also require keys as they act as servers in distributed mode, configured using TORERO_RUNNER_PRIVATE_KEY_FILE and TORERO_RUNNER_CERTIFICATE_FILE.

A CA certificate is created when using this tool, which is used to sign the other certificates. This is set at the application level using TORERO_APPLICATION_CA_CERTIFICATE_FILE.

When generating server/client/runner certificates, the ca.pem file will be read in from the current directory or the --output flag if set.

The cert-gen command offers extensive customization options, allowing you to specify details such as country, locality, organization, organizational unit, state, common name, expiry period, key algorithm, and key size for your certificates.

Examples

Generate CA Certificate

>_ torero cert-gen ca \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn "My Company CA" \
--expiry 730 \
--key-algo rsa \
--key-size 4096

Generate Server Certificates

>_ torero cert-gen server \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn server.example.com \
--name server1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048

Generate Client Certificates

>_ torero cert-gen client \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn [email protected] \
--name client1 \
--expiry 365 \
--key-algo rsa \
--key-size 2048

Generate Runner Certificates

>_ torero cert-gen runner \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn runner.example.com \
--name runner1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048

Command Options

The following options are available for all certificate types:

• --country: Country for the certificate (default "US")
• --locality: Locality for the certificate (default "Atlanta")
• --org: Organization for the certificate (default "Automation")
• --ou: Organizational Unit for the certificate (default "Development")
• --state: State for the certificate (default "Georgia")
• --cn: Common Name for the certificate
• --expiry: Number of days until the certificate expires (default 365)
• --key-algo: Key algorithm (rsa, ecdsa) (default "rsa")
• --key-size: Key size in bits (default 2048)
• --output: Output directory for the certificates (default ".")
• --name: Name for the certificate files
• --sans: Subject Alternative Names (SANs) for the certificate (comma-separated)

Note: The --sans option is particularly useful for server and runner certificates, allowing you to specify additional hostnames or IP addresses that the certificate should be valid for.

These options provide granular control over the certificate generation process, allowing you to tailor the certificates to your specific needs and security requirements.

Options

      --cn string         Common Name for the certificate
      --country string    Country for the certificate (default "US")
      --expiry int        Number of days until the certificate expires (default 365)
  -h, --help              help for cert-gen
      --key-algo string   Key algorithm (rsa, ecdsa) (default "rsa")
      --key-size int      Key size in bits (default 2048)
      --locality string   Locality for the certificate (default "Atlanta")
      --name string       Name for the certificate files
      --org string        Organization for the certificate (default "Automation")
      --ou string         Organizational Unit for the certificate (default "Development")
      --output string     Output directory for the certificates (default ".")
      --sans strings      Subject Alternative Names (SANs) for the certificate
      --state string      State for the certificate (default "Georgia")

Options inherited from parent commands

      --config string   Path to the configuration file
      --raw             Displays the result of the command in its raw format
      --verbose         Enable verbose output

SEE ALSO

• torero - Welcome to torero
• torero cert-gen ca - Generate a Certificate Authority
• torero cert-gen client - Generate a client certificate
• torero cert-gen runner - Generate a runner certificate
• torero cert-gen server - Generate a server certificate