cert-gen
Generate TLS certificates for CA, server, client, and runner
Synopsis
Cert-Gen
The cert-gen command provides a flexible and comprehensive way to generate certificates for:
- Secure communication between a torero server and client
- Secure communication between torero server and runners
TLS ensures secure communication channels between the torero gRPC clients and servers.
Securing data transmitted over the network is crucial when dealing with sensitive information.
The cert-gen command simplifies the process of generating and managing TLS certificates when setting up torero servers. While this utility is provided for convenience, using it is not mandatory: you are welcome to generate the certificates used by torero by other means within your environment.
Certificates can be configured on the torero server using the configuration variables TORERO_SERVER_PRIVATE_KEY_FILE and TORERO_SERVER_CERTIFICATE_FILE.
Similarly, torero client certificates can be configured via TORERO_CLIENT_PRIVATE_KEY_FILE and TORERO_CLIENT_CERTIFICATE_FILE.
Runners also require keys as they act as servers in distributed mode, configured using TORERO_RUNNER_PRIVATE_KEY_FILE and TORERO_RUNNER_CERTIFICATE_FILE.
A CA certificate is created when using this tool, which is used to sign the other certificates. This is set at the application level using TORERO_APPLICATION_CA_CERTIFICATE_FILE.
When generating server/client/runner certificates, the ca.pem and ca-key.pem files are read by default from the directory set by --output, or from the directory given with the --ca-certs-path flag when that override is used.
The cert-gen command offers extensive customization options, allowing you to specify details such as country, locality, organization, organizational unit, state, common name, expiry period, key algorithm, and key size for your certificates.
Examples
Generate CA Certificate
>_ torero cert-gen ca \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn "My Company CA" \
--expiry 730 \
--key-algo rsa \
--key-size 4096
Generate Server Certificates
>_ torero cert-gen server \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn server.example.com \
--name server1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048
Generate Client Certificates
>_ torero cert-gen client \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn [email protected] \
--name client1 \
--expiry 365 \
--key-algo rsa \
--key-size 2048
Generate Runner Certificates
>_ torero cert-gen runner \
--output /path/to/output/dir \
--country US \
--locality "San Francisco" \
--org "My Company" \
--ou "IT Department" \
--state California \
--cn runner.example.com \
--name runner1 \
--sans "localhost,127.0.0.1" \
--expiry 365 \
--key-algo rsa \
--key-size 2048
Command Options
The following options are available for all certificate types:
- --country: Country for the certificate (default "US")
- --locality: Locality for the certificate (default "Atlanta")
- --org: Organization for the certificate (default "Automation")
- --ou: Organizational Unit for the certificate (default "Development")
- --state: State for the certificate (default "Georgia")
- --cn: Common Name for the certificate
- --expiry: Number of days until the certificate expires (default 365)
- --key-algo: Key algorithm (rsa, ecdsa) (default "rsa")
- --key-size: Key size in bits (default 2048)
- --output: Output directory for the certificates (default ".")
- --name: Name for the certificate files
- --sans: Subject Alternative Names (SANs) for the certificate (comma-separated)
Note: The --sans option is particularly useful for server and runner certificates, allowing you to specify additional hostnames or IP addresses that the certificate should be valid for.
These options provide granular control over the certificate generation process, allowing you to tailor the certificates to your specific needs and security requirements.
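The effect of --sans on which names a peer will accept can be checked with Go's crypto/x509 verifier. This is an added example, not torero's own code: sampleChain and checkHost are hypothetical helpers, the CA and server leaf are constructed in memory to mirror the server example above (ECDSA keys for speed), and the SAN list is assumed to hold exactly the --sans values, since the page does not say whether cert-gen also adds the CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sampleChain builds a constructed CA and a server leaf signed by it.
// Assumption: SANs are exactly "localhost,127.0.0.1"; the CN is not a SAN.
func sampleChain() (ca, leaf *x509.Certificate) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "My Company CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 730)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:  pkix.Name{CommonName: "server.example.com"},
		DNSNames: []string{"localhost"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 365)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(der)
	return ca, leaf
}

// checkHost verifies leaf as a TLS peer trusting only ca would when dialing host.
func checkHost(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, leaf := sampleChain()
	for _, h := range []string{"localhost", "127.0.0.1", "server.example.com"} {
		fmt.Println(h, checkHost(ca, leaf, h))
	}
}
```

Go's verifier matches the dialed name only against SANs and never against the Common Name, so server.example.com is rejected for this leaf while localhost and 127.0.0.1 pass. Under the stated assumption, any name clients dial must be listed in --sans.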
Options
-h, --help help for cert-gen
Options inherited from parent commands
--config string Path to the configuration file
--raw Displays the result of the command in its raw format
--verbose Enable verbose output
SEE ALSO
- torero - Welcome to torero
- torero cert-gen ca - Generate a Certificate Authority
- torero cert-gen client - Generate a client certificate
- torero cert-gen runner - Generate a runner certificate
- torero cert-gen server - Generate a server certificate