tlscmd

package
v1.12.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jan 15, 2024 License: MIT Imports: 26 Imported by: 0

README

Manage certificates for Geneos Secure Communications.

You can import and manage your own certificates or create your own certificates with your own certificate authority (also known, incorrectly, as "self-signed" certificates).

Commands allow for initialisation, creation and renewal of certificates as well as listing details and copying a certificate chain to all other hosts.

Once initialised, all new instances will also have certificates created and their configuration set to use secure (encrypted) connections where possible.

The root and signing certificates are only kept on the local server and the sync command can be used to copy a certificate chain file to remote servers. Keys, which should be kept secure, are never copied to remote servers by any commands.

  • geneos tls init

    Initialises the TLS environment by creating a tls directory in Geneos and populating it with a new root and intermediate (signing) certificate and keys as well as a certificate chain which includes both CA certificates. The keys are only readable by the user running the command. Also does a sync if remotes are configured.

    Any existing instances have certificates created and their configurations updated to reference them. This means that any legacy .rc configurations will be migrated to .json files.

  • geneos tls import FILE [FILE...]

    Import certificates and keys as specified to the tls directory as root or signing certificates and keys. If both certificate and key are in the same file then they are split into a certificate and key and the key file is permissioned so that it is only accessible to the user running the command.

    Root certificates are identified by the Subject being the same as the Issuer, everything else is treated as a signing key. If multiple certificates of the same type are imported then only the last one is saved. Keys are checked against certificates using the Public Key part of both and only complete pairs are saved.

  • geneos tls new [TYPE] [NAME...]

    Create a new certificate for matching instances, signed using the signing certificate and key. This will NOT overwrite an existing certificate and will re-use the private key if it exists. The default validity period is one year. This cannot currently be changed.

  • geneos tls renew [TYPE] [NAME...]

    Renew a certificate for matching instances. This will overwrite an existing certificate regardless of its current status or validity period. Any existing private key will be re-used. renew can be used after import to create certificates for all instances, but if you already have specific instance certificates in place you should use new above. As with new, the validity period is a year and cannot be changed at this time.

  • geneos tls ls [-a] [-c|-j] [-i] [-l] [TYPE] [NAME...]

    List instance certificate information. Flags are similar to those of the main ls command, but the data shown is specific to certificates. Additional flags are:

    • -a List all certificates. By default the root and signing certificates are not shown.

    • -l Long list format, which includes the Subject and Signature.

      This signature can be used directly in the Geneos Authentication entry for users for non-user authentication using client certificates, e.g. Gateway Sharing and Web Server.

  • geneos tls sync

    Copies the certificate chain to all remotes.
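The identification and pairing rules described for geneos tls import above, as an added Go example that is not the tlscmd package's own code. The names classify and sample are hypothetical, the certificates are constructed in memory, and applying "last one wins" before "complete pairs only" is an assumption about how the two rules combine.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// classify: root means Subject == Issuer; the last of each kind wins, kept only with a matching key.
func classify(certs []*x509.Certificate, keys []crypto.Signer) map[string]*x509.Certificate {
	kept := map[string]*x509.Certificate{}
	for _, c := range certs {
		kind := "signing" // everything that is not a root
		if string(c.RawSubject) == string(c.RawIssuer) {
			kind = "root"
		}
		delete(kept, kind) // a later certificate of the same kind replaces an earlier one
		// Compare the public key in the certificate with the public part of each key.
		pub, ok := c.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
		for _, k := range keys {
			if ok && pub.Equal(k.Public()) {
				kept[kind] = c
			}
		}
	}
	return kept
}

// sample returns a constructed certificate and its key; a nil parent makes it self-issued.
func sample(cn string, parent *x509.Certificate, signer crypto.Signer) (*x509.Certificate, crypto.Signer) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	root, rootKey := sample("constructed root", nil, nil)
	signing, _ := sample("constructed signing", root, rootKey) // signing key withheld
	fmt.Println(len(classify([]*x509.Certificate{root, signing}, []crypto.Signer{rootKey})))
}
```

The Subject/Issuer comparison is a name check only; it does not verify the certificate's signature.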

Documentation

Overview

Package tlscmd contains all the TLS subsystem commands

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CreateCert

func CreateCert(dir string, overwrite bool, cn string, san ...string) (err error)

CreateCert creates a new certificate. This also creates a new private key. Creation is skipped if a certificate exists and is valid.

Types

This section is empty.
