mtls renew certificate CLI command reference

Detailed information on the mtls renew certificate CLI command

Description

This command can be used to renew expiring Dapr certificates. For example, the Dapr Sentry service can generate default root and issuer certificates used by applications. For more information, see secure Dapr to Dapr communication.

Supported platforms

Usage

    dapr mtls renew-certificate [flags]

Flags

| Name | Environment Variable | Default | Description |
| --- | --- | --- | --- |
| --help, -h | | | help for renew-certificate |
| --kubernetes, -k | | false | Supported platform |
| --valid-until | | 365 days | Validity for newly created certificates |
| --restart | | false | Restarts Dapr control plane services (Sentry service, Operator service and Placement server) |
| --timeout | | 300 sec | The timeout for the certificate renewal process |
| --ca-root-certificate | | | File path to user provided PEM root certificate |
| --issuer-public-certificate | | | File path to user provided PEM issuer certificate |
| --issuer-private-key | | | File path to user provided PEM issuer private key |
| --private-key | | | User provided root.key file which is used to generate root certificate |

Examples

Renew certificates by generating brand new certificates

Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days. The certificates are not applied to the Dapr control plane.

    dapr mtls renew-certificate -k

Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days and restarts the Dapr control plane services.

    dapr mtls renew-certificate -k --restart

Generates new root and issuer certificates for the Kubernetes cluster with a given validity time.

    dapr mtls renew-certificate -k --valid-until <no of days>

Generates new root and issuer certificates for the Kubernetes cluster with a given validity time and restarts the Dapr control plane services.

    dapr mtls renew-certificate -k --valid-until <no of days> --restart

Renew certificate by using user provided certificates

Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths and restarts the Dapr control plane services.

    dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem> --restart

Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths.

    dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem>
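
Before passing your own ca.pem, issuer.pem and issuer.key to the command, it is worth confirming that the three files actually belong together. The following is an added example, not part of the Dapr CLI or its documentation: the function name, return codes and 30-day default are choices made here, and it assumes OpenSSL 1.1.0 or later is installed.

```shell
#!/bin/sh
# Pre-flight check for user-provided Dapr mTLS certificates (added example).
# Usage: check_dapr_certs <ca.pem> <issuer.pem> <issuer.key> [min_days]
# Return codes (chosen for this example): 0 ok, 2 unreadable file,
# 3 issuer not signed by root, 4 key/cert mismatch, 5 expires too soon.
check_dapr_certs() {
    ca=$1 issuer=$2 key=$3 min_days=${4:-30}

    for f in "$ca" "$issuer" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done

    # 1. The issuer certificate must chain to the supplied root only
    #    (-no-CApath keeps the system trust directory out of the check).
    openssl verify -no-CApath -CAfile "$ca" "$issuer" >/dev/null 2>&1 || {
        echo "issuer certificate is not signed by the root" >&2; return 3; }

    # 2. The private key must belong to the issuer certificate:
    #    compare the public key derived from each file.
    cert_pub=$(openssl x509 -in "$issuer" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "issuer key does not match issuer certificate" >&2; return 4; }

    # 3. Neither certificate may expire within min_days.
    secs=$((min_days * 86400))
    for c in "$ca" "$issuer"; do
        openssl x509 -in "$c" -noout -checkend "$secs" >/dev/null || {
            echo "$c expires within $min_days days" >&2; return 5; }
    done
    return 0
}

# Run as a script only when all three paths are given.
if [ "$#" -ge 3 ]; then
    check_dapr_certs "$@"
fi
```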

Renew certificates by generating brand new certificates using the provided root private key

Uses existing private root.key to generate new root and issuer certificates for the Kubernetes cluster with a given validity time for created certs.

    dapr mtls renew-certificate -k --private-key myprivatekey.key --valid-until <no of days>

Uses the existing private root.key to generate new root and issuer certificates for the Kubernetes cluster.

    dapr mtls renew-certificate -k --private-key myprivatekey.key

Last modified June 19, 2023: Merge pull request #3565 from dapr/aacrawfi/skip-secrets-close (b1763bf)