mtls CLI command reference
Detailed information on the mtls CLI command
Description
Check if mTLS is enabled.
Usage
dapr mtls [flags]
dapr mtls [command]
Flags
| Name | Environment Variable | Default | Description |
| --- | --- | --- | --- |
| --help, -h | | | Print this help message |
| --kubernetes, -k | | false | Check if mTLS is enabled in a Kubernetes cluster |
Available Commands
expiry Checks the expiry of the root Certificate Authority (CA) certificate
export Export the root Certificate Authority (CA), issuer cert and issuer key to local files
renew-certificate Rotates the existing root Certificate Authority (CA), issuer cert and issuer key
Command Reference
You can learn more about each sub command from the links below.
Examples
# Check if mTLS is enabled on the Kubernetes cluster
dapr mtls -k
Warning messages
This command can issue warning messages.
Root certificate renewal warning
If the mTLS root certificate deployed to the Kubernetes cluster expires in under 30 days, the following warning message is displayed:
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
1 - mtls export CLI command reference
Detailed information on the mtls export CLI command
Description
Export the root Certificate Authority (CA), issuer cert and issuer key to local files
Usage
Flags
| Name | Environment Variable | Default | Description |
| --- | --- | --- | --- |
| --help, -h | | | help for export |
| --out, -o | | current directory | The output directory path to save the certs |
Examples
# Export the root CA, issuer cert and issuer key to the ./certs directory
dapr mtls export -o ./certs
Warning messages
This command can issue warning messages.
Root certificate renewal warning
If the mTLS root certificate deployed to the Kubernetes cluster expires in under 30 days, the following warning message is displayed:
Dapr root certificate of your Kubernetes cluster expires in <n> days. Expiry date: <date:time> UTC.
Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions.
2 - mtls expiry CLI command reference
Detailed information on the mtls expiry CLI command
Description
Checks the expiry of the root Certificate Authority (CA) certificate
Usage
Flags
| Name | Environment Variable | Default | Description |
| --- | --- | --- | --- |
| --help, -h | | | help for expiry |
Examples
# Check expiry of Kubernetes certs
dapr mtls expiry
3 - mtls renew certificate CLI command reference
Detailed information on the mtls renew certificate CLI command
Description
This command can be used to renew expiring Dapr certificates. For example, the Dapr Sentry service can generate default root and issuer certificates used by applications. For more information, see secure Dapr to Dapr communication.
Usage
dapr mtls renew-certificate [flags]
Flags
| Name | Environment Variable | Default | Description |
| --- | --- | --- | --- |
| --help, -h | | | help for renew-certificate |
| --kubernetes, -k | | false | Supported platform |
| --valid-until | | 365 days | Validity for newly created certificates |
| --restart | | false | Restarts Dapr control plane services (Sentry service, Operator service and Placement server) |
| --timeout | | 300 sec | The timeout for the certificate renewal process |
| --ca-root-certificate | | | File path to user provided PEM root certificate |
| --issuer-public-certificate | | | File path to user provided PEM issuer certificate |
| --issuer-private-key | | | File path to user provided PEM issuer private key |
| --private-key | | | User provided root.key file which is used to generate root certificate |
Examples
Renew certificates by generating brand new certificates
Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days. The certificates are not applied to the Dapr control plane.
dapr mtls renew-certificate -k
Generates new root and issuer certificates for the Kubernetes cluster with a default validity of 365 days and restarts the Dapr control plane services.
dapr mtls renew-certificate -k --restart
Generates new root and issuer certificates for the Kubernetes cluster with a given validity time.
dapr mtls renew-certificate -k --valid-until <no of days>
Generates new root and issuer certificates for the Kubernetes cluster with a given validity time and restarts the Dapr control plane services.
dapr mtls renew-certificate -k --valid-until <no of days> --restart
Renew certificate by using user provided certificates
Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths and restarts the Dapr control plane services.
dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem> --restart
Rotates certificates for the Kubernetes cluster with the provided ca.pem, issuer.pem and issuer.key file paths.
dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> --issuer-private-key <issuer.key> --issuer-public-certificate <issuer.pem>
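Before rotating with user-provided certificates, it helps to confirm that the three files belong together and are not already inside the 30-day warning window described earlier. The script below is an added example, not part of the Dapr CLI or its documentation; preflight_certs and make_sample_chain are hypothetical helper names, it assumes the openssl command-line tool is installed, and the chain it generates is constructed sample material.

```shell
#!/bin/sh
# Added example: pre-flight checks on the files passed to
#   dapr mtls renew-certificate -k --ca-root-certificate <ca.pem> \
#     --issuer-public-certificate <issuer.pem> --issuer-private-key <issuer.key>
# preflight_certs and make_sample_chain are hypothetical helpers, not dapr features.

# preflight_certs <ca.pem> <issuer.pem> <issuer.key> [min_days]
# Returns 0 = ok, 1 = issuer not signed by root, 2 = key mismatch, 3 = expires too soon.
preflight_certs() {
  ca="$1"; issuer="$2"; key="$3"; min_days="${4:-30}"

  # 1. The issuer certificate must verify against the supplied root.
  openssl verify -CAfile "$ca" "$issuer" >/dev/null 2>&1 || {
    echo "issuer certificate does not chain to the root certificate" >&2; return 1; }

  # 2. The issuer private key must belong to the issuer certificate:
  #    compare the public key in the certificate with the one derived from the key.
  cert_pub=$(openssl x509 -in "$issuer" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
    echo "issuer private key does not match the issuer certificate" >&2; return 2; }

  # 3. Neither certificate may expire inside the window (default 30 days,
  #    the threshold at which the CLI starts warning about the root).
  for cert in "$ca" "$issuer"; do
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
      echo "$cert expires in under $min_days days" >&2; return 3; }
  done
}

# Constructed sample material: a throwaway root and issuer written to directory $1,
# valid for $2 days. Only meant for exercising the checks above.
make_sample_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample root" -days "$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sample issuer" \
    -keyout "$1/issuer.key" -out "$1/issuer.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/issuer.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days "$2" -out "$1/issuer.pem" 2>/dev/null
}

# Demo run on the constructed chain.
demo=$(mktemp -d) && make_sample_chain "$demo" 365 &&
  preflight_certs "$demo/ca.pem" "$demo/issuer.pem" "$demo/issuer.key" &&
  echo "sample chain passes pre-flight"
rm -rf "$demo"
```

Run the check against the real files and continue to renew-certificate only when it returns 0.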
Renew certificates by generating brand new certificates using the provided root private key
Uses the existing private root.key to generate new root and issuer certificates for the Kubernetes cluster with a given validity time for created certs.
dapr mtls renew-certificate -k --private-key myprivatekey.key --valid-until <no of days>
Uses the existing private root.key to generate new root and issuer certificates for the Kubernetes cluster.
dapr mtls renew-certificate -k --private-key myprivatekey.key