
Certificate Management

Automated certificate lifecycle management. Issue, renew, and revoke certificates with a built-in certificate authority.

Estimated time: 20 minutes

Supported Certificate Types

TLS/SSL certificates
SSH host certificates
SSH user certificates
Database certificates
Kubernetes certificates
mTLS service certificates

Configuration Steps

1. Configure Certificate Authority

Set up the built-in certificate authority.

tacctl create -f - <<EOF
kind: cert_authority
metadata:
  name: host-ca
spec:
  type: host
  cluster_name: company-cluster
  key_type: ecdsa-sha2-nistp256
  rotation_period: 8760h  # 1 year
  grace_period: 720h      # 30 days
EOF

2. Set Certificate TTLs

Configure certificate lifetimes for different use cases.

tacctl create -f - <<EOF
kind: cluster_auth_preference
metadata:
  name: default
spec:
  # Human user certificates
  session_ttl: 8h
  max_session_ttl: 12h

  # AI agent certificates
  ai_agent_ttl: 1h
  ai_agent_max_ttl: 4h

  # Service certificates
  service_cert_ttl: 24h
EOF

3. Configure Certificate Rotation

Set up automatic CA rotation with grace periods. Note that this monthly schedule is much shorter than the rotation_period of 8760h set on host-ca in step 1; pick one cadence and keep the two settings consistent.

tacctl create -f - <<EOF
kind: ca_rotation
metadata:
  name: scheduled
spec:
  schedule: "0 0 1 * *"  # Monthly rotation
  grace_period: 168h     # 7 days

  notification:
    - type: slack
      channel: "#security"
      before: 72h
    - type: email
      to: [email protected]
      before: 168h
EOF

4. Set Up Certificate Monitoring

Monitor certificate expiration and health. Each alert fires once a certificate's remaining lifetime drops below its threshold, and check_interval sets how often that evaluation runs.

tacctl create -f - <<EOF
kind: certificate_monitor
metadata:
  name: expiry-alerts
spec:
  check_interval: 1h

  alerts:
    - threshold: 30d
      severity: info
    - threshold: 7d
      severity: warning
    - threshold: 24h
      severity: critical

  notify:
    - type: pagerduty
      routing_key: ${PAGERDUTY_KEY}
EOF
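To make the alert ladder above concrete, here is an added example (not part of the product or this guide) that evaluates a constructed certificate inventory against the same 30d / 7d / 24h thresholds and reports the most severe level reached per certificate; the duration format and inventory are assumptions, not tac output.

```python
"""Expiry-threshold evaluation matching the certificate_monitor alert ladder."""
import re
from datetime import datetime, timedelta, timezone

# Durations in the same form the configs above use ("30d", "24h", "8760h").
_UNITS = {"h": 3600, "d": 86400}


def parse_duration(s):
    m = re.fullmatch(r"(\d+)([hd])", s.strip())
    if not m:
        raise ValueError(f"unsupported duration: {s!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


# Alert ladder from the certificate_monitor spec: (threshold, severity).
ALERTS = [("30d", "info"), ("7d", "warning"), ("24h", "critical")]
SEVERITY_RANK = {"info": 1, "warning": 2, "critical": 3}


def classify(not_after, now, alerts=ALERTS):
    """Return the most severe alert whose threshold covers the remaining
    lifetime, 'expired' if not_after is already past, or None if no
    threshold is reached yet."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    hit = [sev for thr, sev in alerts if remaining <= parse_duration(thr)]
    return max(hit, key=SEVERITY_RANK.__getitem__) if hit else None


def evaluate(inventory, now):
    """Map certificate name -> alert level for every cert needing attention."""
    result = {}
    for name, not_after in inventory.items():
        level = classify(not_after, now)
        if level:
            result[name] = level
    return result


# Constructed sample inventory (assumed names and expiries, not real certs).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "server-1": NOW + timedelta(days=90),   # healthy, no alert
    "server-2": NOW + timedelta(days=20),   # inside 30d -> info
    "server-3": NOW + timedelta(days=3),    # inside 7d -> warning
    "db-1": NOW + timedelta(hours=6),       # inside 24h -> critical
    "legacy-1": NOW - timedelta(hours=1),   # already expired
}

if __name__ == "__main__":
    for name, level in evaluate(SAMPLE, NOW).items():
        print(f"{name}: {level}")
```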

5. Issue and Manage Certificates

Issue, revoke, and audit certificates.

# List all certificates
tac cert ls

# Issue a certificate manually
tac cert issue --type=host --name=server-1 --ttl=24h

# Revoke a certificate
tac cert revoke --serial=abc123 --reason="compromised"

# Audit certificate usage
tac cert audit --from=7d

Certificate Management Enabled

With certificate management configured, you have:

  • Built-in certificate authority for all infrastructure
  • Automatic certificate renewal before expiration
  • Expiration alerts and monitoring
  • Complete audit trail for all certificate operations