For a tenant, it is important to send the manifest to the right provider, and for a provider to ensure that only owners can access their deployments. Each account must therefore create a certificate before deploying a workload or starting the provider.
Note: in this guide, --from refers to the key main, which was previously created with akash key add. Change it to the name of your own key.
- name: main
  type: local
  address: akash1gp3scyd8aye3z8szf3mpqzgsg4csyplcqehxus
  pubkey: akashpub1addwnpepq0np6xltudgnau39046qtty3k46gzd482884hqcfxvzpyf2ttnr8ue3hc55
  mnemonic: ""
  threshold: 0
  pubkeys: []
By default, a certificate is valid for 365 days from the moment it is issued.
provider-services tx cert generate client --from $AKASH_KEY_NAME
provider-services tx cert publish client --from $AKASH_KEY_NAME
It is important for the provider to list the same domain(s) as the hostURI in the provider attributes. For example, if HostURI: https://example.com, then example.com must be listed as one of the domains in the certificate.
#provider-services tx cert create server [list of domains provider is serving on] --from=main
provider-services tx cert create server example.com example1.com --from=main
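A pre-flight check for the domain rule above, as an added example that is not part of the Akash documentation or tooling: it extracts the host from a HostURI and confirms it is among the domains about to be passed to cert create server. The function names host_from_uri and check_cert_domains are hypothetical, and exact, case-insensitive name matching is an assumption.

```shell
#!/bin/sh
# Added example (not Akash code). host_from_uri and check_cert_domains are
# hypothetical helpers; exact, case-insensitive name matching is an assumption.

# Print the lowercase host part of a URI such as https://example.com:8443/status
host_from_uri() {
    rest=${1#*://}          # drop the scheme
    rest=${rest%%/*}        # drop the path
    rest=${rest%%\?*}       # drop a query string that follows the host directly
    rest=${rest##*@}        # drop userinfo
    host=${rest%%:*}        # drop the port
    host=${host%.}          # drop a trailing dot
    printf '%s\n' "$host" | tr '[:upper:]' '[:lower:]'
}

# check_cert_domains HOST_URI DOMAIN...
# Returns 0 if the HostURI host is one of the domains, 1 if not, 2 on bad input.
check_cert_domains() {
    if [ "$#" -lt 2 ]; then
        echo "usage: check_cert_domains HOST_URI DOMAIN..." >&2
        return 2
    fi
    want=$(host_from_uri "$1")
    shift
    if [ -z "$want" ]; then
        echo "could not extract a host from the HostURI" >&2
        return 2
    fi
    for d in "$@"; do
        d=$(printf '%s' "${d%.}" | tr '[:upper:]' '[:lower:]')
        if [ "$d" = "$want" ]; then
            return 0
        fi
    done
    echo "HostURI host '$want' is missing from the domain list: $*" >&2
    return 1
}

# Usage with the values from this page:
#   check_cert_domains "https://example.com" example.com example1.com &&
#     provider-services tx cert create server example.com example1.com --from=main
```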
Locally, a certificate and its private key are stored in a single file in the akash home directory. The file is named <address>.pem. For example, for a certificate created with the key main, the file will be named akash1gp3scyd8aye3z8szf3mpqzgsg4csyplcqehxus.pem
If the file already exists, the user is prompted to check whether the certificate is already present on chain:
- certificate is not on chain: the user is prompted whether to commit it or leave it as is
- certificate is on chain: the user is prompted to revoke it or leave it as is
To create a certificate without being prompted, use the --rie flag (revoke if exists)
Use the following flags to set a custom validity period:
- naf: valid not after. The value is either a number of days with the d suffix (364d) or an RFC3339 formatted timestamp
- nbf: valid not before. The value must be an RFC3339 formatted timestamp
Note: the flags above are valid for both client and server certificates
example 1
certificate valid for 180 days after issuing
provider-services tx cert generate client --from=main --naf=180d
example 2
certificate valid for 180 days after date of start
provider-services tx cert generate client --from=main --nbf="2022-03-19T18:35:03-04:00" --naf=180d
example 3
certificate valid for 365 days after date of start
provider-services tx cert generate client --from=main --nbf="2022-03-19T18:35:03-04:00"
provider-services tx cert revoke --from=main
provider-services tx cert revoke --from=main --serial=<serial #>
To query certificates for a particular account
provider-services query cert list --owner="$(akash keys show main -a)"
To filter by state
provider-services query cert list --owner="$(akash keys show main -a)" --state=valid
provider-services query cert list --owner="$(akash keys show main -a)" --state=revoked