MCPcopy Index your code
hub / github.com/Venafi/vcert

github.com/Venafi/vcert @v5.13.7

Chat with this repo
repository ↗ · DeepWiki ↗ · release v5.13.7 ↗ · + Follow
2,117 symbols 7,133 edges 230 files 486 documented · 23% 1 cross-repo links
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Apache 2.0 License Community Supported Compatible with Certificate Manager, Self-hosted 17.3+
This open source project is community-supported. To report a problem or share an idea, use Issues; and if you have a suggestion for fixing the issue, please include those details, too. In addition, use Pull Requests to contribute actual bug fixes or proposed enhancements. We welcome and appreciate all contributions. Got questions or want to discuss something with our team? Join us on Slack!

VCert CLI for CyberArk SSH Manager for Machines

VCert is a command line tool designed to generate keys and simplify certificate acquisition, eliminating the need to write code that's required to interact with the CyberArk REST API. VCert is available in 32- and 64-bit versions for Linux, Windows, and macOS.

This article applies to the latest version of VCert CLI, which you can download here.

Quick Links

Use these to quickly jump to a relevant section lower on this page:

Prerequisites

Review these prerequistes to get started. You'll need:

  1. A user account that has an authentication token with "ssh:manage" scope (i.e. access to the "VCert CLI" API Application as of 21.2)
  2. A folder where the user has been granted the following permissions: View, Read, Write, Create, and Private Key Read; this is for the pickup action when the certificate signing request (CSR) is service-generated.

Compatibility

VCert is compatible with CyberArk SSH Manager for Machines 20.3 or later.

General Command Line Parameters

The following options apply to the sshenroll and sshpickup actions:

Command Description
--config Use to specify INI configuration file containing connection details. Available parameters: tpp_url, access_token, tpp_user, tpp_password, tpp_zone, trust_bundle, test_mode
--no-prompt Use to exclude password prompts. If you enable the prompt and you enter incorrect information, an error is displayed. This option is useful with scripting.
--t Use to specify the token required to authenticate with CyberArk SSH Manager for Machines 20.1 (and higher). See the Appendix for help using VCert to obtain a new authorization token.
--test-mode Use to test operations without connecting to CyberArk SSH Manager for Machines. This option is useful for integration tests where the test environment does not have access to CyberArk SSH Manager for Machines. Default is false.
--test-mode-delay Use to specify the maximum number of seconds for the random test-mode connection delay. Default is 15 (seconds).
--timeout Use to specify the maximum amount of time to wait in seconds for a certificate to be processed by CyberArk SSH Manager for Machines. Default is 120 (seconds).
--trust-bundle Use to specify a file with PEM formatted certificates to be used as trust anchors when communicating with CyberArk SSH Manager for Machines. VCert uses the trust store of your operating system for this purpose if not specified.

Example: --trust-bundle /path-to/bundle.pem | | -u | Use to specify the URL of the CyberArk SSH Manager for Machines API server.

Example: -u https://sshmm.cyberArk.example | | --verbose | Use to increase the level of logging detail, which is helpful when troubleshooting issues. |

Environment Variables

As an alternative to specifying a token, trust bundle, url, and/or zone via the command line or in a config file, VCert supports supplying those values using environment variables VCERT_TOKEN, VCERT_TRUST_BUNDLE, VCERT_URL, and VCERT_ZONE respectively.

SSH Certificate Request Parameters

vcert sshenroll -u <sshmm url> -t <auth token> --template <ssh ca> --id <cert id> --principal <user> --valid-hours 1

Options:

Command Description
--destination-address Use to specify the address (FQDN, hostname, IP address, or CIDR) of the destination host where the certificate will be used for authentication. Applicable for client certificates and is used for reporting/auditing only.
--extension Use to request certificate extensions. For basic extensions use --extension <value> and for key-value extensions use --extension <key>:<value>
--folder Use to specify the DN of the policy folder within which the certificate object will be created. If not specified, the default policy folder indicated by the certificate template will be used.
--force-command Use to request a force command. Example: --force-command "/usr/scripts/db_backup.sh"
--id Use to specify the identifier of the SSH certificate. This is typically used to determine ownership.
--key-passphrase Use to specify the passphrase for encrypting the private key.
--key-size Use to specify the key size in bits when creating a keypair using --public-key local
--object-name Use to specify a friendly name for the certificate object. If not specified, the value of the --id parameter is used.
--principal Use to specify principals for the certificate. If not specified, the default principals indicated by the certificate template will be used.
--public-key Use to specify the origin of the public key. Options: local (default), service, or file:/path-to/key.pub
--source-address Use to specify the source addresses as list of IP addresses or CIDR. Example: --source-address 192.168.1.1/24
--template Used to specify the SSH certificate issuing template that will be used to sign the certificate.
--valid-hours Use to specify the number of hours a certificate needs to be valid.
--windows Output certificate and key files in Windows format (i.e. with \r\n line endings) instead of Unix format (i.e. \n line endings).

SSH Certificate Retrieval Parameters

vcert sshpickup -u <sshmm url> -t <auth token> --pickup-id <cert DN>

Options:

Command Description
--guid Use to specify the identifier of the SSH certificate to retrieve (alternative to specifying the SSH certificate by DN using --pickup-id).
--key-passphrase Use to specify the passphrase for encrypting the private key.
--pickup-id Use to specify the DN of the SSH certificate to retrieve.
--windows Output certificate and key files in Windows format (i.e. with \r\n line endings) instead of Unix format (i.e. \n line endings).

Parameters for retrieving an SSH CA's public key

vcert sshgetconfig -u <sshmm url> -t <auth token> --template <ssh ca>

Options:

Command Description
--file Use to specify the file to which the SSH CA public key will be written. Example: --file /path-to/ssh_ca.pub
--guid Use to specify the identifier of the SSH certificate issuing template to view (alternative to specifying the issuing template by DN using --template).
--template Use to specify the DN of the SSH certificate issuing template to view.

Examples

For the purposes of the following examples, assume the following:

  • The SSH Manager for Machines REST API is available at https://sshmm.cyberark.example/vedsdk
  • A user account named SshCertSvc has been created with an authentication token of "ql8AEpCtGSv61XGfAknXIA==", with a scope of "ssh:manage".
  • A folder structure has been created at the root of the Policy Tree called ssh-certificates\dev-db-admins and the SshCertSvc user has been granted View, Read, Write, Create, and Private Key Read permissions to that folder.
  • An SSH Certificate Issuing Template has been created called DB-Admins-Template.

Use the Help to view the command line syntax for enroll:

vcert enroll -h

Submit an SSH Manager for Machines request for enrolling an SSH certificate from the SSH Certificate Issuing Template for the db-admin, to access a computer for 8 hours:

vcert sshenroll -u https://sshmm.cyberark.example -t "ql8AEpCtGSv61XGfAknXIA==" --template DB-Admins-Template --id example-certificate --principal db-admin --valid-hours 8

Submit an SSH Manager for Machines request for enrolling an SSH certificate with multiple principals for 8 hours: ``` vcert sshenroll -u https://ss

Extension points exported contracts — how you extend this code

CAAccountsServiceWrapper (Interface)
CAAccountsServiceWrapper provides functions to wrap the autogenerated code of CAAccounts services for testing purposes. [6 …
pkg/webclient/caaccounts/service/service.go
Connector (Interface)
Connector provides a common interface for external communications with CyberArk Certificate Manager, Self-Hosted or Cybe [5 …
pkg/endpoint/endpoint.go
Installer (Interface)
Installer represents the interface for all installers. A new Installer must implement this interface to be picked up. [4 …
pkg/playbook/app/installer/installer.go
CAOperationsServiceWrapper (Interface)
CAOperationsServiceWrapper provides functions to wrap the autogenerated code of CAOperations services for testing purpos [3 …
pkg/webclient/caoperations/service/service.go
RevocationRequestResponse (Interface)
(no doc) [2 implementers]
pkg/endpoint/endpoint.go

Core symbols most depended-on inside this repo

Error
called by 160
pkg/venafi/tpp/error.go
String
called by 114
pkg/playbook/app/domain/installationType.go
Authenticate
called by 99
pkg/endpoint/endpoint.go
RequestCertificate
called by 84
pkg/endpoint/endpoint.go
request
called by 82
pkg/venafi/tpp/tpp.go
IsArrayStringEqual
called by 82
test/fixtures.go
GenerateRequest
called by 74
pkg/endpoint/endpoint.go
Add
called by 71
pkg/certificate/extKeyUsage.go

Shape

Function 978
Method 698
Struct 376
TypeAlias 53
Class 6
Interface 6

Languages

Go98%
Ruby2%

Modules by API surface

pkg/webclient/cloudproviders/cloudproviders.gen.go131 symbols
pkg/venafi/tpp/tpp.go84 symbols
pkg/venafi/tpp/connector.go80 symbols
pkg/venafi/tpp/connector_test.go70 symbols
pkg/venafi/ngts/connector.go67 symbols
pkg/endpoint/endpoint.go60 symbols
pkg/venafi/cloud/connector.go59 symbols
pkg/venafi/ngts/connector_test.go58 symbols
pkg/venafi/cloud/cloud.go56 symbols
pkg/venafi/ngts/cloud.go55 symbols
pkg/venafi/cloud/connector_test.go52 symbols
cmd/vcert/main_test.go50 symbols

Used by 1 indexed graphs manifest dependencies, hub-wide

For agents

$ claude mcp add vcert \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact