Thursday, October 20th 2016

Say Hello to `now certs`: Advanced Certificate Management Using Now

Olli Vanhoja (@OVanhoja)

As of version 0.26.0 of the Now CLI, our users will be able to manage the SSL certificates used in their deployments directly from their device.

For every newly created deployment, we've been automatically provisioning new certificates for a long time now. However, our users haven't been able to upload their own certificates, replace existing ones or remove one from a deployment.

Today, this will change!

From now on, our users will be able to upload certificates issued by any Certificate Authority for custom domains registered with Now.

The Command

Let's take a look at how you can use Now's CLI to interact with the new features! In the following examples, zeit.rocks represents the domain you'd like to modify.

now certs ls

Lists all certificates owned and created by the user. All certificate entries ever created will remain there in the list, as long as the user still owns the domain associated with the certificate. The actual certificates may however change over time. For example, we periodically renew all the certificates created with the API.

now certs create zeit.rocks

Allows you to create a new certificate for any domain you have access to and have registered with Now. There shouldn't be much real use for this command and it's mainly provided for symmetry, though you may want to use it for creating a certificate entry for a subdomain in advance, before creating an alias using the domain.

now certs renew zeit.rocks

Can be used for renewing an existing certificate issued with Now. This command can't be used for renewing a custom certificate provided by the user.

now certs replace

That's the core of this update! The command can be used for uploading a certificate issued by a 3rd party Certificate Authority. It requires you to already have an alias with an automatic certificate in place. You can use it like this:

now certs replace --crt domain.crt --key domain.key --ca ca_chain.crt zeit.rocks

Keep in mind: `--ca ca_chain.crt` is optional, but it is needed if your certificate provider is not considered a root Certificate Authority by web browsers and operating systems (which is usually the case). This file is usually provided by the Certificate Authority you're using.
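Before running `now certs replace`, it helps to confirm locally that the files you pass belong together. The script below is an added example, not part of the Now CLI; it assumes the OpenSSL command line tool is installed, and `check_cert_bundle` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: local checks on the files handed to `now certs replace`.
# Usage: check_cert_bundle DOMAIN CRT KEY [CA_CHAIN]
# Returns 0 if every check passes, otherwise a code for the first failure.
check_cert_bundle() {
  domain=$1; crt=$2; key=$3; chain=${4:-}

  # 1. The certificate and the private key must carry the same public key.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  [ "$crt_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; return 3; }

  # 2. The certificate must cover the domain (SAN, or CN when no SAN exists).
  openssl x509 -in "$crt" -noout -checkhost "$domain" 2>/dev/null |
    grep -q 'does match' ||
    { echo "certificate does not cover $domain" >&2; return 4; }

  # 3. The certificate must not have expired already.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "certificate has expired" >&2; return 5; }

  # 4. If a chain file is given, the certificate must verify against a
  #    certificate in it (the chain file is treated as the trust anchor here).
  if [ -n "$chain" ]; then
    openssl verify -partial_chain -trusted "$chain" "$crt" 2>/dev/null |
      grep -q ': OK$' ||
      { echo "certificate does not verify against $chain" >&2; return 6; }
  fi
  return 0
}

# When called as a script:
#   ./check.sh zeit.rocks domain.crt domain.key ca_chain.crt
if [ "$#" -ge 3 ]; then
  check_cert_bundle "$@"
fi
```

Step 4 only shows that the chain file matches the certificate; whether browsers trust that chain still depends on the root it leads to.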

The API Endpoint

Finally, version 0.6.0 of now-client comes with API wrappers for managing the certificates bound to aliases using a custom domain.

Normally, when a user created an alias with the Now command line utility, we automatically issued a certificate for it (as previously described in this post). So technically, the API endpoint was already there (but until now, it only supported issuing new certificates).

Today, we're expanding the API to support these big three Rs:

  • Renewal
  • Replacement
  • Removal

The endpoint is called /now/certs and available in our REST API.

How to Get It

If you've installed Now's command line interface using Now Desktop, the only thing you need to do is make sure that the application is running. Assuming that's the case, the binary will automatically be updated for you in the next few minutes!

However, if that's not the case, we highly recommend that you download Now Desktop and use it to install the CLI. Afterwards, you're covered!

If you're on a platform that's not yet supported by Now Desktop, simply update the command line utility like this: `npm install -g now@0.26.0`

...

Have fun with `now certs`!