
Cert sign#


The sign sub-command under the tools cert command creates a private key and a certificate and signs the created certificate with a given Certificate Authority.


containerlab tools cert sign [local-flags]



To set the name under which the certificate and key files will be saved, use the --name | -n flag. A name set to mynode will create files mynode.pem, mynode-key.pem and mynode.csr.
Default value is cert.


A directory path under which the generated files will be placed is set with --path | -p flag. Defaults to current working directory.

CA Cert and CA Key#

To indicate which CA should sign the certificate request, the command takes a path to CA certificate and CA key files.

--ca-cert flag sets the path to the CA certificate file.
--ca-key flag sets the path to the CA private key file.

Common Name#

Certificate Common Name (CN) field is set with --cn flag. Defaults to


To add Subject Alternative Names (SAN) use the --hosts flag, which takes a comma-separated list of SAN values. Users can provide both DNS names and IP addresses, and the values will be placed into the DNS SAN and IP SAN automatically.
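The following Go program is an added example, not containerlab's own code. It shows how a mixed list of host values can be sorted into DNS and IP SANs and how a Go TLS client then matches the dialed name against them. The sorting rule (anything that parses as an IP address becomes an IP SAN), the helper names and the host values are assumptions, and a throwaway self-signed certificate stands in for the CA-signed one because name matching does not depend on the issuer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
)

// splitHosts sorts a --hosts style list into DNS and IP SANs (assumed rule: parses as IP => IP SAN).
func splitHosts(hosts string) (dns []string, ips []net.IP) {
	for _, h := range strings.Split(hosts, ",") {
		h = strings.TrimSpace(h)
		if ip := net.ParseIP(h); ip != nil {
			ips = append(ips, ip)
		} else if h != "" {
			dns = append(dns, h)
		}
	}
	return dns, ips
}

// acceptedFor issues a throwaway self-signed cert and checks it against the name a client dialed.
func acceptedFor(cn, hosts, dialed string) bool {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dns, ips := splitHosts(hosts)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dns, IPAddresses: ips}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert.VerifyHostname(dialed) == nil
}

func main() {
	h := "node1.lab.example,192.0.2.10" // constructed sample --hosts value
	fmt.Println(acceptedFor("node1", h, "192.0.2.10"), acceptedFor("node1", h, "node1")) // true false
}
```

Go's verifier matches the dialed name only against SAN entries of the matching type and does not fall back to the Common Name, so a name that appears only in the CN is rejected.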


Certificate Country (C) field is set with --c flag. Defaults to Internet.


Certificate Locality (L) field is set with --l flag. Defaults to Server.


Certificate Organization (O) field is set with --o flag. Defaults to Containerlab.

Organization Unit#

Certificate Organization Unit (OU) field is set with --ou flag. Defaults to Containerlab Tools.


# create a private key and certificate and sign the latter
# with the Hosts list of [<dns-name>,<ip-address>] (placeholders, substitute your own values)
# saving both files under the default name `cert` in the PWD
# and signed by the CA identified by cert ca.pem and key ca-key.pem
containerlab tools cert sign --ca-cert /tmp/ca.pem \
             --ca-key /tmp/ca-key.pem \
             --hosts <dns-name>,<ip-address>

The generated certificate can be verified/viewed with the openssl tool:

openssl x509 -in cert.pem -text
        Version: 3 (0x2)
        Serial Number: