Deploy TLS Bundles with Reis (Flag Mode)
Create and manage TLS bundles directly from the command line using Reis flag-mode commands.
Create and manage TLS bundles directly from the command line using Reis flag-mode commands.
Create a TLS bundle
reis tls_bundle:create \
--name "API Public Certificate" \
--handle api-cert \
--ca_file ./certs/ca.crt \
--cert_file ./certs/api.crt \
--key_file ./certs/api.keyAll three PEM files are required. The handle must be DNS-1123 compliant (lowercase alphanumeric and hyphens, max 63 characters).
List TLS bundles
reis tls_bundle:listShows a table with handle, name, subject, expiry, and algorithm for each bundle.
Show details
reis tls_bundle:show <bundle-id>Displays the full metadata including fingerprint, issuer, and expiry date. The private key is never displayed.
Rotate certificate material
reis tls_bundle:rotate <bundle-id> \
--ca_file ./certs/new-ca.crt \
--cert_file ./certs/new-api.crt \
--key_file ./certs/new-api.keyCreates a new version and marks it current. The previous version is retained for rollback.
List versions
reis tls_bundle:versions <bundle-id>Activate a previous version (rollback)
reis tls_bundle:activate_version <bundle-id> <version-number>Delete a TLS bundle
reis tls_bundle:delete <bundle-id>Add --force to skip the confirmation prompt. Deleting removes all versions, project attachments, and container wiring.
Attach to a project
reis project:attach <project-id> tls_bundles api-certSingular alias tls_bundle is also accepted. The project-id is the UUID Reis returns from project:list or project:show.
Detach from a project
reis project:detach <project-id> tls_bundles api-certIf a running container still mounts the bundle, detach is rejected with a 409 naming the blocking container — tear it down (or remove its tls_bundles block) and retry.