Deploy X.509 Certificates with Reis (Flag Mode)
Create and manage X.509 certificates directly from the command line using Reis flag-mode commands.
Create an X.509 certificate
reis x509_cert:create \
--name "Signing Certificate" \
--handle signing-cert \
--cert_file ./certs/signing.crt
Only one PEM file is required (the certificate itself). The handle must be DNS-1123 compliant (lowercase alphanumeric and hyphens, max 63 characters).
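A pre-flight check for the two inputs above, as an added example that is not part of the Reis documentation or code base. It checks the handle against the DNS-1123 label rule (which also requires an alphanumeric first and last character) and checks that the file holds a PEM certificate and no private key block. The function names are hypothetical, and rejecting private key material is an assumption drawn from the note that only the certificate itself is required.

```sh
#!/bin/sh
# Added example: pre-flight checks for the inputs to `reis x509_cert:create`.
# Function names are hypothetical; nothing here calls Reis itself.

# DNS-1123 label: 1-63 characters, lowercase alphanumerics and '-',
# beginning and ending with an alphanumeric.
valid_handle() {
    h=$1
    [ -n "$h" ] || return 1
    case $h in
        *[!abcdefghijklmnopqrstuvwxyz0123456789-]*) return 1 ;;  # disallowed character
        -*|*-) return 1 ;;                                       # hyphen at either end
    esac
    [ "${#h}" -le 63 ] || return 1
    return 0
}

# Assumption: the file should hold certificate material only, so any
# private key block in it is treated as a mistake and rejected.
pem_cert_only() {
    f=$1
    [ -r "$f" ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || return 1
    if grep -q -e 'PRIVATE KEY-----' "$f"; then
        return 1
    fi
    return 0
}

# Returns 0 only when both inputs pass; reasons go to stderr.
preflight() {
    valid_handle "$1" || { echo "invalid handle: $1" >&2; return 1; }
    pem_cert_only "$2" || { echo "not a certificate-only PEM file: $2" >&2; return 1; }
    return 0
}

# Stand-alone use: ./preflight.sh <handle> <cert-file>
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```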
List X.509 certificates
reis x509_cert:list
Shows a table with handle, name, subject, expiry, and algorithm for each certificate.
Show details
reis x509_cert:show <cert-id>
Displays the full metadata including fingerprint, issuer, and expiry date.
Rotate certificate material
reis x509_cert:rotate <cert-id> \
--cert_file ./certs/new-signing.crt
Creates a new version and marks it current. The previous version is retained for rollback.
List versions
reis x509_cert:versions <cert-id>
Activate a previous version (rollback)
reis x509_cert:activate_version <cert-id> <version-number>
Delete an X.509 certificate
reis x509_cert:delete <cert-id>
Add --force to skip the confirmation prompt. Deleting removes all versions, project attachments, and container wiring.
Attach to a project
reis project:attach <project-id> x509_certs signing-cert
Singular alias x509_cert is also accepted. The project-id is the UUID Reis returns from project:list or project:show.
Detach from a project
reis project:detach <project-id> x509_certs signing-cert
If a running container still mounts the cert, detach is rejected with a 409 naming the blocking container — tear it down (or remove its x509_certs block) and retry.