Default values inheritable by all configured certs

Attribute set of certificates to get signed and renewed

Whether to inherit values set in security.acme.defaults or not.

Host of an existing Let's Encrypt certificate to use for SSL

Path to a certificate signing request to apply when fetching the certificate.

Path to the private key to the matching certificate signing request.

Group running the ACME client.

Key type to use for private keys

Commands to run after new certificates go live

Email address for account creation and correspondence from the CA

Domain to fetch certificate for (defaults to the entry name).

Minimum remaining validity before renewal in days.

S3 bucket name to use for HTTP-01 based challenges

ACME Directory Resource URI

The certificate profile to choose if the CA offers multiple profiles.

Interface and port to listen on to solve HTTP challenges in the form [INTERFACE]:PORT

Additional global flags to pass to all lego commands.

Where the webroot of the HTTP vhost is located. .well-known/acme-challenge/ directory will be created below the webroot if it doesn't exist. http://example.org/.well-known/acme-challenge/ must also be available (notice unencrypted HTTP).

Additional flags to pass to lego run.

Turns on the OCSP Must-Staple TLS extension

Whether to enable debug logging for this certificate.

Additional flags to pass to lego renew.

A list of extra domain names, which are included in the one certificate to be issued.

DNS Challenge provider

Set the resolver to use for performing recursive DNS queries

Directory where certificate and other state is stored.

Systemd calendar expression when to check for renewal

The list of systemd services to call systemctl try-reload-or-restart on.

Environment variables suffixed by "_FILE" to set for the cert's service for your selected dnsProvider

Path to an EnvironmentFile for the cert's service containing any required and optional environment variables for your selected dnsProvider

Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.

Cert file to use for clients

Certificate file in PEM format.

Path to the certificate file.

The cert.pem file used for https.

TLS certificate

Etcd cert file

SSL certificate file path.

List of certificate specs to feed to cert generator.

Path to TLS certificate to use for connections to public-inbox-imapd(1).

Path to TLS certificate to use for connections to public-inbox-nntpd(1).

The TLS certificate to use for encryption.

The TLS certificate to use for encryption.

The TLS certificate to use for encryption.

Whether to skip certificates issued before the first launch of Cert Spotter

Path to the cert.pem file, which will be copied into Syncthing's config directory.

Path of certificates (*.{crt,cert,key}) used to connect to registry.

Path to the cert.pem file, which will be copied into Syncthing's configDir.

Path to the host certificate.

An existing Let’s Encrypt certificate to use for this virtual host

Path to the server's certificate

An existing Let’s Encrypt certificate to use for this virtual host

Path to the TLS certificate file

Path to the certificate file.

A switch to disable Endorsement Key (EK) certificate verification

Whether to enable Cert Spotter, a Certificate Transparency log monitor.

Path to the SSL certificate file

Extra command-line arguments to pass to Cert Spotter

TLS certificates directory to use for encryption

An existing Let’s Encrypt certificate to use for this virtual host

The path to a file or AF_UNIX stream socket to read the server certificate from

Path to TLS certificate

Fully qualified path to the CA certificate.

The name of the organization responsible for the X.509 certificate's /O name.

Path to certificate (PEM with certificate chain)

A host of an existing Let's Encrypt certificate to use. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

TLS Certificate for gRPC server, leave blank to disable TLS

Path to the certificate used for TLS.

TLS Certificates to use to identify this client to the server

The path to the certificate directory.

Path to GitLab container registry certificate.

TLS Certificate for gRPC server, leave blank to disable TLS

TLS Certificate for gRPC server, leave blank to disable TLS

Path to the certificate file for the mongo database.

Fully qualified path to the server certificate.

Etcd cert file.

If inspectHttps is enabled, the time generated HTTPS certificates will be stored in a temporary directory for reuse

Path to SSL certificate file.

Group under which the node-cert exporter shall be run.

TLS Certificate for gRPC server, leave blank to disable TLS

TLS Certificate for gRPC server, leave blank to disable TLS

Whether to enable the prometheus node-cert exporter.

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

Extra commandline options to pass to the node-cert exporter.

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

This public key is an SSH certificate authority, rather than an individual host's key.

This public key is an SSH certificate authority, rather than an individual host's key.

Use a certificate generated by the NixOS ACME module for the given host

How long certs generated by Stargazer should live for

Whether to enable LDAPS protocol

Scripts to run upon the detection of a new certificate

IPA server CA certificate

An absolute file path (which should be outside the Nix-store) to Gemini certificates.

The certspotter package to use.

Path to certificate describing the server.

TLS Certificate for gRPC server, leave blank to disable TLS

Use a certificate generated by the NixOS ACME module for the given host

The lifetime (in minutes) of the resolver certificate

A list of trusted root certificates in PEM format.

A list of trusted root certificates in PEM format.

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

This public key is an SSH certificate authority, rather than an individual host's key.

Path to certificate (PEM with certificate chain)

To enable SSL, specify path to the name of certificate files without extension

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A list of files containing trusted root certificates in PEM format

A list of files containing trusted root certificates in PEM format

Port to listen on.

User owning the certs.

Path to the sendmail binary

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

Domain names to watch

Whether to enable certmgr.

File path to a cert file.

The interval before a certificate expires to start attempting to renew it.

List of paths to search for SSL certificates.

A host of an existing Let's Encrypt certificate to use

Certificate specs as described by: https://github.com/cloudflare/certmgr#certificate-specs These will be added to the Nix store, so they will be world readable.

Certificate file for MQTT server access.

Default kubeconfig client certificate file used to connect to kube-apiserver.

Path to a SSL certificate file for the server

The certmgr package to use.

Kubernetes proxy client certificate file used to connect to kube-apiserver.

A host of an existing Let's Encrypt certificate to use

A list of email addresses to send certificate updates to.

Section for a certificate candidate to use for authentication

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

Optional slot number of the token that stores the certificate.

Section for a certificate candidate to use for authentication

List of paths to exclute from searching for SSL certificates.

Address to listen on.

The port for the Prometheus HTTP endpoint.

Open port in firewall for incoming connections.

List files matching a pattern to include

List files matching a pattern to include

Optional slot number of the token that stores the certificate.

Kubelet client certificate file used to connect to kube-apiserver.

A host of an existing Let's Encrypt certificate to use

Optional PKCS#11 module name.

Absolute path to the certificate to load

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

Optional PKCS#11 module name.

Absolute path to the certificate to load

Specify rules for nftables to add to the input chain when services.prometheus.exporters.node-cert.openFirewall is true.

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively

A host of an existing Let's Encrypt certificate to use

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively

Cert file to use for peer to peer communication

This specifies the service manager to use for restarting or reloading services

The default CA host:port to use.

Kubernetes scheduler client certificate file used to connect to kube-apiserver.

A host of an existing Let's Encrypt certificate to use

Specify a filter for iptables to use when services.prometheus.exporters.node-cert.openFirewall is true

Certificates for agnos to issue or renew.

List of certificates to accept for authentication

The address for the Prometheus HTTP endpoint.

How often to check certificate expirations and how often to update the cert_next_expires metric.

List of certificate candidates to use for authentication

The directory holding configuration files, the SQlite database and the SSL Cert.

Certificate file for client cert authentication to the server.

Kubernetes controller manager client certificate file used to connect to kube-apiserver.

Certificate file for client cert authentication to the server.

Domains the certificate represents

Certificate file for client cert authentication to the server.

IRCD server SSL certificate

The port and interface of the listen endpoint in the form [HOST]:PORT[+CERT].

Path to keystore (combined PEM with cert/key, or PKCS12 keystore)

Path to certificate file.

Root of the certificate directory.

The directory where TLS certificates are stored.

Path to the certificate used for SSL connections with clients.

List of CA certificates to accept for authentication

The path to the TLS key.

  nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"

Path to the certificate key file (if protocol is set to https or h2).

Whether to enable the flag "--ignore-certificate-errors" for the Chromium browser opened by Jibri

A list of attribute sets containing paths to TLS certificates and keys

Path to the private key used for TLS.

The path to the TLS certificate.

  nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"

Path to CA bundle file (PEM/X509)

Path to default file containing certificate authorities that should be used to validate the connection authenticity

Specifies files from which the user certificate is read.

Certificate file for securing RPC connections.

Path to the certificate file (if protocol is set to https or h2).

The full path to the PEM encoded TLS certificate

The full path to the PEM encoded TLS certificate

Server certificate to use for TLS

The path to the client cert

The full path to the PEM encoded TLS certificate

Path to certificate file

Path to the TLS certificate for the web UI

TLS certificate path.

TLS ceritficate path.

Chain of CA-certificates to which our certificateFile is relative

Path to your SSL certificate

Path to certificate.

Path to certificate file

Certificate file for MQTT

Path to HTTPS listener certificate.

Path to MySQL listener certificate.

Path to certificate file

Path to a file containing the certificate used for client authentication to the server.

Path to keystore (combined PEM with cert/key, or PKCS12 keystore)

Output path for the certificate private key

Configure SSL server certificates to terminate the SSL sessions

Path to CA certificate to use for client authentication.

Whether to automatically generate cfssl API webserver TLS cert and key, if they don't exist.

Path to the TLS certificate file

Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert.

Path to PostgreSQL listener certificate.

Path to file containing certificate authorities that should be used to validate the connection authenticity

Path to file containing certificate authorities that should be used to validate the connection authenticity

The full path to the PEM encoded TLS certificate

The full path to the PEM encoded TLS certificate

The path to the CA certificate to use.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Path to already created certificate.

If true, allow all clients, do not check client cert subject.

The name that will be given to this DNSCrypt resolver.

Path to CA bundle file (PEM/X509)

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Account certificate file, necessary to create, delete and manage tunnels

Whether to check the resulting config file with unbound checkconf for syntax errors

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert.

Path to the Unbound control socket certificate

Certificate file for client cert authentication to the server.

The certificates may use a relative path from the swanctl x509ca directory or an absolute path

Path to the certificate used for the HTTPS listener

Account certificate file, necessary to create, delete and manage tunnels

Whether to configure Privoxy to inspect HTTPS requests, meaning all encrypted traffic will be filtered as well

Certificates for additional domains.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Directory for storing certificates to be used by Neo4j for TLS connections

Certificate to authenticate with.

Path to private key.

Section for a CA certificate to accept for authentication

The path to a TLS certificate bundle used to verify the server's certificate.

Optional slot number of the token that stores the certificate.

Path to a cert file for connecting to kubelet.

Certificate file for client cert authentication to the server.

Output path for the full chain including the acquired certificate

The login method

Absolute path to the certificate to load

Optional PKCS#11 module name.

The common name field of the certificate used by the mysql or postgres server

Send certificate payloads when using certificate authentication.

• With the default of ifasked the daemon sends certificate payloads only if certificate requests have been received.
• never disables sending of certificate payloads altogether,
• always causes certificate payloads to be sent unconditionally whenever certificate authentication is used

Certificate file for client cert authentication to the server.

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively

Certificate file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

If true, allow all clients, do not check client cert subject.

List of certificate policy OIDs the peer's certificate must have

Certificate file for client cert authentication to the server.

Key file for client cert authentication to the server.

Send certificate request payloads to offer trusted root CA certificates to the peer

Defines the base URI for the Hash and URL feature supported by IKEv2

PEM encoded X509 certificate for TLS

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.