autonomy cert sync-crl

Fetch the canonical CRL from one or more control-plane endpoints

Synopsis

Fetch the current CRL from one or more control-plane CRL endpoints and write it atomically to the local --crl-file path.

Use this as the supported manual fallback when automated CRL pull distribution is not configured via 'autonomy-orchestrator serve --tls-crl-sync-url'. For HTTPS endpoints, the CA at --ca-cert is used to verify the source certificate. When the source requires mutual TLS, provide --client-cert and --client-key. Repeat --source-url to configure publishers. Use --min-sources > 1 to require matching CRLs from multiple publishers before accepting an update.
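The acceptance rule and atomic write described above, sketched as an added example; this is not the autonomy project's code. The function names pickQuorumCRL and writeAtomic are hypothetical, "matching" is assumed to mean byte-identical responses (compared by SHA-256), and the sample bodies are constructed strings rather than real CRLs.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
)

// pickQuorumCRL returns the body that minSources publishers agree on (assumed: byte-identical).
func pickQuorumCRL(responses [][]byte, minSources int) ([]byte, error) {
	counts := make(map[[32]byte]int)
	for _, body := range responses {
		if len(body) == 0 || minSources < 1 {
			continue // empty fetches and an invalid threshold never satisfy the quorum
		}
		sum := sha256.Sum256(body)
		counts[sum]++
		if counts[sum] >= minSources {
			return body, nil
		}
	}
	return nil, fmt.Errorf("no CRL matched across %d publishers", minSources)
}

// writeAtomic stages data in a temp file beside path, then renames it into place.
func writeAtomic(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".crl-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	_, err = tmp.Write(data)
	if err == nil {
		err = tmp.Sync() // flush to disk before the file becomes visible at path
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err == nil {
		err = os.Rename(tmp.Name(), path) // readers see the old or the new CRL, never a partial one
	}
	return err
}

func main() {
	a := []byte("constructed CRL A") // constructed sample data, not a real CRL
	crl, err := pickQuorumCRL([][]byte{a, []byte("constructed CRL B"), a}, 2)
	fmt.Println(string(crl), err)
}
```

With a threshold of 1 the first non-empty response is accepted, so a single compromised or stale publisher can decide the result; a threshold above 1 makes the update fail closed when publishers disagree.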

Required RBAC permission: cert:manage. Set AUTONOMY_RBAC_ENFORCEMENT=0 to disable enforcement (not recommended in production).

Usage

autonomy cert sync-crl [flags]

Options

      --ca-cert string       path to CA certificate PEM used to verify an HTTPS source
      --client-cert string   path to client certificate PEM for mTLS source fetch
      --client-key string    path to client private key PEM for mTLS source fetch
      --crl-file string      path to write the local CRL PEM (default: EDGE_CRL_FILE)
      --min-sources int      minimum number of publishers that must return the same CRL before it is accepted (default 1)
      --server-name string   override TLS server name used when connecting to the source
      --source-url strings   URL of a control-plane CRL endpoint (repeat to define a publisher set; required)
      --timeout duration     source fetch timeout (default 10s)

See also

  • autonomy cert — Manage TLS leaf certificates for edge node identity