autonomy cert sync-crl

Fetch the canonical CRL from one or more control-plane endpoints

Synopsis

Fetch the current CRL from one or more control-plane CRL endpoints and write it
atomically to the local --crl-file path.

Use this as the supported manual fallback when automated CRL pull distribution
is not configured via 'autonomy-orchestrator serve --tls-crl-sync-url'. For
HTTPS endpoints, the CA at --ca-cert is used to verify the source certificate.
When the source requires mutual TLS, provide --client-cert and --client-key.
Repeat --source-url to define the set of publishers. Set --min-sources to a
value greater than 1 to require matching CRLs from multiple publishers before
accepting an update.
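
The --min-sources acceptance rule described above, sketched in Go as an added example (not the project's own code). It assumes "matching" means byte-identical responses, uses hypothetical publisher URLs and placeholder CRL bodies, and by its own choice rejects the update unless exactly one CRL meets the threshold.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// selectQuorumCRL returns the CRL body that at least minSources publishers returned,
// plus the URLs that agreed. Assumption: "matching" means equal SHA-256 of the body.
func selectQuorumCRL(responses map[string][]byte, minSources int) ([]byte, []string, error) {
	if minSources < 1 {
		return nil, nil, fmt.Errorf("min-sources must be at least 1, got %d", minSources)
	}
	agree := map[[32]byte][]string{} // digest -> publishers that returned it
	bodies := map[[32]byte][]byte{}
	for url, body := range responses {
		if len(body) == 0 {
			continue // a failed or empty fetch never counts toward quorum
		}
		d := sha256.Sum256(body)
		agree[d] = append(agree[d], url)
		bodies[d] = body
	}
	var winner [32]byte
	found := 0
	for d, urls := range agree {
		if len(urls) >= minSources {
			winner, found = d, found+1
		}
	}
	if found != 1 { // no quorum, or two different CRLs both qualify: keep the old file
		return nil, nil, fmt.Errorf("%d distinct CRLs met min-sources=%d", found, minSources)
	}
	return bodies[winner], agree[winner], nil
}

func main() {
	// Constructed sample: placeholder bodies and hypothetical publisher URLs.
	good, stale := []byte("CRL number 42"), []byte("CRL number 41")
	responses := map[string][]byte{
		"https://cp-a.example/crl": good,
		"https://cp-b.example/crl": good,
		"https://cp-c.example/crl": stale, // lagging or tampered publisher
	}
	for _, n := range []int{2, 3} {
		_, urls, err := selectQuorumCRL(responses, n)
		fmt.Printf("min-sources=%d agreed=%v err=%v\n", n, urls, err)
	}
}
```

With two of three publishers agreeing, a threshold of 2 accepts the update and a threshold of 3 leaves the existing local CRL in place.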

Required RBAC permission: cert:manage.
Set AUTONOMY_RBAC_ENFORCEMENT=0 to disable enforcement (not recommended in production).

Usage

autonomy cert sync-crl [flags]

Options

      --ca-cert string       path to CA certificate PEM used to verify an HTTPS source
      --client-cert string   path to client certificate PEM for mTLS source fetch
      --client-key string    path to client private key PEM for mTLS source fetch
      --crl-file string      path to write the local CRL PEM (default: EDGE_CRL_FILE)
      --min-sources int      minimum number of publishers that must return the same CRL before it is accepted (default 1)
      --server-name string   override TLS server name used when connecting to the source
      --source-url strings   URL of a control-plane CRL endpoint (repeat to define a publisher set; required)
      --timeout duration     source fetch timeout (default 10s)

See also

  • autonomy cert — Manage TLS leaf certificates for edge node identity