Defines the path of each file required for a Nebula host: CA certificate, host certificate, and host key. Each of these files can also be stored inline as YAML multiline strings.
`ca` is a collection of one or more certificate authorities this host should trust. In the above example, `/etc/nebula/ca.crt` contains PEM-encoded data for each CA we should trust, concatenated into a single file. The following example shows a CA cert inlined as a YAML multiline string (the certificate body is omitted here):

```yaml
pki:
  ca: |
    -----BEGIN NEBULA CERTIFICATE-----
    -----END NEBULA CERTIFICATE-----
```
`cert` is a certificate unique to every host on a Nebula network. The certificate identifies a host's IP address, name, and group membership within a Nebula network. The certificate is signed by a certificate authority when created, which informs other hosts on whether to trust a particular host certificate.
`key` is a private key unique to every host on a Nebula network. It is used in conjunction with the host certificate to prove a host's identity to other members of the Nebula network. The private key should never be shared with other
`blocklist` contains a list of individual hosts' certificate fingerprints which should be blocked even if the certificate is otherwise valid (signed by a trusted CA and unexpired). This should be used if a host's credentials are stolen or compromised.

Note: the blocklist is not distributed via Lighthouses. To ensure access to your entire network is blocked, you must distribute the full blocklist to every host in your network. This is typically done via tooling such as Ansible, Chef, or Puppet.
`disconnect_invalid` is a toggle to force a client to be disconnected if the certificate is expired or invalid.
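As an added example (not part of the Nebula project or its documentation), the following Python linter checks a parsed `pki:` section against the rules above: each of `ca`, `cert` and `key` is either a path or an inline PEM block, every `blocklist` entry is a 64-character hex SHA-256 fingerprint, and `disconnect_invalid` is enabled. It assumes that a Nebula certificate fingerprint is the SHA-256 hex digest of the base64-decoded PEM body, and the absolute-path requirement is this lint's own policy, not a Nebula rule; the sample certificate bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import re
from typing import Dict, List

CERT_BANNER = "NEBULA CERTIFICATE"
FINGERPRINT_RE = re.compile(r"^[0-9a-f]{64}$")  # blocklist entries are SHA-256 hex digests


def pem_body(pem: str, banner: str) -> bytes:
    """Base64-decode the text between the BEGIN/END lines of the given banner."""
    begin, end = f"-----BEGIN {banner}-----", f"-----END {banner}-----"
    m = re.search(re.escape(begin) + r"(.*?)" + re.escape(end), pem, re.S)
    if not m:
        raise ValueError(f"no {banner} block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_fingerprint(pem: str) -> str:
    """Fingerprint of an inline certificate: SHA-256 hex of its decoded bytes (assumption, see lead-in)."""
    return hashlib.sha256(pem_body(pem, CERT_BANNER)).hexdigest()


def lint_pki(pki: Dict) -> List[str]:
    """Return findings for a parsed pki: section; an empty list means nothing was flagged."""
    findings: List[str] = []
    for key in ("ca", "cert", "key"):
        value = pki.get(key)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"{key}: missing")
        # Lint policy (not a Nebula rule): require an absolute path or an inline PEM block.
        elif not (value.startswith("/") or value.lstrip().startswith("-----BEGIN NEBULA")):
            findings.append(f"{key}: expected an absolute path or an inline PEM block")
    for entry in pki.get("blocklist") or []:
        if not FINGERPRINT_RE.match(str(entry)):
            findings.append(f"blocklist: {entry!r} is not a 64-character lowercase hex fingerprint")
    if pki.get("disconnect_invalid") is not True:
        findings.append("disconnect_invalid: not true, so expired or invalid certificates are not forcibly disconnected")
    return findings


# Constructed sample: these bytes are NOT a real Nebula certificate, only stand-in content.
SAMPLE_RAW = b"constructed stand-in for a Nebula certificate"
SAMPLE_CERT = (f"-----BEGIN {CERT_BANNER}-----\n"
               + base64.encodebytes(SAMPLE_RAW).decode()
               + f"-----END {CERT_BANNER}-----\n")
GOOD_PKI = {"ca": SAMPLE_CERT, "cert": "/etc/nebula/host.crt", "key": "/etc/nebula/host.key",
            "blocklist": [cert_fingerprint(SAMPLE_CERT)], "disconnect_invalid": True}
BAD_PKI = {"ca": "ca.crt", "cert": "/etc/nebula/host.crt",
           "blocklist": ["deadbeef"], "disconnect_invalid": False}

if __name__ == "__main__":
    print("fingerprint:", cert_fingerprint(SAMPLE_CERT))
    for finding in lint_pki(BAD_PKI):
        print("finding:", finding)
```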