How to use public keys to create signed certificates
This guide assumes you have already created a CA (certificate authority) for your Nebula network.
You will also need Nebula installed on each device you wish to add to your network. This includes both the
application as well as the
If you have not already done so, you can use the Quick Start guide to get up and running.
Generating a public / private keypair
On the device you wish to add to your network, create a public / private Nebula keypair. This is done through the
nebula-cert keygen command. For example:
nebula-cert keygen -out-key alice.key -out-pub alice.pub
This will save the private and public keys to
The private key, along with certificate you will create below, is what Nebula will use to prove its identity during handshakes. Do not share this private key with anyone else! It is recommended that you do not copy the private key to any other device.
Transfer the public key and sign a new certificate
alice.pub (the public key) to the host you store your CA key material on. You will need both the CA certificate
as well as the CA private key. We will assume these are named
Before signing a certificate you will need to choose an IP address for the new device as well as any groups you'd like
to apply. For the sake of this guide, let's assume your Nebula network space is
192.168.100.0/24 and you want to
assign the IP address
192.168.100.25 to the new host. We'll use the groups
nebula-cert sign -in-pub alice.pub -name "Alice" -ip "192.168.100.25/24" --groups "users,developers"
This will create a certificate at
Alice.crt. To verify the certificate you can use
nebula-cert print. For example:
$ nebula-cert print -path Alice.crt
Not before: 2022-12-13 12:01:17 -0500 EST
Not After: 2023-07-27 11:58:08 -0400 EDT
Is CA: false
Public key: 3a216468d4f237b36392b7c6d4f3ede49abd9e0704f9bd4a05ff708b535f3054
Now you can copy the certificate back to the original device and reference it in the device's Nebula config, alongside
the private key named
Congratulations! You've successfully signed a new certificate without the private key.