How to use public keys to create signed certificates


This guide assumes you have already created a CA (certificate authority) for your Nebula network.

You will also need Nebula installed on each device you wish to add to your network. This includes both the nebula application as well as the nebula-cert utility.

If you have not already done so, you can use the Quick Start guide to get up and running.

Generating a public / private keypair

On the device you wish to add to your network, create a public / private Nebula keypair. This is done through the nebula-cert keygen command. For example:

nebula-cert keygen -out-key alice.key -out-pub

This will save the private and public keys to alice.key and respectively.


The private key, along with the certificate you will create below, is what Nebula will use to prove its identity during handshakes. Do not share this private key with anyone else! It is recommended that you do not copy the private key to any other device.

Transfer the public key and sign a new certificate

Copy (the public key) to the host you store your CA key material on. You will need both the CA certificate as well as the CA private key. We will assume these are named ca.crt and ca.key respectively.

Before signing a certificate you will need to choose an IP address for the new device as well as any groups you'd like to apply. For the sake of this guide, let's assume your Nebula network space is and you want to assign the IP address to the new host. We'll use the groups users and developers.

nebula-cert sign -in-pub -name "Alice" -ip "" --groups "users,developers"

This will create a certificate at Alice.crt. To verify the certificate you can use nebula-cert print. For example:

$ nebula-cert print -path Alice.crt
NebulaCertificate {
Details {
Name: Alice
Ips: [
Subnets: []
Groups: [
Not before: 2022-12-13 12:01:17 -0500 EST
Not After: 2023-07-27 11:58:08 -0400 EDT
Is CA: false
Issuer: 0e1f5f42920c4e24c12496c4d0f199ecbe0fff92bda4edac352ebd6c2eb7ce84
Public key: 3a216468d4f237b36392b7c6d4f3ede49abd9e0704f9bd4a05ff708b535f3054
Fingerprint: de9dff9d99c0c85af854279cec30314640dc1f89050507061d38fa3aa8bec010
Signature: 07d607d3dc4579a261049a103465738299621d122ebfe9f91792eac7795302e5032a5807d328ab584283b655a83d3d31711e14148c33aace73c40a4760724e0e
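The checks a practitioner would want around the keygen, transfer, sign and print steps above, as an added shell example that is not part of the Nebula documentation: it refuses to treat anything but a Nebula public-key PEM block as the file to ship to the CA host (so alice.key is never copied by mistake), wraps nebula-cert sign with that guard, and parses nebula-cert print output to confirm the new certificate's Issuer is your CA's fingerprint and that it is not itself a CA. The PEM banners are the ones nebula-cert writes; the sample key files and the sample print output are constructed here (the print values are the ones shown above), and nebula-cert is assumed to be on PATH only on the host where you actually sign.

```shell
#!/bin/sh
# Added example, not Nebula's own code. Guards around the keygen -> transfer
# -> sign -> print flow. Assumes the guide's file names (alice.pub, ca.crt,
# ca.key) and that nebula-cert is installed where signing happens.

# PEM banners written by nebula-cert keygen.
PUB_BANNER='NEBULA X25519 PUBLIC KEY'
PRIV_BANNER='NEBULA X25519 PRIVATE KEY'

# 0 only if FILE holds a public-key block and no private-key block,
# so the private key can never be mistaken for the file to transfer.
is_nebula_pubkey() {
    file=$1
    [ -f "$file" ] || return 1
    grep -q "BEGIN $PUB_BANNER" "$file" || return 1
    if grep -q "$PRIV_BANNER" "$file"; then
        return 1
    fi
    return 0
}

# Value of a "Field: value" line in `nebula-cert print` output.
# $1 = file holding the print output, $2 = field name (e.g. Issuer, "Is CA").
print_field() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# 0 when the printed certificate was issued by the CA whose fingerprint is $2
# (taken from `nebula-cert print -path ca.crt`) and is not itself a CA.
cert_issued_by() {
    out=$1; expected=$2
    [ "$(print_field "$out" Issuer)" = "$expected" ] || return 1
    [ "$(print_field "$out" 'Is CA')" = "false" ] || return 1
}

# Sign only after the public-key guard passes. Exit 2 if nebula-cert is absent.
sign_from_pub() {
    pub=$1; name=$2; ip=$3; groups=$4
    is_nebula_pubkey "$pub" || { echo "refusing: $pub is not a Nebula public key" >&2; return 1; }
    command -v nebula-cert >/dev/null 2>&1 || { echo "nebula-cert not installed here" >&2; return 2; }
    nebula-cert sign -ca-crt ca.crt -ca-key ca.key \
        -in-pub "$pub" -name "$name" -ip "$ip" -groups "$groups"
}

# --- constructed sample files for a stand-alone run ---
WORK=$(mktemp -d)

# Constructed public key: the base64 payload is 32 zero bytes, not a real key.
cat >"$WORK/alice.pub" <<'EOF'
-----BEGIN NEBULA X25519 PUBLIC KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END NEBULA X25519 PUBLIC KEY-----
EOF

# Constructed private key, same placeholder payload.
cat >"$WORK/alice.key" <<'EOF'
-----BEGIN NEBULA X25519 PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END NEBULA X25519 PRIVATE KEY-----
EOF

# Constructed `nebula-cert print` output using the values shown in the guide.
cat >"$WORK/alice.print" <<'EOF'
NebulaCertificate {
    Details {
        Name: Alice
        Is CA: false
        Issuer: 0e1f5f42920c4e24c12496c4d0f199ecbe0fff92bda4edac352ebd6c2eb7ce84
    }
}
EOF

CA_FP=0e1f5f42920c4e24c12496c4d0f199ecbe0fff92bda4edac352ebd6c2eb7ce84

if is_nebula_pubkey "$WORK/alice.pub"; then echo "alice.pub: ok to transfer"; fi
if ! is_nebula_pubkey "$WORK/alice.key"; then echo "alice.key: refused, stays on the device"; fi
if cert_issued_by "$WORK/alice.print" "$CA_FP"; then echo "Alice.crt: issued by our CA"; fi
```

On the CA host, run `sign_from_pub alice.pub Alice "<ip/prefix>" users,developers` after copying only alice.pub across; then feed `nebula-cert print -path Alice.crt` to a file and check it with cert_issued_by against the Fingerprint line of `nebula-cert print -path ca.crt` before shipping the certificate back.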

Final steps

Now you can copy the certificate back to the original device and reference it in the device's Nebula config, alongside the private key named alice.key.

Congratulations! You've successfully signed a new certificate without the device's private key ever leaving the device.