{"id":1859,"date":"2025-01-26T17:20:40","date_gmt":"2025-01-26T09:20:40","guid":{"rendered":"https:\/\/www.fanyamin.com\/wordpress\/?p=1859"},"modified":"2025-01-26T17:20:40","modified_gmt":"2025-01-26T09:20:40","slug":"teleport-identity-file","status":"publish","type":"post","link":"https:\/\/www.fanyamin.com\/wordpress\/?p=1859","title":{"rendered":"teleport identity file"},"content":{"rendered":"<p>When you run the command:<\/p>\n<pre><code class=\"language-bash\">tsh login --user=api-user --out=identity-file<\/code><\/pre>\n<p>the <strong>identity file<\/strong> is generated by Teleport (<code>tsh<\/code>), and it contains the user's credentials used for authentication in Teleport's environment. The content of this file is <strong>not just a simple X.509 certificate<\/strong>, but a <strong>set of credentials<\/strong>, which includes several components necessary for mTLS (mutual TLS) authentication.<\/p>\n<h3>Content of the <code>identity-file<\/code>:<\/h3>\n<ol>\n<li>\n<p><strong>X.509 Certificate (Public Key)<\/strong>:<\/p>\n<ul>\n<li>The identity file will contain the <strong>X.509 certificate<\/strong> of the user (<code>api-user<\/code>) that is used for authenticating the user to the Teleport cluster. This certificate includes the public key of the user.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Private Key<\/strong>:<\/p>\n<ul>\n<li>Yes, the identity file <strong>does contain the private key<\/strong> corresponding to the user's public key in the certificate. 
This private key is necessary for performing the cryptographic operations needed during authentication (like signing handshake messages in mTLS).<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Teleport's Session Information<\/strong>:<\/p>\n<ul>\n<li>The identity file will also include <strong>session-specific information<\/strong> and metadata related to the user\u2019s session, including the Teleport cluster it was issued for, the role of the user, and any other necessary credentials (like certificates for the specific session).<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Certificates for Access<\/strong>:<\/p>\n<ul>\n<li>The identity file may also include additional certificates that are used for accessing other services within the Teleport cluster, such as <strong>SSH<\/strong> or <strong>Kubernetes<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h3>Security Considerations:<\/h3>\n<ul>\n<li>The <strong>identity file<\/strong> should be kept secure because it contains both the <strong>public<\/strong> and <strong>private keys<\/strong>. 
<\/li>\n<li>This file is typically used for authentication via <strong>mTLS<\/strong> in the <code>tsh<\/code> tool and for secure access to services in the Teleport ecosystem.<\/li>\n<li>If someone gains unauthorized access to this file, they could potentially impersonate the user and access Teleport-protected resources.<\/li>\n<\/ul>\n<h3>Example of Identity File Structure (simplified):<\/h3>\n<ul>\n<li><strong>Client Certificate (Public Key)<\/strong>: An X.509 certificate for the user (<code>api-user<\/code>).<\/li>\n<li><strong>Private Key<\/strong>: The private key corresponding to the user\u2019s certificate.<\/li>\n<li><strong>Additional Metadata<\/strong>: Information such as cluster name, roles, session data, etc.<\/li>\n<\/ul>\n<h3>Conclusion:<\/h3>\n<p>The <strong>identity file<\/strong> generated by <code>tsh login<\/code> contains both the <strong>X.509 certificate<\/strong> and the <strong>private key<\/strong> for the user (<code>api-user<\/code>), making it an essential part of the user's authentication in Teleport's mTLS-based authentication system.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you run the command: tsh login &#8211;user=api-user &#8211;out=identity-file the identity file is generated by Teleport (tsh), and it contains the user&#8217;s credentials used for authentication in Teleport&#8217;s environment. 
The content of this file is not just a simple X.509 certificate, but a set of credentials, which includes several components necessary for mTLS (mutual TLS) [&hellip;] <a class=\"read-more\" href=\"https:\/\/www.fanyamin.com\/wordpress\/?p=1859\" title=\"Permanent Link to: teleport identity file\">&rarr;Read&nbsp;more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1859","post","type-post","status-publish","format-standard","hentry","category-5"],"_links":{"self":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1859"}],"collection":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1859"}],"version-history":[{"count":1,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1859\/revisions"}],"predecessor-version":[{"id":1860,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1859\/revisions\/1860"}],"wp:attachment":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}