Read certificate files directly

wfchandler · wfchandler · commit ce3964e1635f · 2025-11-12T15:06:58.000-05:00
Customers have found it inconvenient and error-prone to pass in the contents of certs and keys to the `certificate create` subcommand. To make this command easier to use, update its `key` and `cert` arguments to be treated as the path to their respective files, rather than their contents. We previously updated the SAML IdP creation command the same way with 11fe44b (Take paths instead of base64 for SAML creation (#1112), 2025-05-28).
diff --git a/cli/docs/cli.json b/cli/docs/cli.json
@@ -823,7 +823,7 @@
           "args": [
             {
               "long": "cert",
-              "help": "PEM-formatted string containing public certificate chain"
+              "help": "path to PEM-formatted string containing public certificate chain"
             },
             {
               "long": "description"
@@ -838,7 +838,7 @@
             },
             {
               "long": "key",
-              "help": "PEM-formatted string containing private key"
+              "help": "path to PEM-formatted string containing public certificate chain"
             },
             {
               "long": "name"
diff --git a/cli/src/cli_builder.rs b/cli/src/cli_builder.rs
@@ -134,6 +134,15 @@ impl Default for NewCli<'_> {
                             .required(true)
                             .value_parser(clap::value_parser!(std::net::IpAddr)),
                     ),
+                CliCommand::CertificateCreate => cmd
+                    .mut_arg("cert", |arg| {
+                        arg.value_name("cert-file")
+                            .help("path to PEM-formatted string containing public certificate chain")
+                    })
+                    .mut_arg("key", |arg| {
+                        arg.value_name("key-file")
+                            .help("path to PEM-formatted string containing public certificate chain")
+                    }),
 
                 CliCommand::SamlIdentityProviderCreate => cmd
                     .mut_arg("json-body", |arg| arg.required(false))
diff --git a/cli/src/main.rs b/cli/src/main.rs
@@ -255,6 +255,25 @@ impl CliConfig for OxideOverride {
         Ok(())
     }
 
+    fn execute_certificate_create(
+        &self,
+        matches: &clap::ArgMatches,
+        request: &mut oxide::builder::CertificateCreate,
+    ) -> anyhow::Result<()> {
+        let key_path = matches.get_one::<String>("key").unwrap();
+        let key_bytes = std::fs::read(key_path)
+            .with_context(|| format!("failed to read key file {key_path}"))?;
+
+        let cert_path = matches.get_one::<String>("cert").unwrap();
+        let cert_bytes = std::fs::read(cert_path)
+            .with_context(|| format!("failed to read cert file {cert_path}"))?;
+
+        *request = request
+            .to_owned()
+            .body_map(|body| body.key(key_bytes).cert(cert_bytes));
+        Ok(())
+    }
+
     fn execute_saml_identity_provider_create(
         &self,
         matches: &clap::ArgMatches,

Original file line number	Diff line number	Diff line change
`@@ -823,7 +823,7 @@`
`823`	`823`	`"args": [`
`824`	`824`	`{`
`825`	`825`	`"long": "cert",`
`826`		`- "help": "PEM-formatted string containing public certificate chain"`
	`826`	`+ "help": "path to PEM-formatted string containing public certificate chain"`
`827`	`827`	`},`
`828`	`828`	`{`
`829`	`829`	`"long": "description"`
`@@ -838,7 +838,7 @@`
`838`	`838`	`},`
`839`	`839`	`{`
`840`	`840`	`"long": "key",`
`841`		`- "help": "PEM-formatted string containing private key"`
	`841`	`+ "help": "path to PEM-formatted string containing public certificate chain"`
`842`	`842`	`},`
`843`	`843`	`{`
`844`	`844`	`"long": "name"`