Temporal Blog, September 30
Temporal Cloud Simplifies mTLS Certificate Generation

Temporal Cloud users can now securely generate CA and client certificates with the CLI tool tcld, without any additional certificate-management tooling. The mTLS protocol requires users to supply a CA certificate; previously users had to generate it themselves, but tcld can now generate certificates locally and upload them, and Temporal never accesses the user's private keys. Once a CA certificate has been generated, it can be used to issue client certificates that authenticate Workers and clients. tcld supports generating certificates, uploading the CA certificate to Temporal Cloud, and adding a client CA certificate to a namespace. This feature simplifies certificate management; certificate-expiration metrics and notifications are planned to further improve the user experience.

🔐 Temporal Cloud introduces the tcld CLI tool, with which users can generate CA and client certificates directly, without additional certificate-management tooling, simplifying certificate generation and management.

📄 Once a CA certificate has been generated, it can be used to issue client certificates; Workers and clients use these client certificates for mTLS authentication with Temporal Cloud, securing the communication.

🌐 tcld supports uploading the CA certificate to Temporal Cloud and adding a client CA certificate to a namespace, making certificates easy to manage and use.

🔒 Because tcld runs locally, Temporal never accesses the user's private keys, keeping the certificate-generation process secure.

📌 Certificate-expiration metrics and notifications are planned, to help users manage certificates in time and avoid the risk that an expired certificate prevents Workers from connecting to Temporal Cloud.

mTLS and Temporal Cloud

Temporal has the best customers and users in the world. Temporal users constantly engage with us, openly sharing feedback about their journey and ways Temporal Cloud can improve their productivity and overall quality of work-life. One piece of feedback we’ve heard consistently over the past few months is that generating CA and end-entity certificates can be challenging for many of our users, particularly those who don't already have certificate management tooling in place. This is why we’re excited to announce that users can now securely generate both CA and end-entity (that is, client) certificates using the Temporal Cloud CLI tool, tcld.

Temporal documentation states “Access to Temporal Cloud is secured with the mutual Transport Layer Security (mTLS) protocol. This protocol requires a CA certificate from you.” Until recently, it was up to Temporal users to generate CA and end-entity certificates themselves. Temporal provided guidance, but not tooling, for this. Now, users can generate certificates directly from a Temporal-provided tool, tcld. And, because the CLI runs on your local machine, the process is secure: Temporal never has access to your secret keys.

Certificate Generation Process

If you’re new to mTLS and certificate management, here’s a very (overly) simple primer. Please see Temporal documentation for thorough instructions and best-practice guidance for mTLS certificate management in Temporal Cloud.

The first step in generating mTLS certificates for Temporal Cloud is to generate a Certificate Authority certificate. (Temporal guidelines for CA certificates are here.) After this is done, you can then add the CA certificate to Temporal Cloud. (We’ll walk through how to do this a bit later.) Now you can use the CA certificate to generate an end-entity certificate that will be used by your Temporal Workers and clients to authenticate with Temporal Cloud. (Temporal guidelines for end-entity certificates are here.) Remember to always store your certificates and keys securely.

Certificate Generation with tcld

The Temporal Cloud CLI, tcld, provides an easy-to-use and secure method of generating both CA certificates and end-entity certificates as well as adding certificates to Temporal Cloud. To start, ensure you’re on the latest version of tcld by running brew upgrade tcld or building from the latest source.

To generate a CA certificate, run the following command.

tcld gen ca --org <your org> -d <the expiration time period> --ca-cert <path and file name for the cert> --ca-key <path and file name for the private key>

To generate an end-entity certificate, run the following command.

tcld gen leaf --org <your org> -d <the expiration time period> --ca-cert <path and file name for the ca cert> --ca-key <path and file name for the ca private key> --cert <path and file name for the end-entity cert> --key <path and file name for the end-entity key>

To use tcld to upload the CA certificate to Temporal Cloud, run the following command.

tcld n ca a -n <your namespace id> -c <path and filename for the ca cert created above>

Please see our docs or use tcld --help for a full list of commands and parameters associated with generating and uploading certificates. For example:

tcld generate-certificates certificate-authority-certificate \
  --org myco \
  -d 1y \
  --ca-cert ca.crt \
  --ca-key ca.key

tcld generate-certificates end-entity-certificate \
  --org myco \
  --ca-cert ca.crt \
  --ca-key ca.key \
  --cert client-and-worker.crt \
  --key client-and-worker.key

tcld namespace accepted-client-ca add \
  --namespace jonathan.a2dd6 \
  --ca-certificate-file ca.crt
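As an added illustration (not tcld's own code and not the Temporal SDK), the Go block below mirrors what the two tcld gen steps produce, a self-signed CA and a client-auth end-entity certificate signed by it, and adds the pre-flight check a Worker operator wants before deploying: that the end-entity certificate chains to the CA added to the namespace, and how many days remain before it expires. The function names newCert and checkLeaf, the P-256 key type and the validity periods are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert mirrors the two tcld steps. With parent == nil it self-signs a CA
// (tcld gen ca); otherwise it issues an end-entity certificate signed by that
// CA (tcld gen leaf). Key type (P-256) is an assumption of this example.
func newCert(org string, validFor time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validFor), // the -d flag in tcld
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkLeaf is the pre-flight for a Worker: the end-entity cert must chain to
// the CA added to the namespace; returns whole days left before it expires.
func checkLeaf(leaf, ca *x509.Certificate) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil { return 0, err }
	return int(time.Until(leaf.NotAfter).Hours() / 24), nil
}
```

A Worker would load the real client-and-worker.crt and .key files produced by tcld instead of generating them; the chain and expiry check is the part worth running on every deploy.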

Now you can add your end-entity certificate and key to your Workers and clients and connect to Temporal Cloud with any of our SDKs:

Conclusion

We’ve listened to your feedback. We know, particularly for those who aren’t experienced working with certificates, that generating and managing mTLS certificates can be confusing and challenging. That’s why we’ve delivered this easy-to-use and secure approach to generate, upload, and rotate certificates. We have more improvements coming as well, like metrics and notifications that provide visibility into certificate expiration and help mitigate the risk that an expired certificate prevents your Workers from connecting to Temporal Cloud.

We hope this feature improves your experience with Temporal Cloud. As always, please feel free to reach out to us at cloud@temporal.io if you have questions and/or feedback. Until next time, happy Workflow development!
