How do I generate NATS certificates with compass?
compass nats certs is part of the Provision pillar. It generates the
internal CA, the NATS server certificate, and one mTLS client certificate per
service, all written to build/keys/nats/. It is called automatically by
compass env init and can also be run standalone.
Question
How do I generate (or regenerate) the NATS mTLS certificates for a checkout?
Answer
First-time or idempotent run
Skips any file that already exists:
./projects/ores.compass/compass.sh nats certs
Force-regenerate all certificates
Use in CI (ephemeral keys) or when rotating:
./projects/ores.compass/compass.sh nats certs --force
Add an extra hostname to the NATS server SAN
./projects/ores.compass/compass.sh nats certs --hostname myhost.example.com
Adding a certificate for a new service
Add the service name to the _SERVICES list in
projects/ores.compass/src/nats_certs.py, then re-run:
./projects/ores.compass/compass.sh nats certs
Script
projects/ores.compass/src/nats_certs.py — called directly by
compass env init and exposed standalone as compass nats certs.
Requires openssl in PATH.
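As an added illustration, not the project's nats_certs.py (whose internals this page does not show), the POSIX shell sketch below produces a layout of the same shape with nothing but the openssl CLI the script requires: an internal CA, a server certificate whose SAN can take an extra hostname, and one clientAuth certificate per service, skipping files that already exist unless forced. The output directory, file names, certificate subjects, key type and the two-entry service list are assumptions made here for the example.

```shell
# Added example, not the project's nats_certs.py: an openssl-only sketch of
# the same key layout. Output dir, file names, subjects and the service list
# are assumptions for illustration.
set -eu

# Hypothetical service list; the real one is _SERVICES in nats_certs.py.
NATS_SERVICES="${NATS_SERVICES:-orchestrator worker}"

# issue_cert OUT NAME CN EXTENSIONS FORCE
# Writes OUT/NAME.key and OUT/NAME.crt signed by OUT/ca.{key,crt}.
# Idempotent: an existing NAME.crt is left alone unless FORCE is 1.
issue_cert() {
  local out="$1" name="$2" cn="$3" ext="$4" force="$5"
  if [ "$force" != 1 ] && [ -f "$out/$name.crt" ]; then
    echo "skip $name.crt (exists)"
    return 0
  fi
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$out/$name.key" -out "$out/$name.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$out/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$out/$name.csr" \
    -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/$name.ext" -out "$out/$name.crt" 2>/dev/null
  rm -f "$out/$name.csr" "$out/$name.ext"
}

# gen_nats_certs [OUT] [EXTRA_HOST] [FORCE]
# CA, server cert (SAN: localhost, nats, 127.0.0.1, plus EXTRA_HOST) and one
# clientAuth cert per service. FORCE=1 plays the role of --force and
# EXTRA_HOST the role of --hostname in the compass invocations above.
gen_nats_certs() {
  local out="${1:-build/keys/nats}" extra_host="${2:-}" force="${3:-0}" san ext svc
  mkdir -p "$out"
  chmod 700 "$out"          # private keys are never world-readable, even briefly
  if [ "$force" = 1 ] || [ ! -f "$out/ca.crt" ]; then
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/CN=nats-internal-ca" -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
  fi
  san="DNS:localhost,DNS:nats,IP:127.0.0.1"
  if [ -n "$extra_host" ]; then san="$san,DNS:$extra_host"; fi
  ext=$(printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth' "$san")
  issue_cert "$out" server nats "$ext" "$force"
  for svc in $NATS_SERVICES; do
    issue_cert "$out" "$svc" "$svc" "extendedKeyUsage=clientAuth" "$force"
  done
  chmod 600 "$out"/*.key
}

# verify_cert OUT NAME: true iff OUT/NAME.crt chains to OUT/ca.crt.
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_has_san OUT NAME HOST: true iff DNS:HOST appears in the certificate.
cert_has_san() {
  local text
  text=$(openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null)
  case "$text" in *"DNS:$3"*) return 0 ;; *) return 1 ;; esac
}

# cert_fingerprint OUT NAME: SHA-256 fingerprint, handy to confirm a rotation.
cert_fingerprint() {
  openssl x509 -in "$1/$2.crt" -noout -fingerprint -sha256 2>/dev/null
}

# Usage, mirroring the three compass invocations above:
#   gen_nats_certs                                        # idempotent run
#   gen_nats_certs build/keys/nats "" 1                   # like --force
#   gen_nats_certs build/keys/nats myhost.example.com     # like --hostname
```

Two points worth checking on any generator of this shape: a leaf certificate that is skipped as "already present" is only useful while the CA it was signed under is still the one in the directory, so if ca.crt was ever deleted or replaced without the leaves, regenerate everything with --force rather than trusting the skip; and the fingerprint of server.crt should change after a forced run and stay identical after an idempotent one, which is an easy post-rotation check.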
Tested by
compass env init calls nats_certs.generate() on every CI run;
certificate presence is verified by the NATS mTLS handshake at service
startup.
See also
- NATS — background on the messaging system and ORE Studio's mTLS setup.
- How do I manage the checkout environment with compass? —
compass env init calls this automatically.
- How do I initialise the NATS server config with compass? — the companion
command for config + store dir.
- Service registry — authoritative list of services; drives
_SERVICES in nats_certs.py.