Skip to content

ZTS TLS Certificate Utility


ZTS TLS Certificate utility provides a service identity x.509 certificate based on registered service's ntoken.

Getting Software

Download latest ZTS TLS Certificate utility binary release from Bintray - click on the Files tab, choose the latest version directory and then download the athenz-utils-<latest-version>-bin.tar.gz file::


$ tar xvfz athenz-utils-X.Y-bin.tar.gz


Before you can use the ZTS ServiceCertificate utility, you need to have asked the Athenz administrators to create your top level domain.


$ zts-svccert -domain <domain> -service <service> -private-key <key-file> -key-version <version> -zts -dns-domain <dns-domain> -hdr Athenz-Principal-Auth [-cert-file <output-cert-file>]

It is expected that you have already generated a public/private key pair and registered the public key for the service in your Athenz domain. When registering the public key, you also specified a unique key-version for that key pair.

If you have not completed these steps follow Athenz Service Identity With Public/Private Key Pairs section in our user guide for instructions.

Assuming your domain is sports and you have registered a service called api with a key-version value of 0 and the private key is stored in ./sports_private.pem file, then the zms-svccert utility with following arguments will return the x.509 certificate for your sports.api service:

$ zts-svccert -domain sports -service api -private-key `./sports_private.pem` -key-version 0 -zts -dns-domain <dns-domain> -hdr Athenz-Principal-Auth

The certificate cannot be refreshed and the user must request a new certificate for the service before the current one expires.