TCP reference for pomerium-cli
This TCP reference covers pomerium-cli commands you can use to manage TCP connections in Pomerium.
Usage
pomerium-cli tcp [destination] [flags]
Flags
Flags | Description | Type |
---|---|---|
--alternate-ca-path | Path to CA certificate to use for HTTP requests. | string |
--browser-cmd | Custom browser command to run when opening a URL. | string |
--ca-cert | Path to CA certificate to use for HTTP requests. | string |
--client-cert | (optional) PEM-encoded client certificate. | string |
--client-key | (optional) PEM-encoded client certificate key. | string |
--client-cert-from-store | (optional) If provided, pomerium-cli will attempt to use a client certificate from the system trust store (macOS and Windows only), searching for a certificate based on the trusted CA names advertised by Pomerium in the TLS handshake. | none |
--client-cert-issuer | (optional) When used in combination with --client-cert-from-store, restricts the client certificate search based on a particular attribute of the certificate's Issuer name. | string |
--client-cert-subject | (optional) When used in combination with --client-cert-from-store, restricts the client certificate search based on a particular attribute of the certificate's Subject name. | string |
--disable-tls-verification | Disables TLS verification. | none |
-h, --help | Help for tcp. | none |
--listen | Local address to start a listener on (default "127.0.0.1:0"). | string |
--pomerium-url | The URL of the Pomerium server to connect to. | string |
-v, --version | Version for pomerium-cli. | none |
Certificate name filters
The certificate name filter syntax is attribute=value. A name filter can accept only one name attribute. The value must be an exact match (not a substring match). Make sure to quote name filters as appropriate for your shell.
For example, --client-cert-issuer "CN=My Trusted CA" would filter for a certificate directly issued by a CA with the Common Name "My Trusted CA".
Or, --client-cert-subject "OU=My Department" would filter for a certificate whose Subject name contains the Organizational Unit Name "My Department".
The supported name attributes are:
- commonName (CN)
- countryName (C)
- localityName (L)
- organizationName (O)
- organizationalUnitName (OU)
- postalCode
- serialNumber
- stateOrProvinceName (ST)
- streetAddress (STREET)
Either the long or abbreviated attribute name may be used (for example, localityName=New York or L=New York).
Values are case sensitive: L=new york will not match the Locality Name "New York".
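The matching rules above, as an added Go example that is not Pomerium's own code: it applies one attribute=value filter to a certificate name with exact, case-sensitive comparison and accepts long or abbreviated attribute names. The names MatchName, longNames and sampleSubject are hypothetical, and rejecting an empty value or an unlisted attribute with an error is an assumption of this example.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// longNames maps each long attribute name to its abbreviation.
var longNames = map[string]string{
	"commonName": "CN", "countryName": "C", "localityName": "L", "organizationName": "O",
	"organizationalUnitName": "OU", "stateOrProvinceName": "ST", "streetAddress": "STREET",
}

// MatchName applies one attribute=value filter; empty values and unlisted attributes are errors (assumption).
func MatchName(filter string, n pkix.Name) (bool, error) {
	attr, want, ok := strings.Cut(filter, "=")
	if !ok || want == "" {
		return false, fmt.Errorf("filter %q is not attribute=value", filter)
	}
	if short, found := longNames[attr]; found {
		attr = short
	}
	vals, known := map[string][]string{
		"CN": {n.CommonName}, "C": n.Country, "L": n.Locality, "O": n.Organization,
		"OU": n.OrganizationalUnit, "ST": n.Province, "STREET": n.StreetAddress,
		"postalCode": n.PostalCode, "serialNumber": {n.SerialNumber},
	}[attr]
	if !known {
		return false, fmt.Errorf("unsupported name attribute %q", attr)
	}
	for _, v := range vals {
		if v == want { // exact and case sensitive, never a substring match
			return true, nil
		}
	}
	return false, nil
}

// sampleSubject is a constructed Subject name used only for this demonstration.
var sampleSubject = pkix.Name{CommonName: "alice", Locality: []string{"New York"},
	OrganizationalUnit: []string{"My Department"}}

func main() {
	for _, f := range []string{"L=New York", "L=new york", "OU=My", "OU"} {
		ok, err := MatchName(f, sampleSubject)
		fmt.Printf("%-12q match=%v err=%v\n", f, ok, err)
	}
}
```

Checking a filter this way before passing it to --client-cert-issuer or --client-cert-subject shows whether a near miss, such as a lowercase value or a partial Organizational Unit Name, is the reason no certificate is selected.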