TLS certificate management


Table of Contents

  • ais tls command
  • Cert alerts
  • Show TLS certificate
  • Load TLS certificate

HTTPS deployment implies (and requires) that each AIS node has a valid TLS (a.k.a. X.509) certificate.

The certificate has a number of interesting properties ultimately intended to authenticate clients (users) to servers (AIS nodes), and vice versa.

In addition, TLS certificates tend to expire from time to time. In fact, each TLS certificate has an expiration date, with the standard-defined maximum being 13 months (397 days).

Some sources claim 398 days, but the (much) larger point remains: TLS certificates do expire, which means they must be periodically updated and reloaded in a timely manner.

Starting v3.24, AIStore:

  • tracks certificate expiration times;
  • automatically - upon update - reloads updated certificates;
  • raises associated alerts.

ais tls command

$ ais tls --help
NAME:
   ais tls - load or reload (an updated) TLS certificate; display information about currently deployed certificates

USAGE:
   ais tls command [arguments...] [command options]

COMMANDS:
   show                   show TLS certificate's version, issuer's common name, and from/to validity bounds
   load-certificate       load TLS certificate
   validate-certificates  check that all TLS certificates are identical

OPTIONS:
   --help, -h  show help

Cert alerts

Associated alerts are listed below, but first, an example:

$ ais show cluster

PROXY            MEM AVAIL    LOAD AVERAGE     UPTIME       STATUS   ALERT
p[KKFpNjqo][P]   127.77GiB    [5.2 7.2 3.1]    108h30m40s   online   **tls-cert-will-soon-expire**
...

TARGET           MEM AVAIL    CAP USED(%)   CAP AVAIL     LOAD AVERAGE      UPTIME      STATUS   ALERT
t[pDztYhhb]      98.02GiB     16%           960.824GiB    [9.1 13.4 8.3]    108h30m1s   online   **tls-cert-will-soon-expire**
...
...

Overall, there are currently 3 (three) related alerts:

| alert | comment |
| --- | --- |
| tls-cert-will-soon-expire | a warning that X.509 cert will expire in less than 3 days |
| tls-cert-expired | X.509 expired (red alert, as the name implies) |
| tls-cert-invalid | e.g., invalid PEM format; further details at OpenSSL: X.509 errors |

Show TLS certificate

The command has an optional NODE argument - press <TAB-TAB> to select.

Otherwise, simply run:

$ ais show tls

PROPERTY                VALUE
public-key-algorithm    RSA
serial-number           55543812950694702162300597243874591179118407338
signature-algorithm     SHA256-RSA
valid                   from 2024-08-26 18:18:12 to 2025-08-26 18:18:12
version                 3
issued-by (CN)          localhost
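
A monitoring job can read the validity bounds from this output and map them to the alert names listed under Cert alerts. The following is an added example, not part of AIStore or its documentation; the function names, the UTC assumption, the "ok" and "not-yet-valid" labels, and the warn_days parameter are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: `ais show tls` output in the layout shown on this page.
SAMPLE = """\
PROPERTY                VALUE
public-key-algorithm    RSA
serial-number           55543812950694702162300597243874591179118407338
signature-algorithm     SHA256-RSA
valid                   from 2024-08-26 18:18:12 to 2025-08-26 18:18:12
version                 3
issued-by (CN)          localhost
"""

_TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
_VALID = re.compile(rf"^valid\s+from {_TS} to {_TS}\s*$", re.MULTILINE)


def _utc(s):
    # Assumption: the CLI prints validity timestamps in UTC.
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def validity_window(text):
    """Return (not_before, not_after) parsed from the `valid` row."""
    m = _VALID.search(text)
    if m is None:
        raise ValueError("no 'valid from ... to ...' row found")
    return _utc(m.group(1)), _utc(m.group(2))


def classify(text, now=None, warn_days=3):
    """Return (status, time_left) for the certificate described in `text`.

    warn_days=3 matches the documented tls-cert-will-soon-expire threshold;
    a larger value gives your own tooling a longer renewal lead time.
    status is an alert name from the Cert alerts table, or "ok".
    """
    now = now or datetime.now(timezone.utc)
    not_before, not_after = validity_window(text)
    left = not_after - now
    if now < not_before:
        return "not-yet-valid", left  # hypothetical label, not an AIS alert
    if left <= timedelta(0):
        return "tls-cert-expired", left
    if left < timedelta(days=warn_days):
        return "tls-cert-will-soon-expire", left
    return "ok", left
```

Pass classify() the stdout of ais show tls for each node; tls-cert-invalid cannot be derived from this output and is left to the cluster's own alert.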

Load TLS certificate

By default, all nodes in the cluster will (unconditionally) reload X.509 certificates from the respective configured locations:

$ ais tls load-certificate

Done: all nodes.

But you can also choose any specific node, and ask it to reload. See ais tls load-certificate --help for details.

If aistore is deployed with authentication (enabled), reloading certificates will require administrative permissions.

See the ais config cluster command and the related auth.enabled knob.

Further references

  • Generating self-signed certificates
  • Deploying: 4 targets, 1 gateway, 6 mountpaths, AWS backend
  • Accessing HTTPS-based cluster
  • Testing with self-signed certificates
  • Observability: TLS related alerts
  • Updating and reloading X.509 certificates
  • Switching cluster between HTTP and HTTPS