# Manage the TLS certificate using the CLI

### Set the TLS certificate

You can set your TLS certificates using the CLI command: `weka security tls set`.

The command receives an unencrypted private key.

{% hint style="success" %}
**Example:** This command is similar to the OpenSSL command that Weka uses to generate the self-signed certificate: `openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days <days> -nodes`
{% endhint %}
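
A pre-flight check for the key and certificate before they are passed to `weka security tls set`, written as an added example (not part of the Weka documentation or tooling). It assumes PEM-encoded files and an `openssl` binary on the PATH; the function names and the 30-day expiry window are illustrative choices.

```shell
#!/bin/sh
# Added example: pre-flight checks on a PEM key/certificate pair.

# Print "unencrypted", "encrypted" or "unknown" based on the PEM armor.
key_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # PKCS#8 encrypted container
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # traditional key with legacy PEM encryption
    elif grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo unencrypted
    else
        echo unknown
    fi
}

# Succeed only when the certificate carries the key's public half.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# preflight KEY CERT: returns 0 when the pair is ready to be set.
preflight() {
    state=$(key_state "$1")
    if [ "$state" != unencrypted ]; then
        echo "private key is $state; an unencrypted key is required" >&2
        return 1
    fi
    if ! pair_matches "$1" "$2"; then
        echo "certificate does not match the private key" >&2
        return 1
    fi
    # 2592000 s = 30 days; the window is an assumption, adjust to policy.
    if ! openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null; then
        echo "certificate expires within 30 days" >&2
        return 1
    fi
    # Show expiry and key size so a short key is noticed before deployment.
    openssl x509 -in "$2" -noout -enddate
    openssl x509 -in "$2" -noout -text | grep 'Public-Key' || true
}

# Run only when called as: sh preflight.sh key.pem cert.pem
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Because the private key is stored unencrypted, keep it readable only by the account that runs the command and remove any working copies once the certificate is set.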

### Replace the TLS certificate

To replace the TLS certificate with a new one, use the CLI command: `weka security tls set`.

Once issued, a TLS certificate is used for connections to the cluster for the period it was issued for. Revocation is handled by the CA, which propagates its revocation lists to the various clients.

### Unset the TLS certificate

You can unset your TLS certificates using the CLI command: `weka security tls unset`.

### Download the TLS certificate

To download the TLS certificate, use the CLI command: `weka security tls download`.

### View the TLS certificate status

To view the cluster TLS status and certificate, use the CLI command: `weka security tls status`.


