

# The cluster mtls category in CloudHSM CLI

In CloudHSM CLI, **cluster mtls** is a parent category for a group of commands that, when combined with the parent category, create a command specific to AWS CloudHSM clusters. Currently, this category consists of the following commands:

**Topics**
+ [deregister-trust-anchor](cloudhsm_cli-cluster-mtls-deregister-trust-anchor.md)
+ [get-enforcement](cloudhsm_cli-cluster-mtls-get-enforcement.md)
+ [list-trust-anchors](cloudhsm_cli-cluster-mtls-list-trust-anchors.md)
+ [register-trust-anchor](cloudhsm_cli-cluster-mtls-register-trust-anchor.md)
+ [set-enforcement](cloudhsm_cli-cluster-mtls-set-enforcement.md)

# Deregister a trust anchor with CloudHSM CLI

Use the **cluster mtls deregister-trust-anchor** command in CloudHSM CLI to deregister a trust anchor for mutual TLS between client and AWS CloudHSM.

## User type


The following users can run this command.
+ Admin

## Requirements

+ To run this command, you must be logged in as an admin user.

## Syntax


```
aws-cloudhsm > help cluster mtls deregister-trust-anchor
            
Deregister a trust anchor for mtls

Usage: cluster mtls deregister-trust-anchor [OPTIONS] --certificate-reference [<CERTIFICATE_REFERENCE>...]

Options:
      --certificate-reference <CERTIFICATE_REFERENCE>  A hexadecimal or decimal certificate reference
      --cluster-id <CLUSTER_ID>  Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --approval <APPROVAL>  Filepath of signed quorum token file to approve operation
  -h, --help                     Print help
```

## Example


**Example**  
In the following example, this command removes a trust anchor from the HSM.  

```
aws-cloudhsm > cluster mtls deregister-trust-anchor --certificate-reference 0x01
                
{
  "error_code": 0,
  "data": {
    "message": "Trust anchor with reference 0x01 deregistered successfully"
  }
}
```
You can then run the **list-trust-anchors** command to confirm that the trust anchor has been deregistered from AWS CloudHSM:  

```
aws-cloudhsm > cluster mtls list-trust-anchors
                
{
  "error_code": 0,
  "data": {
    "trust_anchors": []
  }
}
```

## Arguments


***<CLUSTER_ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured](cloudhsm_cli-configs-multi-cluster.md).

** *<CERTIFICATE_REFERENCE>* **  
A hexadecimal or decimal certificate reference.  
 **Required**: Yes  
After you deregister a trust anchor in the cluster, all existing mTLS connections using the client certificate signed by that trust anchor will be dropped.

** *<APPROVAL>* **  
Specifies the file path to a signed quorum token file to approve the operation. Only required if the cluster service quorum value is greater than 1.

## Related topics

+  [cluster mtls register-trust-anchor](cloudhsm_cli-cluster-mtls-register-trust-anchor.md) 
+  [cluster mtls list-trust-anchors](cloudhsm_cli-cluster-mtls-list-trust-anchors.md) 
+  [Setup mTLS (recommended)](getting-started-setup-mtls.md) 

# Get the mTLS enforcement level with CloudHSM CLI

Use the **cluster mtls get-enforcement** command in CloudHSM CLI to get the enforcement level of the usage of mutual TLS between client and AWS CloudHSM.

## User type


The following users can run this command.
+ Admin
+ Crypto users (CUs)

## Requirements

+ To run this command, you must be logged in as an admin user or a crypto user (CU).

## Syntax


```
aws-cloudhsm > help cluster mtls get-enforcement
            
Get the status of mtls enforcement in the cluster

Usage: cluster mtls get-enforcement [OPTIONS]

Options:
      --cluster-id <CLUSTER_ID>  Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
  -h, --help                     Print help
```

## Example


**Example**  
In the following example, this command shows the mTLS enforcement level of the AWS CloudHSM cluster.  

```
aws-cloudhsm > cluster mtls get-enforcement
                
{
  "error_code": 0,
  "data": {
    "mtls-enforcement-level": "none"
  }
}
```

## Arguments


***<CLUSTER_ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured](cloudhsm_cli-configs-multi-cluster.md).

## Related topics

+  [cluster mtls set-enforcement](cloudhsm_cli-cluster-mtls-set-enforcement.md) 
+  [Setup mTLS (recommended)](getting-started-setup-mtls.md) 

# List trust anchors with CloudHSM CLI

Use the **cluster mtls list-trust-anchors** command in CloudHSM CLI to list all the trust anchors that can be used for mutual TLS between the client and AWS CloudHSM.

## User type


The following users can run this command.
+ All users. You do not need to be logged in to run this command.

## Syntax


```
aws-cloudhsm > help cluster mtls list-trust-anchors
            
List all trust anchors for mtls

Usage: cluster mtls list-trust-anchors [OPTIONS]

Options:
      --cluster-id <CLUSTER_ID>  Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
  -h, --help                     Print help
```

## Example


**Example**  
In the following example, this command lists all the trust anchors registered on the AWS CloudHSM cluster.  

```
aws-cloudhsm > cluster mtls list-trust-anchors
                
{
  "error_code": 0,
  "data": {
    "trust_anchors": [
      {
        "certificate-reference": "0x01",
        "certificate": "<PEM Encoded Certificate 1>",
        "cluster-coverage": "full"
      },
      {
        "certificate-reference": "0x02",
        "certificate": "<PEM Encoded Certificate 2>",
        "cluster-coverage": "full"
      }
    ]
  }
}
```

## Arguments


***<CLUSTER_ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured](cloudhsm_cli-configs-multi-cluster.md).

## Related topics

+  [cluster mtls register-trust-anchor](cloudhsm_cli-cluster-mtls-register-trust-anchor.md) 
+  [cluster mtls deregister-trust-anchor](cloudhsm_cli-cluster-mtls-deregister-trust-anchor.md) 
+  [Setup mTLS (recommended)](getting-started-setup-mtls.md) 

# Register a trust anchor with CloudHSM CLI

Use the **cluster mtls register-trust-anchor** command in CloudHSM CLI to register a trust anchor for mutual TLS between client and AWS CloudHSM.

## User type


The following users can run this command.
+ Admin

## Requirements


AWS CloudHSM accepts trust anchors with the following key types:



| Key Type | Description | 
| --- | --- | 
| EC |  secp256r1 (P-256), secp384r1 (P-384), and secp521r1 (P-521) curves.  | 
| RSA |  2048-bit, 3072-bit, and 4096-bit RSA keys.  | 

## Syntax


```
aws-cloudhsm > help cluster mtls register-trust-anchor
            
Register a trust anchor for mtls

Usage: cluster mtls register-trust-anchor [OPTIONS] --path [<PATH>...]

Options:
      --cluster-id <CLUSTER_ID>  Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --path <PATH>  Filepath of the trust anchor to register
      --approval <APPROVAL>  Filepath of signed quorum token file to approve operation
  -h, --help                     Print help
```

## Example


**Example**  
In the following example, this command registers a trust anchor onto the HSM. The maximum number of trust anchors that can be registered is two (2).  

```
aws-cloudhsm > cluster mtls register-trust-anchor --path /home/rootCA
                
{
  "error_code": 0,
  "data": {
    "trust_anchor": {
      "certificate-reference": "0x01",
      "certificate": "<PEM Encoded Certificate>",
      "cluster-coverage": "full"
    }
  }
}
```
You can then run the **list-trust-anchors** command to confirm that the trust anchor has been registered on AWS CloudHSM:  

```
aws-cloudhsm > cluster mtls list-trust-anchors
                
{
  "error_code": 0,
  "data": {
    "trust_anchors": [
      {
        "certificate-reference": "0x01",
        "certificate": "<PEM Encoded Certificate>",
        "cluster-coverage": "full"
      }
    ]
  }
}
```

## Arguments


***<CLUSTER_ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured](cloudhsm_cli-configs-multi-cluster.md).

** *<PATH>* **  
Filepath of the trust anchor to register.  
 **Required**: Yes  
AWS CloudHSM supports registering an intermediate certificate as a trust anchor. In that case, the entire PEM-encoded certificate chain file must be registered onto the HSM, with the certificates in hierarchical order.  
AWS CloudHSM supports a certificate chain of up to 6980 bytes.
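As an added pre-flight check (example script, not part of CloudHSM CLI or the AWS documentation), the following POSIX shell function validates a PEM file against the key-type table in the Requirements section and the `<PATH>` chain rules before the file is passed to `cluster mtls register-trust-anchor`: total size no more than 6980 bytes, every key EC P-256/P-384/P-521 or RSA 2048/3072/4096, and certificates in hierarchical order. It assumes the `openssl` command-line tool is installed, and it assumes "hierarchical order" means each certificate is followed by the certificate that issued it (the usual PEM chain layout).

```shell
#!/bin/sh
# Added example (not CloudHSM CLI code): pre-flight checks for a PEM trust anchor
# or chain file before running
#   aws-cloudhsm > cluster mtls register-trust-anchor --path <file>
# Assumes the openssl CLI is installed. Limits taken from the page: chain at most
# 6980 bytes; EC P-256/P-384/P-521 or RSA 2048/3072/4096 keys; hierarchical order,
# assumed here to mean each certificate is followed by the one that issued it.
MAX_CHAIN_BYTES=6980

# Print the Nth certificate block (1-based) of a PEM file.
pem_nth() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"; }

# Read one PEM certificate on stdin; succeed only if its key type and size are accepted.
key_supported() {
  txt=$(openssl x509 -noout -text 2>/dev/null) || return 1
  case "$txt" in
    *id-ecPublicKey*) printf '%s\n' "$txt" | grep -qE 'ASN1 OID: (prime256v1|secp384r1|secp521r1)' ;;
    *rsaEncryption*)  printf '%s\n' "$txt" | grep -qE 'Public-Key: \((2048|3072|4096) bit\)' ;;
    *) return 1 ;;
  esac
}

# Validate the file; print the first problem found and return non-zero on failure.
check_trust_anchor() {
  f="$1"
  size=$(wc -c < "$f" | tr -d ' ')
  [ "$size" -le "$MAX_CHAIN_BYTES" ] || { echo "chain is $size bytes, limit is $MAX_CHAIN_BYTES"; return 1; }
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  [ "$n" -ge 1 ] || { echo "no PEM certificate found in $f"; return 1; }
  i=1
  while [ "$i" -le "$n" ]; do
    pem_nth "$f" "$i" | key_supported || { echo "certificate $i: unsupported key type or size"; return 1; }
    if [ "$i" -lt "$n" ]; then
      # Hierarchical order: certificate i must be issued by certificate i+1.
      iss=$(pem_nth "$f" "$i" | openssl x509 -noout -issuer)
      sub=$(pem_nth "$f" "$((i + 1))" | openssl x509 -noout -subject)
      [ "${iss#issuer=}" = "${sub#subject=}" ] || { echo "certificate $i is not issued by certificate $((i + 1))"; return 1; }
    fi
    i=$((i + 1))
  done
  echo "ok: $n certificate(s), $size bytes; ready for register-trust-anchor"
}
```

Run `check_trust_anchor /path/to/chain.pem` before the register command; a non-zero exit with the printed reason tells you which rule the file would fail.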

** *<APPROVAL>* **  
Specifies the file path to a signed quorum token file to approve the operation. Only required if the cluster service quorum value is greater than 1.

## Related topics

+  [cluster mtls deregister-trust-anchor](cloudhsm_cli-cluster-mtls-deregister-trust-anchor.md) 
+  [cluster mtls list-trust-anchors](cloudhsm_cli-cluster-mtls-list-trust-anchors.md) 
+  [Setup mTLS (recommended)](getting-started-setup-mtls.md) 

# Set the mTLS enforcement level with CloudHSM CLI

Use the **cluster mtls set-enforcement** command in CloudHSM CLI to set the enforcement level of the usage of mutual TLS between client and AWS CloudHSM.

## User type


The following users can run this command.
+ Admin with the username "admin"

## Requirements


To run this command:
+ At least one trust anchor must have been successfully registered onto the AWS CloudHSM cluster.
+ Configure CloudHSM CLI with the correct private key and client certificate, and start CloudHSM CLI over a mutual TLS connection.
+ You must be logged in as the default admin with username "admin". No other admin user can run this command.

## Syntax


```
aws-cloudhsm > help cluster mtls set-enforcement
            
Set mtls enforcement policy in the cluster

Usage: cluster mtls set-enforcement [OPTIONS] --level [<LEVEL>...]

Options:
      --cluster-id <CLUSTER_ID>  Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --level <LEVEL>  Level to be set for mtls in the cluster [possible values: none, cluster]
      --approval <APPROVAL>  Filepath of signed quorum token file to approve operation
  -h, --help                     Print help
```

## Example


**Example**  
In the following example, this command sets the mTLS enforcement level of the AWS CloudHSM cluster to cluster. The set-enforcement command can only be run over a mutual TLS connection while logged in as the admin user with username "admin"; see [set the mTLS enforcement for AWS CloudHSM](getting-started-setup-mtls.md#getting-start-setup-mtls-enforcement).  

```
aws-cloudhsm > cluster mtls set-enforcement --level cluster
                
{
  "error_code": 0,
  "data": {
    "message": "Mtls enforcement level set to Cluster successfully"
  }
}
```
You can then run the **get-enforcement** command to confirm that the enforcement level has been set to cluster:  

```
aws-cloudhsm > cluster mtls get-enforcement
                
{
  "error_code": 0,
  "data": {
    "mtls-enforcement-level": "cluster"
  }
}
```

## Arguments


***<CLUSTER_ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured](cloudhsm_cli-configs-multi-cluster.md).

** *<LEVEL>* **  
Level to be set for mTLS in the cluster.  
**Valid values**  
+  **cluster**: Enforce the usage of mutual TLS between client and AWS CloudHSM in the cluster.
+  **none**: Do not enforce the usage of mutual TLS between client and AWS CloudHSM in the cluster.

**Required**: Yes  
After you enforce mTLS usage in the cluster, all existing non-mTLS connections will be dropped and you can only connect to the cluster with mTLS certificates.

** *<APPROVAL>* **  
Specifies the file path to a signed quorum token file to approve the operation. Only required if the cluster service quorum value is greater than 1.

## Related topics

+  [cluster mtls get-enforcement](cloudhsm_cli-cluster-mtls-get-enforcement.md) 
+  [Setup mTLS (recommended)](getting-started-setup-mtls.md) 