# tcld generate-certificates command reference

> Generate certificate authority and end-entity TLS certificates for Temporal Cloud with tcld generate-certificates commands. Use modifiers for customization.

The `tcld generate-certificates` commands generate certificate authority (CA) and end-entity TLS certificates for Temporal Cloud.

Alias: `gen`

- [tcld generate-certificates certificate-authority-certificate](#certificate-authority-certificate)
- [tcld generate-certificates end-entity-certificate](#end-entity-certificate)

## tcld generate-certificates certificate-authority-certificate

The `tcld generate-certificates certificate-authority-certificate` command generates certificate authority (CA) certificates for Temporal Cloud.

`tcld generate-certificates certificate-authority-certificate <modifiers>`

Alias: `ca`

The following modifiers control the behavior of the command.

#### --organization

Specify an organization name for certificate generation.

Alias: `--org`

**Example**

```bash
tcld generate-certificates certificate-authority-certificate --organization <value>
```

#### --validity-period

Specify the duration for which the certificate is valid.
Format the value in days (`d`) and hours (`h`); for example, `30d10h` is a certificate lasting 30 days and 10 hours.

Alias: `-d`

**Example**

```bash
tcld generate-certificates certificate-authority-certificate --validity-period <value>
```

#### --ca-certificate-file

Specify a path to a `.pem` file where the generated X.509 certificate file will be stored.

Alias: `--ca-cert`

**Example**

```bash
tcld generate-certificates certificate-authority-certificate --ca-certificate-file <path>
```

#### --ca-key-file

Specify a path to a `.key` file where the certificate's private key will be stored.

Alias: `--ca-key`

**Example**

```bash
tcld generate-certificates certificate-authority-certificate --ca-key-file <path>
```

#### --rsa-algorithm

When enabled, a 4096-bit RSA key pair is generated for the certificate instead of an ECDSA P-384 key pair.
Because an ECDSA P-384 key pair is the recommended default, this option is disabled unless you enable it.

Alias: `--rsa`

**Example**

```bash
tcld generate-certificates certificate-authority-certificate --rsa-algorithm <boolean>
```

## tcld generate-certificates end-entity-certificate

The `tcld generate-certificates end-entity-certificate` command generates end-entity (leaf) certificates for Temporal Cloud.

`tcld generate-certificates end-entity-certificate <modifiers>`

Alias: `leaf`

The following modifiers control the behavior of the command.

#### --organization

Specify an organization name for certificate generation.

Alias: `--org`

**Example**

```bash
tcld generate-certificates end-entity-certificate --organization <value>
```

#### --organization-unit

Optional: Specify the name of the organization unit.

**Example**

```bash
tcld generate-certificates end-entity-certificate --organization-unit <value>
```

#### --validity-period

Specify the duration for which the certificate is valid.
Format the value in days (`d`) and hours (`h`); for example, `30d10h` is a certificate lasting 30 days and 10 hours.

Alias: `-d`

**Example**

```bash
tcld generate-certificates end-entity-certificate --validity-period <value>
```

#### --ca-certificate-file

Specify the path of the X.509 CA certificate in a `.pem` file for the certificate authority.

Alias: `--ca-cert`

**Example**

```bash
tcld generate-certificates end-entity-certificate --ca-certificate-file <path>
```

#### --ca-key-file

Specify the path of the private key in a `.key` file for the certificate authority.

Alias: `--ca-key`

**Example**

```bash
tcld generate-certificates end-entity-certificate --ca-key-file <path>
```

#### --certificate-file

Specify a path to a `.pem` file where the generated X.509 leaf certificate file will be stored.

Alias: `--cert`

**Example**

```bash
tcld generate-certificates end-entity-certificate --certificate-file <path>
```

#### --key-file

Specify a path to a `.key` file where the leaf certificate's private key will be stored.

Alias: `--key`

**Example**

```bash
tcld generate-certificates end-entity-certificate --key-file <path>
```
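
Both commands combined into one workflow, as an added example that is not part of the tcld documentation: it generates a CA and then a leaf signed by it, keeps the private keys owner-only, and refuses a leaf validity period longer than the CA's. The helper function names, the output file names (`ca.pem`, `ca.key`, `leaf.pem`, `leaf.key`), and the exact `d/h` grammar the parser accepts are assumptions.

```shell
# Convert a d/h validity string (e.g. 30d10h) to hours; status 1 if malformed.
# Assumed grammar: optional <n>d followed by optional <n>h, no leading zeros.
validity_hours() {
    vh_rest=$1 vh_days=0 vh_hours=0
    case "$vh_rest" in *d*) vh_days=${vh_rest%%d*}; vh_rest=${vh_rest#*d} ;; esac
    case "$vh_rest" in *h) vh_hours=${vh_rest%h}; vh_rest= ;; esac
    for vh_n in "$vh_days" "$vh_hours"; do
        case "$vh_n" in ''|0?*|*[!0-9]*) return 1 ;; esac
    done
    [ -z "$vh_rest" ] && [ -n "$1" ] || return 1
    echo $(( vh_days * 24 + vh_hours ))
}

# Status 0 if the leaf validity fits within the CA validity, 1 if it is
# longer, 2 if either value is malformed.
leaf_within_ca() {
    lw_leaf=$(validity_hours "$1") || return 2
    lw_ca=$(validity_hours "$2") || return 2
    [ "$lw_leaf" -le "$lw_ca" ]
}

# Generate a CA, then a leaf signed by it, with the modifiers from this page.
# Usage: issue_ca_and_leaf <organization> <ca-validity> <leaf-validity> <dir>
# File names under <dir> are assumptions, not tcld defaults.
issue_ca_and_leaf() {
    ic_org=$1 ic_ca=$2 ic_leaf=$3 ic_dir=$4
    # Standard X.509 path validation fails once any certificate in the chain
    # has expired, so refuse a leaf that would outlive its CA.
    leaf_within_ca "$ic_leaf" "$ic_ca" || {
        echo "leaf validity $ic_leaf is malformed or exceeds CA validity $ic_ca" >&2
        return 1
    }
    (   # Subshell: the umask change stays local to these commands.
        umask 077   # files created here get no group/other permissions
        mkdir -p "$ic_dir" &&
        tcld generate-certificates certificate-authority-certificate \
            --organization "$ic_org" --validity-period "$ic_ca" \
            --ca-certificate-file "$ic_dir/ca.pem" --ca-key-file "$ic_dir/ca.key" &&
        tcld generate-certificates end-entity-certificate \
            --organization "$ic_org" --validity-period "$ic_leaf" \
            --ca-certificate-file "$ic_dir/ca.pem" --ca-key-file "$ic_dir/ca.key" \
            --certificate-file "$ic_dir/leaf.pem" --key-file "$ic_dir/leaf.key"
    )
}

# Run only when called with the four arguments; otherwise just define functions.
if [ "$#" -eq 4 ]; then issue_ca_and_leaf "$@"; fi
```

The CA private key written by the first command is only needed again when signing further leaf certificates, so store it separately from the leaf key that is deployed with the client.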
