Enterprise License File
Self-hosted Teleport Enterprise subscriptions require a valid license. In this guide, we will show you how to manage your Teleport Enterprise license file.
Teleport Cloud takes care of this setup for you so you can provide secure access to your infrastructure right away.
In a self-hosted Teleport Enterprise cluster, the Teleport Auth Service reads a license file in order to determine the scope and validity of your subscription. Follow the steps below to give your Teleport Auth Service instances access to your license file.
To obtain your license file, visit the Teleport customer portal and log in. Click "DOWNLOAD LICENSE KEY". You will see your current Teleport Enterprise account permissions and the option to download your license file.
The Teleport license file contains an X.509 certificate and the corresponding private key in PEM format.
Make your license file available to your Teleport Auth Service instances. The way you will do this depends on whether you are running the Teleport Auth Service on a Linux host or on Kubernetes:
Place the downloaded file on each instance of the Teleport Auth Service you will run in your cluster and set the license_file configuration parameter of your teleport.yaml to point to the file location:
auth_service:
  license_file: /var/lib/teleport/license.pem
The license_file path can be either absolute or relative to the configured data_dir. If the license file path is not set, Teleport will look for the license.pem file in the configured data_dir, which is
Rename your license file to
Create a secret called "license" in the namespace you are using to deploy Teleport:
kubectl -n teleport create secret generic license --from-file=license.pem
For the Teleport pod to load your license:
- The secret must be named
- The secret must be in the same Kubernetes namespace as the Teleport pod
- The license file in the secret must be named
Only Auth Service instances require the license. Instances of other Teleport services do not need a license file unless they are also running the Auth Service.
Your Teleport Enterprise license includes an X.509 certificate that records the expiration date of your license.
Run the following command to inspect the expiration date of your license, assuming your license is saved as
openssl x509 -text -in license.pem | grep "Not After"
Not After : Dec 16 19:43:40 2022 GMT
If you have changed your license agreement with Teleport, e.g., you have added or removed support for a feature, you must obtain an updated license file and replace your existing license file on all Teleport Auth Service instances. You must also obtain a new license file after renewing your Teleport Enterprise license.
Once you restart the Teleport Auth Service, any changes to the license will take effect.
The Teleport Auth Service checks the expiration status of your license every hour. This means that, after you replace your license file and restart your Auth Service instances, it can take up to an hour to confirm the new license.
At 90 days before your Teleport Enterprise license expires, users will see an alert similar to the following when running tsh status, or any
Your Teleport Enterprise Edition license will expire in 90 days on one or more of your auth servers. Please reach out to [email protected] to obtain a new license. Inaction may lead to unplanned outage or degraded performance and support.
Users will see a similar message as a banner when accessing the Teleport Web UI:
You can close this banner to dismiss the message for the duration of your session.
When your license expires, you will have a 30-day grace period before Teleport Enterprise features become disabled.
tsh users will see warnings indicating that Enterprise features are no longer
Your Teleport Enterprise Edition license has expired on one or more of your auth servers. Please reach out to [email protected] to obtain a new license. Inaction may lead to unplanned outage or degraded performance and support.
Teleport Web UI users will see an alert banner:
Attempts to authenticate to Teleport via Single Sign-On connectors will fail.
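As an added example (not part of the Teleport documentation or Teleport's own tooling), the script below classifies a license file against the 90-day alert window and the 30-day grace period described above, and flags a license file that group or other users can access, since the file carries a private key. It assumes the openssl CLI and GNU date; NOW_EPOCH, the state names and make_sample_license are hypothetical helpers for this example.

```shell
#!/bin/sh
# Added example, not Teleport tooling. Assumes the openssl CLI and GNU date.
WARN_DAYS=90    # alert window before expiry, from the page
GRACE_DAYS=30   # grace period after expiry, from the page

# license_state FILE [NOW_EPOCH] prints ok | expiring | grace | disabled.
# NOW_EPOCH is a hypothetical hook for testing; it defaults to the current time.
# The body is a subshell so its variables stay local under plain POSIX sh.
license_state() (
  now=${2:-$(date +%s)}
  end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || exit 2
  end_s=$(date -u -d "${end#notAfter=}" +%s) || exit 2
  delta=$(( end_s - now ))   # seconds until "Not After"; negative once expired
  if   [ "$delta" -gt $(( WARN_DAYS * 86400 )) ]; then echo ok
  elif [ "$delta" -gt 0 ]; then echo expiring
  elif [ $(( delta + GRACE_DAYS * 86400 )) -gt 0 ]; then echo grace
  else echo disabled
  fi
)

# key_exposed FILE succeeds when group or other hold any permission bit on the
# file. The license PEM carries a private key, so that is worth flagging.
key_exposed() {
  [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# make_sample_license FILE DAYS writes a constructed self-signed stand-in laid
# out like the license (certificate, then private key). Not a real license.
make_sample_license() (
  tmp=$(mktemp -d) || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=constructed-license" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || exit 1
  cat "$tmp/cert.pem" "$tmp/key.pem" > "$1" || exit 1
  chmod 600 "$1"
  rm -rf "$tmp"
)

# Usage: sh check_license.sh /var/lib/teleport/license.pem
if [ "$#" -gt 0 ]; then
  key_exposed "$1" && echo "warning: $1 is accessible to group/other" >&2
  license_state "$1"
fi
```

Run it from cron or a monitoring agent on each Auth Service host; a non-zero exit from license_state means the certificate could not be read or its date could not be parsed.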
If users attempt to use a Teleport feature that your license does not allow, they will see an error message. For example, if you attempt to use a SAML authentication connector without a Teleport Enterprise license, you will see the following error:
SAML: this feature requires Teleport Enterprise