Consul
Consul TLS CA Create
Command: consul tls ca create
This command creates a self-signed CA to be used for Consul TLS setup.
Examples
Create a CA:
$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem
Create a CA that signs certificates exclusively for the example.com domain:
$ consul tls ca create -name-constraint -domain example.com
==> Saved example.com-ca.pem
==> Saved example.com-ca-key.pem
Usage
Usage: consul tls ca create [options]
Command Options
-additional-name-constraint=<value>
- Add name constraints for the CA. Results in rejecting certificates for other DNS than specified. Can be used multiple times. Only used in combination with-name-constraint
.-days=<int>
- Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).-domain=<string>
- The DNS domain of the Consul cluster that agents are configured with. Defaults toconsul
. Only used when-name-constraint
is set. Additional domains can be passed with-additional-name-constraint
.-name-constraint
- Enables X.509 name constraints for the CA. If used, the CA only signs certificates for localhost and the domains specified by-domain
and-additional-name-constraint
. If Consul's UI is served over HTTPS in your deployment, add its DNS name with-additional-constraint
as well. Defaults tofalse
.cluster-id
- ID of the Consul cluster. Sets the CA's URI with the SPIFFEID composed of the cluster ID and domain (specified by-domain
orconsul
by default).common-name
- Common Name of CA. Defaults to Consul Agent CA.