Nomad
Command: nomad tls ca create
The tls ca create command creates a self-signed Certificate Authority to be used for Nomad TLS setup.
Usage
nomad tls ca create [options]
CA Create Options
-additional-domain=<value>
: Add name constraints for the CA. The server will reject certificates for DNS names other than those specified in -domain and -additional-domain. Can be used multiple times. This option can only be used in combination with -domain and -name-constraint.
-common-name
: Common Name of CA. Defaults to Nomad Agent CA.
-country
: Country of the CA. Defaults to "US".
-days=<int>
: Provide number of days the CA is valid for from now on, defaults to 5 years.
-domain=<string>
: Domain of nomad cluster. Only used in combination with -name-constraint. Defaults to nomad.
-locality
: Locality of the CA. Defaults to "San Francisco".
-name-constraint
: Add name constraints for the CA. Certificates for DNS names other than those specified are rejected. If set to true, "localhost" and -domain will be added to the allowed DNS names. Defaults to false.
Warning: If -name-constraint is enabled and you intend to serve the Nomad web UI over HTTPS, its DNS name must be added with -additional-domain. It is not possible to add that after the fact.
-organization
: Organization of the CA. Defaults to "HashiCorp Inc.".
-organizational-unit
: Organizational Unit of the CA. Defaults to "Nomad".
-postal-code
: Postal Code of the CA. Defaults to "94105".
-province
: Province of the CA. Defaults to "CA".
-street-address
: Street Address of the CA. Defaults to "101 Second Street".
Example
Create CA:
$ nomad tls ca create
==> CA Certificate saved to: nomad-agent-ca.pem
==> CA Certificate key saved to: nomad-agent-ca-key.pem
Create a CA with a specified domain:
$ nomad tls ca create -name-constraint="true" -domain="foo.com"
==> CA Certificate saved to: foo.com-agent-ca.pem
==> CA Certificate key saved to: foo.com-agent-ca-key.pem
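The effect of -name-constraint described above, as an added example that is not Nomad's own code: this Go program uses the standard crypto/x509 package to build a stand-in CA that permits only foo.com and localhost, then verifies leaf certificates issued under it. The CA template, the helper names, and the leaf names server.global.foo.com and ui.example.net are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the signer key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (cert *x509.Certificate) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA builds a constructed stand-in CA (not Nomad's) permitting only the given DNS names.
func newCA(permitted ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agent CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: permitted}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// verifyLeaf issues a certificate for dnsName under the CA and returns the chain verification error, if any.
func verifyLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{dnsName}}, ca, &key.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

func main() {
	ca, key := newCA("foo.com", "localhost") // the names -name-constraint -domain="foo.com" would allow
	for _, name := range []string{"server.global.foo.com", "localhost", "ui.example.net"} {
		fmt.Printf("%-22s error=%v\n", name, verifyLeaf(ca, key, name))
	}
}
```

The certificate for ui.example.net fails verification even though the CA signed it, which is the situation the warning describes for a web UI hostname that was not passed with -additional-domain when the CA was created.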