---
layout: commands
page_title: 'Commands: TLS CA Create'
description: |
  The `consul tls ca create` command creates a self-signed certificate authority (CA) for TLS setup.
---

# Consul TLS CA Create

Command: `consul tls ca create`

This command creates a self-signed CA to be used for Consul TLS setup.

## Examples

Create a CA:

```shell-session
$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem
```

Create a CA that signs certificates exclusively for the example.com domain:

```shell-session
$ consul tls ca create -name-constraint -domain example.com
==> Saved example.com-ca.pem
==> Saved example.com-ca-key.pem
```

## Usage

Usage: `consul tls ca create [options]`

#### Command Options

- `-additional-name-constraint=<value>` - Adds a name constraint for the CA. Certificates for DNS names other than those specified are rejected. Can be used multiple times. Only used in combination with `-name-constraint`.

- `-days=<int>` - Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).

- `-domain=<string>` - The DNS domain of the Consul cluster that agents are [configured](/consul/docs/agent/config/cli-flags#_domain) with. Defaults to `consul`. Only used when `-name-constraint` is set. Additional domains can be passed with `-additional-name-constraint`.

- `-name-constraint` - Enables [X.509 name constraints](https://www.rfc-editor.org/rfc/rfc5280#page-40) for the CA. If used, the CA only signs certificates for localhost and the domains specified by `-domain` and `-additional-name-constraint`. If Consul's UI is served over HTTPS in your deployment, add its DNS name with `-additional-name-constraint` as well. Defaults to `false`.

- `-cluster-id` - ID of the Consul cluster. Sets the CA's URI with the SPIFFE ID composed of the cluster ID and domain (specified by `-domain` or `consul` by default).

- `-common-name` - Common Name of the CA. Defaults to `Consul Agent CA`.