---
layout: commands
page_title: 'Commands: TLS CA Create'
description: |
  The `consul tls ca create` command creates a self-signed certificate authority (CA) for TLS setup.
---

# Consul TLS CA Create

Command: `consul tls ca create`

This command creates a self-signed CA to be used for Consul TLS setup.

## Examples

Create a CA:

```shell-session
$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem
```

Create a CA that signs certificates exclusively for the example.com domain:

```shell-session
$ consul tls ca create -name-constraint -domain example.com
==> Saved example.com-ca.pem
==> Saved example.com-ca-key.pem
```

## Usage

Usage: `consul tls ca create [options]`

#### Command Options

- `-additional-name-constraint=<value>` - Add name constraints for the CA.
  Results in rejecting certificates for other DNS than specified. Can be used
  multiple times. Only used in combination with `-name-constraint`.

- `-days=<int>` - Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).

- `-domain=<string>` - The DNS domain of the Consul cluster that agents are [configured](/consul/docs/agent/config/cli-flags#_domain) with.
  Defaults to `consul`. Only used when `-name-constraint` is set.
  Additional domains can be passed with `-additional-name-constraint`.

- `-name-constraint` - Enables [X.509 name constraints](https://www.rfc-editor.org/rfc/rfc5280#page-40) for the CA.
  If used, the CA only signs certificates for localhost and the domains specified by `-domain` and `-additional-name-constraint`.
  If Consul's UI is served over HTTPS in your deployment, add its DNS name with `-additional-constraint` as well. Defaults to `false`.

- `cluster-id` - ID of the Consul cluster. Sets the CA's URI with the SPIFFEID composed of the cluster ID and domain
  (specified by `-domain` or `consul` by default).

- `common-name` - Common Name of CA. Defaults to Consul Agent CA.