consul/website/content/commands/tls/ca.mdx

56 lines
1.9 KiB
Markdown

---
layout: commands
page_title: 'Commands: TLS CA Create'
description: |
The `consul tls ca create` command creates a self-signed certificate authority (CA) for TLS setup.
---
# Consul TLS CA Create
Command: `consul tls ca create`
This command creates a self-signed CA to be used for Consul TLS setup.
## Examples
Create a CA:
```shell-session
$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem
```
Create a CA that signs certificates exclusively for the example.com domain:
```shell-session
$ consul tls ca create -name-constraint -domain example.com
==> Saved example.com-ca.pem
==> Saved example.com-ca-key.pem
```
## Usage
Usage: `consul tls ca create [options]`
#### Command Options
- `-additional-name-constraint=<value>` - Add name constraints for the CA.
Results in rejecting certificates for other DNS than specified. Can be used
multiple times. Only used in combination with `-name-constraint`.
- `-days=<int>` - Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).
- `-domain=<string>` - The DNS domain of the Consul cluster that agents are [configured](/consul/docs/agent/config/cli-flags#_domain) with.
Defaults to `consul`. Only used when `-name-constraint` is set.
Additional domains can be passed with `-additional-name-constraint`.
- `-name-constraint` - Enables [X.509 name constraints](https://www.rfc-editor.org/rfc/rfc5280#page-40) for the CA.
If used, the CA only signs certificates for localhost and the domains specified by `-domain` and `-additional-name-constraint`.
If Consul's UI is served over HTTPS in your deployment, add its DNS name with `-additional-constraint` as well. Defaults to `false`.
- `cluster-id` - ID of the Consul cluster. Sets the CA's URI with the SPIFFEID composed of the cluster ID and domain
(specified by `-domain` or `consul` by default).
- `common-name` - Common Name of CA. Defaults to Consul Agent CA.