A new platform for documentation and tutorials is launching soon.

We are migrating Consul documentation into HashiCorp Developer, our new developer experience.

Join Now
Type '/' to Search

»Consul TLS CA Create

Command: consul tls ca create

This command create a self signed CA to be used for Consul TLS setup.

»Example

Create CA:

$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem

$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem

»Usage

Usage: consul tls ca create [filename-prefix] [options]

»Command Options

  • -additional-name-constraint=<value> - Add name constraints for the CA. Results in rejecting certificates for other DNS than specified. Can be used multiple times. Only used in combination with -name-constraint.

  • -days=<int> - Provide number of days the CA is valid for from now on, defaults to 5 years.

  • -domain=<string> - Domain of consul cluster. Only used in combination with -name-constraint. Defaults to consul.

  • -name-constraint - Add name constraints for the CA. Results in rejecting certificates for other DNS than specified. If turned on localhost and -domain will be added to the allowed DNS. If the UI is going to be served over HTTPS its DNS has to be added with -additional-constraint. It is not possible to add that after the fact! Defaults to false.

  • cluster-id - ClusterID of the consul cluster, requires -domain to be set as well. When used this will cause URIs to be set with spiffeid.

  • common-name - Common Name of CA. Defaults to Consul Agent CA.