
»Consul TLS CA Create

Command: consul tls ca create

This command creates a self-signed CA to be used for Consul TLS setup.

»Example

Create CA:

$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem

»Usage

Usage: consul tls ca create [filename-prefix] [options]

»TLS CA Create Options

  • -additional-name-constraint=<value> - Add name constraints for the CA. Certificates for DNS names other than those specified are rejected. Can be used multiple times. Only used in combination with -name-constraint.

  • -days=<int> - Provide number of days the CA is valid for from now on, defaults to 5 years.

  • -domain=<string> - Domain of consul cluster. Only used in combination with -name-constraint. Defaults to consul.

  • -name-constraint - Add name constraints for the CA. Certificates for DNS names other than those specified are rejected. If turned on, localhost and -domain are added to the allowed DNS names. If the UI is going to be served over HTTPS, its DNS name has to be added with -additional-name-constraint. It is not possible to add that after the fact! Defaults to false.

  • -cluster-id - ClusterID of the consul cluster, requires -domain to be set as well. When used, this causes URIs to be set with spiffeid.

  • -common-name - Common Name of CA. Defaults to Consul Agent CA.
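
The effect of -name-constraint on certificate validation, as an added example that is not part of the original page and is not Consul's own code: a throwaway CA permitted only for `consul` and `localhost` (the defaults described above) accepts a leaf under the cluster domain and rejects one for an unlisted UI hostname. The helper names `sign` and `VerifyUnderConstrainedCA` and both hostnames are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent using signer and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyUnderConstrainedCA (illustrative helper) builds a CA limited to the permitted DNS names and verifies a leaf for dnsName.
func VerifyUnderConstrainedCA(permitted []string, dnsName string) error {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 with rand.Reader: error not expected
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "Example Constrained CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: true}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed, like the CA this command creates
	if err != nil {
		return err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na, DNSNames: []string{dnsName}}
	leaf, err := sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	for _, name := range []string{"server.dc1.consul", "ui.example.com"} { // constructed sample hostnames
		fmt.Printf("%s -> %v\n", name, VerifyUnderConstrainedCA([]string{"consul", "localhost"}, name))
	}
}
```

Passing the UI hostname in the permitted list, which corresponds to -additional-name-constraint, makes the second verification succeed.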
