Consul TLS CA Create
consul tls ca create
This command creates a self-signed CA to be used for Consul TLS setup.
Create a CA:
$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem
Create a CA that signs certificates exclusively for the example.com domain:
$ consul tls ca create -name-constraint -domain example.com
==> Saved example.com-ca.pem
==> Saved example.com-ca-key.pem
Usage: consul tls ca create [options]
-additional-name-constraint=<value> - Add name constraints for the CA. Results in rejecting certificates for DNS names other than those specified. Can be used multiple times. Only used in combination with
-days=<int> - Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).
-domain=<string> - The DNS domain of the Consul cluster that agents are configured with. Defaults to consul. Only used when -name-constraint is set. Additional domains can be passed with
-name-constraint - Enables X.509 name constraints for the CA. If used, the CA only signs certificates for localhost and the domains specified by -additional-name-constraint. If Consul's UI is served over HTTPS in your deployment, add its DNS name with -additional-name-constraint as well. Defaults to
-cluster-id - ID of the Consul cluster. Sets the CA's URI with the SPIFFE ID composed of the cluster ID and domain (specified by
-common-name - Common Name of CA. Defaults to Consul Agent CA.