Consul
Consul TLS CA Create
Command: consul tls ca create
This command creates a self-signed CA to be used for Consul TLS setup.
Example
Create CA:
$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem
Usage
Usage: consul tls ca create [filename-prefix] [options]
TLS CA Create Options
-additional-name-constraint=<value>
- Add name constraints for the CA. Results in rejecting certificates for DNS names other than those specified. Can be used multiple times. Only used in combination with -name-constraint.
-days=<int>
- Number of days the CA is valid for, counted from now. Defaults to 5 years.
-domain=<string>
- Domain of the Consul cluster. Only used in combination with -name-constraint. Defaults to consul.
-name-constraint
- Add name constraints for the CA. Results in rejecting certificates for DNS names other than those specified. If turned on, localhost and -domain will be added to the allowed DNS names. If the UI is going to be served over HTTPS, its DNS name has to be added with -additional-name-constraint. It is not possible to add that after the fact! Defaults to false.
-cluster-id
- ClusterID of the Consul cluster. Requires -domain to be set as well. When used, this will cause URIs to be set with spiffeid.
-common-name
- Common Name of CA. Defaults to Consul Agent CA.
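Because name constraints cannot be added after the CA exists, it is worth confirming the permitted DNS names before the CA is distributed. The script below is an added example, not part of the Consul documentation; it assumes openssl is installed, and ui.example.com and server.dc1.consul are made-up hostnames.

```shell
#!/bin/sh
# Added example, not from the Consul docs. Hostnames below are made up.

# stdin: output of `openssl x509 -noout -text`.
# stdout: one permitted DNS name per line from the Name Constraints extension.
permitted_dns() {
  awk '
    /X509v3 Name Constraints/          { nc = 1; next }
    nc && /Permitted:/                 { permit = 1; next }
    nc && /Excluded:/                  { permit = 0; next }
    nc && permit && /^[ \t]*DNS:/      { sub(/^[ \t]*DNS:/, ""); print; next }
    nc && /X509v3|Signature Algorithm/ { nc = 0; permit = 0 }
  '
}

# stdin: same openssl text. args: hostnames that certificates will be issued for.
# Prints every hostname that no permitted name covers; returns 1 if any.
# A permitted name covers itself and its subdomains (RFC 5280 DNS constraints).
# A CA without the extension reports every hostname: -name-constraint was not applied.
uncovered_names() {
  allowed=$(permitted_dns)
  rc=0
  for host in "$@"; do
    hit=1
    for p in $allowed; do
      case "$host" in "$p" | *."$p") hit=0 ;; esac
    done
    [ "$hit" -eq 0 ] || { printf '%s\n' "$host"; rc=1; }
  done
  return "$rc"
}

# Create the CA with the flags documented on this page, then check it.
# consul-ca.pem is the file name shown in the page's example output.
create_checked_ca() {
  consul tls ca create -name-constraint -domain=consul \
    -additional-name-constraint=ui.example.com || return 1
  openssl x509 -in consul-ca.pem -noout -text |
    uncovered_names server.dc1.consul localhost ui.example.com
}

# Only touch the filesystem when asked: sh check-ca.sh create
if [ "${1:-}" = "create" ]; then
  create_checked_ca
fi
```

A non-empty result means the CA has to be recreated with the missing name passed to -additional-name-constraint.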