Consul
Consul TLS CA Create
Command: consul tls ca create
This command creates a self-signed CA to be used for Consul TLS setup.
Examples
Create a CA:
$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem
Create a CA that signs certificates exclusively for the example.com domain:
$ consul tls ca create -name-constraint -domain example.com
==> Saved example.com-ca.pem
==> Saved example.com-ca-key.pem
Usage
Usage: consul tls ca create [options]
Command Options
-additional-name-constraint=<value> - Adds name constraints for the CA. Results in rejecting certificates for DNS names other than those specified. Can be used multiple times. Only used in combination with -name-constraint.
-days=<int> - Number of days the CA is valid for. Defaults to 1825 days (approximately 5 years).
-domain=<string> - The DNS domain of the Consul cluster that agents are configured with. Defaults to consul. Only used when -name-constraint is set. Additional domains can be passed with -additional-name-constraint.
-name-constraint - Enables X.509 name constraints for the CA. If used, the CA only signs certificates for localhost and the domains specified by -domain and -additional-name-constraint. If Consul's UI is served over HTTPS in your deployment, add its DNS name with -additional-name-constraint as well. Defaults to false.
-cluster-id - ID of the Consul cluster. Sets the CA's URI with the SPIFFE ID composed of the cluster ID and domain (specified by -domain or consul by default).
-common-name - Common Name of the CA. Defaults to Consul Agent CA.
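What -name-constraint means for anyone validating a chain, shown as an added example (not Consul's own code and not part of the original page): a Go program using only the standard library builds a throwaway CA whose permitted DNS domains are example.com and localhost, as in the second example above, and verifies one leaf inside and one outside those domains. The CA subject, the host names and the helper names check, issue and verifyLeaf are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // setup failures abort, so verifyLeaf's error is only the chain check
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl under parent with signer and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// verifyLeaf has a CA limited to the permitted domains sign a leaf for dnsName, then verifies the chain.
func verifyLeaf(permitted []string, dnsName string) error {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	from, to := time.Now().Add(-time.Minute), time.Now().AddDate(0, 0, 1825)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: true} // the name constraints extension
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{dnsName}, NotBefore: from, NotAfter: to}
	ca := issue(caTmpl, caTmpl, caPub, caKey)
	leaf := issue(leafTmpl, ca, leafPub, caKey) // signing succeeds: the constraint is enforced by verifiers
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

func main() {
	fmt.Println("in-domain:", verifyLeaf([]string{"example.com", "localhost"}, "server.dc1.example.com"))
	fmt.Println("off-domain:", verifyLeaf([]string{"example.com", "localhost"}, "server.dc1.other.test"))
}
```

The off-domain leaf carries a valid signature from the CA key and is still rejected at verification, which is the containment a name-constrained CA provides if its key is misused.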