---
layout: commands
page_title: 'Commands: TLS CA Create'
description: |
  The `consul tls ca create` command creates a self-signed certificate authority (CA) for TLS setup.
---

# Consul TLS CA Create

Command: `consul tls ca create`

This command creates a self-signed CA to be used for Consul TLS setup.

## Example

Create CA:

```shell-session
$ consul tls ca create
==> Saved consul-ca.pem
==> Saved consul-ca-key.pem
```

## Usage

Usage: `consul tls ca create [filename-prefix] [options]`

#### Command Options

- `-additional-name-constraint=` - Add name constraints for the CA. Certificates for DNS names other than those specified are rejected. Can be used multiple times. Only used in combination with `-name-constraint`.

- `-days=` - Number of days the CA is valid for, starting now. Defaults to 5 years.

- `-domain=` - Domain of the Consul cluster. Only used in combination with `-name-constraint`. Defaults to `consul`.

- `-name-constraint` - Add name constraints for the CA. Certificates for DNS names other than those specified are rejected. If turned on, localhost and the `-domain` value are added to the allowed DNS names. If the UI is going to be served over HTTPS, its DNS name has to be added with `-additional-name-constraint`. It is not possible to add that after the fact! Defaults to false.

- `-cluster-id` - ClusterID of the Consul cluster. Requires `-domain` to be set as well. When used, this causes URIs to be set with spiffeid.

- `-common-name` - Common Name of the CA. Defaults to `Consul Agent CA`.
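
The effect of `-name-constraint` on certificates issued later, as an added example that is not part of the Consul documentation or code base: it models RFC 5280 DNS name-constraint matching against the permitted set the option description gives (localhost, the `-domain` value, and each `-additional-name-constraint` value). The function names and the hostname `consul-ui.example.com` are constructed for illustration; IP and URI SANs are not modelled.

```python
# Added example: models RFC 5280 DNS name-constraint matching for a CA created
# with -name-constraint. Function names and hostnames are constructed samples.

def permitted_dns(domain="consul", additional=()):
    """Permitted DNS subtrees as the option text describes them: localhost,
    the -domain value, plus every -additional-name-constraint value."""
    return ["localhost", domain, *additional]

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_matches(name, constraint):
    """RFC 5280 4.2.1.10: a DNS name satisfies a constraint if it equals it or
    can be formed by adding labels on the left. Matching is per label, so
    'notconsul' does not satisfy 'consul'."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[len(n) - len(c):] == c

def check_sans(sans, permitted):
    """Map each DNS SAN to whether some permitted subtree covers it."""
    return {s: any(dns_matches(s, p) for p in permitted) for s in sans}

def cert_accepted(sans, permitted):
    """A verifier rejects the certificate if any DNS SAN is outside every
    permitted subtree of the issuing CA."""
    return all(check_sans(sans, permitted).values())

if __name__ == "__main__":
    # Constructed SAN list for a server certificate that also fronts the UI.
    sans = ["server.dc1.consul", "localhost", "consul-ui.example.com"]
    default_ca = permitted_dns()  # -name-constraint only
    ui_ca = permitted_dns(additional=["consul-ui.example.com"])
    for label, permitted in (("default", default_ca), ("with UI name", ui_ca)):
        print(label, check_sans(sans, permitted), cert_accepted(sans, permitted))
```

Because the constraint is baked into the CA certificate at creation time, a UI hostname missing from the permitted set can only be fixed by creating a new CA.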