cli: Do not always add global DNS name to certificate DNS names. (#26086)

No matter the passed region identifier, the CLI was always adding "<role>.global.nomad" to the certificate DNS names. This is not what we expect and has been removed. While here, the long deprecated cluster-region flag has been removed. This removal only impacts CLI functionality, so is safe to do.
2026-01-01 16:05:42 +03:00 · 2025-06-25 07:35:56 +01:00
parent 27da75044e
commit 216140255d
16 changed files with 122 additions and 145 deletions
--- a/.changelog/26086.txt
+++ b/.changelog/26086.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+cli: Fixed a bug in the `tls cert create` command that always added ``"<role>.global.nomad"` to the certificate DNS names, even when the specified region was not ``"global"`.
+```
--- a/command/tls_cert_create.go
+++ b/command/tls_cert_create.go
@@ -39,16 +39,12 @@ type TLSCertCreateCommand struct {
 	// domain is used to provide a custom domain for the certificate.
 	domain string

-	// cluster_region is used to add the region name to the certifacte SAN
-	// records
-	cluster_region string
-
 	// key is used to set the custom CA certificate key when creating
 	// certificates.
 	key string

-	// cluster_region is used to add the region name to the certifacte SAN
-	// records
+	// region is used to add the Nomad region name to the certificate SAN
+	// records.
 	region string

 	server bool
@@ -82,9 +78,6 @@ Certificate Create Options:
  -client
    Generate a client certificate.

-  -cluster-region
-    DEPRECATED please use -region.
-
  -days
    Provide number of days the certificate is valid for from now on.
    Defaults to 1 year.
@@ -141,8 +134,6 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
 	flagSet.StringVar(&c.ca, "ca", "#DOMAIN#-agent-ca.pem", "")
 	flagSet.BoolVar(&c.cli, "cli", false, "")
 	flagSet.BoolVar(&c.client, "client", false, "")
-	// cluster region will be deprecated in the next version
-	flagSet.StringVar(&c.cluster_region, "cluster-region", "", "")
 	flagSet.IntVar(&c.days, "days", 365, "")
 	flagSet.StringVar(&c.domain, "domain", "nomad", "")
 	flagSet.StringVar(&c.key, "key", "#DOMAIN#-agent-ca-key.pem", "")
@@ -176,7 +167,7 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
 	var dnsNames []string
 	var ipAddresses []net.IP
 	var extKeyUsage []x509.ExtKeyUsage
-	var name, regionName, prefix string
+	var name, prefix string

 	for _, d := range c.dnsNames {
 		if len(d) > 0 {
@@ -190,24 +181,21 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
 		}
 	}

-	// set region variable to prepare for deprecating cluster_region
-	switch {
-	case c.cluster_region != "":
-		regionName = c.cluster_region
-	case c.clientConfig().Region != "" && c.clientConfig().Region != "global":
-		regionName = c.clientConfig().Region
-	default:
-		regionName = "global"
+	regionIdentifier := "global"
+
+	if r := c.clientConfig().Region; r != "" {
+		regionIdentifier = r
 	}

-	// Set dnsNames and ipAddresses based on whether this is a client, server or cli
+	// Set dnsNames and ipAddresses based on whether this is a client, server or
+	// cli.
 	switch {
 	case c.server:
-		ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("server", regionName, c.domain, dnsNames, ipAddresses)
+		ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("server", regionIdentifier, c.domain, dnsNames, ipAddresses)
 	case c.client:
-		ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("client", regionName, c.domain, dnsNames, ipAddresses)
+		ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("client", regionIdentifier, c.domain, dnsNames, ipAddresses)
 	case c.cli:
-		ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("cli", regionName, c.domain, dnsNames, ipAddresses)
+		ipAddresses, dnsNames, name, extKeyUsage, prefix = recordPreparation("cli", regionIdentifier, c.domain, dnsNames, ipAddresses)
 	default:
 		c.Ui.Error("Neither client, cli nor server - should not happen")
 		return 1
@@ -301,36 +289,29 @@ func (c *TLSCertCreateCommand) Run(args []string) int {
 	return 0
 }

-func recordPreparation(certType string, regionName string, domain string, dnsNames []string, ipAddresses []net.IP) ([]net.IP, []string, string, []x509.ExtKeyUsage, string) {
-	var (
-		extKeyUsage             []x509.ExtKeyUsage
-		name, regionUrl, prefix string
-	)
+func recordPreparation(certType, regionName, domain string, dnsNames []string, ipAddresses []net.IP) (
+	[]net.IP, []string, string, []x509.ExtKeyUsage, string) {
+
+	var extKeyUsage []x509.ExtKeyUsage
+
 	if certType == "server" || certType == "client" {
 		extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
 		ipAddresses = append(ipAddresses, net.ParseIP("127.0.0.1"))
 	} else if certType == "cli" {
 		extKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
 	}
-	// prefix is used to generate the filename for the certificate before writing to disk.
-	prefix = fmt.Sprintf("%s-%s-%s", regionName, certType, domain)
-	regionUrl = fmt.Sprintf("%s.%s.nomad", certType, regionName)
-	name = fmt.Sprintf("%s.%s.%s", certType, regionName, domain)

-	if regionName != "global" && domain != "nomad" {
-		dnsNames = append(dnsNames, name, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost")
-	}
+	// Generate the file prefix used to write the certificate and key files to
+	// local disk.
+	prefix := fmt.Sprintf("%s-%s-%s", regionName, certType, domain)

-	if regionName != "global" && domain == "nomad" {
-		dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.global.nomad", certType), "localhost")
-	}
+	// The TLS common name is a combination of the certificate role (server,
+	// client, or cli), the Nomad region name, and the domain.
+	commonName := fmt.Sprintf("%s.%s.%s", certType, regionName, domain)

-	if regionName == "global" && domain != "nomad" {
-		dnsNames = append(dnsNames, regionUrl, fmt.Sprintf("%s.%s.%s", certType, regionName, domain), "localhost")
-	}
+	// Generate a new list of DNS names which includes the original array, the
+	// common name, and "localhost".
+	dnsNames = append(dnsNames, commonName, "localhost")

-	if regionName == "global" && domain == "nomad" {
-		dnsNames = append(dnsNames, name, "localhost")
-	}
-	return ipAddresses, dnsNames, name, extKeyUsage, prefix
+	return ipAddresses, dnsNames, commonName, extKeyUsage, prefix
 }
--- a/command/tls_cert_create_test.go
+++ b/command/tls_cert_create_test.go
@@ -107,7 +107,6 @@ func TestTlsCertCreateCommandDefaults_fileCreate(t *testing.T) {
 			"server.region1.nomad",
 			[]string{
 				"server.region1.nomad",
-				"server.global.nomad",
 				"localhost",
 			},
 			[]net.IP{{127, 0, 0, 1}},
@@ -217,7 +216,6 @@ func TestTlsRecordPreparation(t *testing.T) {
 			expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
 			expectedDNSNames: []string{
 				"server.region1.nomad",
-				"server.global.nomad",
 				"localhost",
 			},
 			expectedName:        "server.region1.nomad",
@@ -233,7 +231,6 @@ func TestTlsRecordPreparation(t *testing.T) {
 			ipAddresses:         []string{},
 			expectedipAddresses: []net.IP{net.ParseIP("127.0.0.1")},
 			expectedDNSNames: []string{
-				"server.global.nomad",
 				"server.global.domain1",
 				"localhost",
 			},
--- a/helper/tlsutil/testdata/badRegion-client-bad-key.pem
+++ b/helper/tlsutil/testdata/badRegion-client-bad-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIEbr9QQxvZRlT+WFHAZnw/pwsNhGkbHVtkRWSTfYh0GtoAoGCCqGSM49
-AwEHoUQDQgAEdmOVwqDMhWyP/YXJekbyILsk4CV6L9W0mK3MjD148g0XjhT8yDUL
-FHFqm8bNNAO+gBbI1EDS8TpHIWtiQ86QSg==
+MHcCAQEEIKk8d2emRn2ogBXZY6vrZzN/LWr0+nloUfUDVaTMa25ooAoGCCqGSM49
+AwEHoUQDQgAEyHsxg78wuPB8FG45YJIjDy5XNvkRuF7kge3Qto2NMUObdXlpYEBM
+kBi5s5ow4Bqjp9LpQFT77Ts+xpFqZ3mi2A==
 -----END EC PRIVATE KEY-----
--- a/helper/tlsutil/testdata/badRegion-client-bad.pem
+++ b/helper/tlsutil/testdata/badRegion-client-bad.pem
@@ -1,18 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICzzCCAnWgAwIBAgIRAIFUltA5xgNPcFFlo2aKtIcwCgYIKoZIzj0EAwIwgbgx
+MIICozCCAkigAwIBAgIRAPZum3AsvBr+eZ5eX1cBrtcwCgYIKoZIzj0EAwIwgbgx
 CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
 bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
 FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
-MTU5MTUzODQ3MzA3OTM3NDc0Mzk0MzkzMDI3NzEwMTg0MTQxNTA4MB4XDTI1MDUw
-MjEyMDc1OVoXDTI2MDUwMjEyMDc1OVowHzEdMBsGA1UEAxMUY2xpZW50LmJhZFJl
-Z2lvbi5iYWQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR2Y5XCoMyFbI/9hcl6
-RvIguyTgJXov1bSYrcyMPXjyDReOFPzINQsUcWqbxs00A76AFsjUQNLxOkcha2JD
-zpBKo4H3MIH0MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
-KwYBBQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgWG3m916eQoU94ufqaBPi
-812f+iKn0HmqJ0hdqjxjxGMwKwYDVR0jBCQwIoAgCFCUC6vPCT2XDvuGJ7CFIuRI
-p68R+n3y0VB8/nBfe9owXQYDVR0RBFYwVIIUY2xpZW50LmJhZFJlZ2lvbi5iYWSC
-FmNsaWVudC5iYWRSZWdpb24ubm9tYWSCE2NsaWVudC5nbG9iYWwubm9tYWSCCWxv
-Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiEApczLizCiPhkoDDOzouO0
-z5XsRN0z60srWf+1cfU9A34CIGQnoGDM943exxkQQe6ZBI6BR1nfB/IemxNlvrMs
-K+s4
+MTU5MTUzODQ3MzA3OTM3NDc0Mzk0MzkzMDI3NzEwMTg0MTQxNTA4MB4XDTI1MDYy
+MDEyNTI0MFoXDTI2MDYyMDEyNTI0MFowHzEdMBsGA1UEAxMUY2xpZW50LmJhZFJl
+Z2lvbi5iYWQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATIezGDvzC48HwUbjlg
+kiMPLlc2+RG4XuSB7dC2jY0xQ5t1eWlgQEyQGLmzmjDgGqOn0ulAVPvtOz7GkWpn
+eaLYo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgEd/0T23L8jJLRtwWl1+5
+qYyBqm9nlfsIZm+vaYBSVPYwKwYDVR0jBCQwIoAgCFCUC6vPCT2XDvuGJ7CFIuRI
+p68R+n3y0VB8/nBfe9owMAYDVR0RBCkwJ4IUY2xpZW50LmJhZFJlZ2lvbi5iYWSC
+CWxvY2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNJADBGAiEAyTdYI/7s5tY+RJjz
+5n/jBPyISA+trpcXwYNJ4qQbo+wCIQDuYlit9Gi9DLkLgGd8vsvcLy+j3b9qBE3Y
+r08brTf1zQ==
 -----END CERTIFICATE-----
--- a/helper/tlsutil/testdata/badRegion-server-bad-key.pem
+++ b/helper/tlsutil/testdata/badRegion-server-bad-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIJXs4LOqeaYEyWLjc/d1dyDMfgIU5UQRxcVoRivOPMcioAoGCCqGSM49
-AwEHoUQDQgAEdffb4T11XNYkIMJHawSigBhGRGw8cD9TB663nWG8AgWh/V9uk9mw
-yWcoRETDx7Y4athINsD66fRwelKNN/SMnw==
+MHcCAQEEIFYpihoMQZc5KiQnRhbjuG3Z3Zz+6CZmPBrlGnL2ISrWoAoGCCqGSM49
+AwEHoUQDQgAESOj4nVa+vZO7V/LZN+mPl3iIgYhFciOrSTJhy4qjQgOqo/PTH6jZ
+U7lRHNDSMGUPATbqapL/tlv19UB3Bkuvdg==
 -----END EC PRIVATE KEY-----
--- a/helper/tlsutil/testdata/badRegion-server-bad.pem
+++ b/helper/tlsutil/testdata/badRegion-server-bad.pem
@@ -1,18 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICzzCCAnSgAwIBAgIQa3qvui9MXrlD1JulWcYlGjAKBggqhkjOPQQDAjCBuDEL
+MIICoDCCAkegAwIBAgIQEA4wMi/TMrcu3WC6wB+1CjAKBggqhkjOPQQDAjCBuDEL
 MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
 MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
 BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAx
-NTkxNTM4NDczMDc5Mzc0NzQzOTQzOTMwMjc3MTAxODQxNDE1MDgwHhcNMjUwNTAy
-MTIwNzU5WhcNMjYwNTAyMTIwNzU5WjAfMR0wGwYDVQQDExRzZXJ2ZXIuYmFkUmVn
-aW9uLmJhZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHX32+E9dVzWJCDCR2sE
-ooAYRkRsPHA/Uweut51hvAIFof1fbpPZsMlnKEREw8e2OGrYSDbA+un0cHpSjTf0
-jJ+jgfcwgfQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
-BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAZeiGRew0bfMMbbJ+U5dHS
-dfGgA+rI+aqUj25tDSlmDzArBgNVHSMEJDAigCAIUJQLq88JPZcO+4YnsIUi5Ein
-rxH6ffLRUHz+cF972jBdBgNVHREEVjBUghRzZXJ2ZXIuYmFkUmVnaW9uLmJhZIIW
-c2VydmVyLmJhZFJlZ2lvbi5ub21hZIITc2VydmVyLmdsb2JhbC5ub21hZIIJbG9j
-YWxob3N0hwR/AAABMAoGCCqGSM49BAMCA0kAMEYCIQDzIf0rL1FAYn5KSxhfVKdJ
-dGkYqeiL9YUsAw72uFxHbgIhAKqK1JNRv53rBAjzmjZJw/5Xn7TE8nnbDuYyKnxG
-S7eT
+NTkxNTM4NDczMDc5Mzc0NzQzOTQzOTMwMjc3MTAxODQxNDE1MDgwHhcNMjUwNjIw
+MTI1MjQwWhcNMjYwNjIwMTI1MjQwWjAfMR0wGwYDVQQDExRzZXJ2ZXIuYmFkUmVn
+aW9uLmJhZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEjo+J1Wvr2Tu1fy2Tfp
+j5d4iIGIRXIjq0kyYcuKo0IDqqPz0x+o2VO5URzQ0jBlDwE26mqS/7Zb9fVAdwZL
+r3ajgcowgccwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
+BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBa/ZDAdDv0vC8t//nHWvq3
+3xY+0Zp76TtJ27abvhOmazArBgNVHSMEJDAigCAIUJQLq88JPZcO+4YnsIUi5Ein
+rxH6ffLRUHz+cF972jAwBgNVHREEKTAnghRzZXJ2ZXIuYmFkUmVnaW9uLmJhZIIJ
+bG9jYWxob3N0hwR/AAABMAoGCCqGSM49BAMCA0cAMEQCIHJuKQNm4jgAx++eOL84
+mrUWBEaezWpk2efZLcPdGsWSAiA3R80THTDKwlzpspVqggvyNRbk+k7cYQRr4pcY
+ty6nBQ==
 -----END CERTIFICATE-----
--- a/helper/tlsutil/testdata/global-client-nomad-key.pem
+++ b/helper/tlsutil/testdata/global-client-nomad-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIJShzvcArPG0/VBQBenDVEOdlqK0c05GOZsK7+lwynMcoAoGCCqGSM49
-AwEHoUQDQgAETXS/uB8i2LnrhIkHS9zjVEa14CAkz53QZPIEKpwIbF1OxcVWhXkx
-rpSc2JQpERbIDAIvHkqsZbAjVQU9hmvrvg==
+MHcCAQEEID5Gr6PKtaffTAmqejQXR+NGXMAcCulRLf86TVs577Q+oAoGCCqGSM49
+AwEHoUQDQgAEyo1HmrxdII2+L5TyY9jPluzo031FF6BC5VXaP8PbPnD1G49vlm7Q
+W0xVOqKUwJF5MnrXfzoBnTZcdIrPruuDdw==
 -----END EC PRIVATE KEY-----
--- a/helper/tlsutil/testdata/global-client-nomad.pem
+++ b/helper/tlsutil/testdata/global-client-nomad.pem
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICoDCCAkWgAwIBAgIQJsb/Lvp0/3ZYEmdrXK5s6TAKBggqhkjOPQQDAjCBuDEL
-MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
-MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
-BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAy
-NjIwNjI1NjE0NTQ4NDA3MDEwNjQ0NzU5ODQyMjMzMTQ1NDI2NzIwHhcNMjUwNTAy
-MTIwNjIyWhcNMjYwNTAyMTIwNjIyWjAeMRwwGgYDVQQDExNjbGllbnQuZ2xvYmFs
-Lm5vbWFkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETXS/uB8i2LnrhIkHS9zj
-VEa14CAkz53QZPIEKpwIbF1OxcVWhXkxrpSc2JQpERbIDAIvHkqsZbAjVQU9hmvr
-vqOByTCBxjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
-AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIFACuyxFeOccwzTiOpsf2kz2
-170j7ksaJcdvmDBIcl89MCsGA1UdIwQkMCKAIDVSNgVCiLhcb7DNl8fNlceCmoDH
-eNrYzpWdMHHtwcQcMC8GA1UdEQQoMCaCE2NsaWVudC5nbG9iYWwubm9tYWSCCWxv
-Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNJADBGAiEA4ixue8guhYI9c7E0wlDF
-zYIeopTlFnrDGbrd7FPqDSECIQDFly6cAQ9mQejWEzsdv520jc71U3UC77lcdLbs
-4d/y0A==
+MIICoTCCAkagAwIBAgIRAN/p3iuXI/+dJX3wshZUwyAwCgYIKoZIzj0EAwIwgbgx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
+bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
+FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
+MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDYy
+MDEyNTA1NloXDTI2MDYyMDEyNTA1NlowHjEcMBoGA1UEAxMTY2xpZW50Lmdsb2Jh
+bC5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMqNR5q8XSCNvi+U8mPY
+z5bs6NN9RRegQuVV2j/D2z5w9RuPb5Zu0FtMVTqilMCReTJ61386AZ02XHSKz67r
+g3ejgckwgcYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
+BgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCAaW8uBoxrKhEjNXKEPXiMr
+nQaDH9Npipl/CCP1V+CrlzArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXHgpqA
+x3ja2M6VnTBx7cHEHDAvBgNVHREEKDAmghNjbGllbnQuZ2xvYmFsLm5vbWFkggls
+b2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAJIUMdRmMJSi3hT5PU/W
+G0hJJG8Vxh7VT8ebNxnz9VhGAiEAnfBPT+JsgEMqlX7nZPFGhoOKIOfuozaWSbBz
+hAsns14=
 -----END CERTIFICATE-----
--- a/helper/tlsutil/testdata/global-server-nomad-key.pem
+++ b/helper/tlsutil/testdata/global-server-nomad-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIHtMohNhWUCJ7+5iEFE0xVcmjO+8HtZ/Xy6YTraBykZooAoGCCqGSM49
-AwEHoUQDQgAEG0x5ksFPi1LA4pDOewaYaMXE5ML9vmYaOttoFbgRfaSowSBx6wpa
-fN6b565RRhRuPkI8eQa6hwSJL1JSlBwdhQ==
+MHcCAQEEIF7gRiwEqYZhlloKsMyAMZ0zynvDVyUimEAEnI43z7/RoAoGCCqGSM49
+AwEHoUQDQgAEQ1wTyHo3vjISeiL5ql7e03zUYeQRTdl2iOeqfTyn6dITR0mgsPe/
+qzPhlGMlW+/2aFkIvmvkD0JumTu6wIPqyQ==
 -----END EC PRIVATE KEY-----
--- a/helper/tlsutil/testdata/global-server-nomad.pem
+++ b/helper/tlsutil/testdata/global-server-nomad.pem
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICnzCCAkWgAwIBAgIQVReOD344n4OOValJVWIapjAKBggqhkjOPQQDAjCBuDEL
+MIICnzCCAkWgAwIBAgIQHj3goiF3rxOXBp5KyJPVuDAKBggqhkjOPQQDAjCBuDEL
 MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
 MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
 BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZOb21hZCBBZ2VudCBDQSAy
-NjIwNjI1NjE0NTQ4NDA3MDEwNjQ0NzU5ODQyMjMzMTQ1NDI2NzIwHhcNMjUwNTAy
-MTIwNjIyWhcNMjYwNTAyMTIwNjIyWjAeMRwwGgYDVQQDExNzZXJ2ZXIuZ2xvYmFs
-Lm5vbWFkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEG0x5ksFPi1LA4pDOewaY
-aMXE5ML9vmYaOttoFbgRfaSowSBx6wpafN6b565RRhRuPkI8eQa6hwSJL1JSlBwd
-haOByTCBxjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
-AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIDj3UwkShqXCLRBqp8AztARh
-PgpKwXTXs8HV12AegN8YMCsGA1UdIwQkMCKAIDVSNgVCiLhcb7DNl8fNlceCmoDH
+NjIwNjI1NjE0NTQ4NDA3MDEwNjQ0NzU5ODQyMjMzMTQ1NDI2NzIwHhcNMjUwNjIw
+MTI1MDU2WhcNMjYwNjIwMTI1MDU2WjAeMRwwGgYDVQQDExNzZXJ2ZXIuZ2xvYmFs
+Lm5vbWFkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQ1wTyHo3vjISeiL5ql7e
+03zUYeQRTdl2iOeqfTyn6dITR0mgsPe/qzPhlGMlW+/2aFkIvmvkD0JumTu6wIPq
+yaOByTCBxjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEIFUATGblzDY9ZPhh2Hxqtcq9
+Ik/SOt+csC4sbDlHx0bAMCsGA1UdIwQkMCKAIDVSNgVCiLhcb7DNl8fNlceCmoDH
 eNrYzpWdMHHtwcQcMC8GA1UdEQQoMCaCE3NlcnZlci5nbG9iYWwubm9tYWSCCWxv
-Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiBLWW+t+HR8pFlisUXF8fVQ
-vGvw5Q3zzuMmghNdMfulqAIhAJLT64jAXQFmFNeJpMMQO7NbhV1cLHf8tXo2GOCE
-ipU0
+Y2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiBi9n1J2vwM4Eh18pY9qdZd
+28h+3cpQYbFGLCcEjknXgQIhAPPxdhNbQ6fyuwDrkbF/gOUftTUtNhhpO8DY3Zjv
+mTMt
 -----END CERTIFICATE-----
--- a/helper/tlsutil/testdata/regionFoo-client-nomad-key.pem
+++ b/helper/tlsutil/testdata/regionFoo-client-nomad-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIIti9mUkwepjy83t+p4sR2vt+1LoWDBTB5XxOu5k3LHzoAoGCCqGSM49
-AwEHoUQDQgAEu5MA5D0M20MnluzjwAPH3taoSNGdpEFOgED2m5o+G1yWnBu5YaHu
-Hx6xsGyvyAT1GZ2BZiMVY8aQPPUpBvdHTQ==
+MHcCAQEEIC6Zb2A2b0eHOL1P0TreEeyyPhF7ga4tHRQy1oBPENmDoAoGCCqGSM49
+AwEHoUQDQgAEDkAbolF7vLkCF/cNglYmBP3TK6TwpwSTR60AneZKyXLY9ZjQND17
+X9avu80cyJkktcKMXMDV2iHowPxWmlxAjA==
 -----END EC PRIVATE KEY-----
--- a/helper/tlsutil/testdata/regionFoo-client-nomad.pem
+++ b/helper/tlsutil/testdata/regionFoo-client-nomad.pem
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICuzCCAmGgAwIBAgIRAPnUAMiIhB6p3fddfmZQliMwCgYIKoZIzj0EAwIwgbgx
+MIICpjCCAkygAwIBAgIRAL9bNTwXnAjd6l7LeWLFpucwCgYIKoZIzj0EAwIwgbgx
 CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
 bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
 FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
-MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDUw
-MjEyMDk0NFoXDTI2MDUwMjEyMDk0NFowITEfMB0GA1UEAxMWY2xpZW50LnJlZ2lv
-bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLuTAOQ9DNtDJ5bs
-48ADx97WqEjRnaRBToBA9puaPhtclpwbuWGh7h8esbBsr8gE9RmdgWYjFWPGkDz1
-KQb3R02jgeEwgd4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBHcLp6utfmnR9b8wvt
-7QDzBzd/s4PGriiFaZfAHSZlQzArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH
-gpqAx3ja2M6VnTBx7cHEHDBHBgNVHREEQDA+ghZjbGllbnQucmVnaW9uRm9vLm5v
-bWFkghNjbGllbnQuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZI
-zj0EAwIDSAAwRQIgdOu1JQrrMH43dbFFsbxETXQr2USdq6ZJ0WBOkd/mTGkCIQDl
-lNgf8BQsbnOSNT+ZpiIk00ifUVvpHNnnL2Pv3OZmGA==
+MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDYy
+MDEyNTEyMFoXDTI2MDYyMDEyNTEyMFowITEfMB0GA1UEAxMWY2xpZW50LnJlZ2lv
+bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABA5AG6JRe7y5Ahf3
+DYJWJgT90yuk8KcEk0etAJ3mSsly2PWY0DQ9e1/Wr7vNHMiZJLXCjFzA1doh6MD8
+VppcQIyjgcwwgckwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCD1NbLrtvFb+0vhwdb+
+Y+9FKsZKypoqQBy1Wgu4GMv+XDArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH
+gpqAx3ja2M6VnTBx7cHEHDAyBgNVHREEKzApghZjbGllbnQucmVnaW9uRm9vLm5v
+bWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgNIS7OemovXSg
+gShooyH9s/6/KDhE7hBWP80tkfU9VTkCIQC6lYDoq2IPaL0pqzFy1Z5BUdIeTUJh
+PYKQ8PrLAbNJLQ==
 -----END CERTIFICATE-----
--- a/helper/tlsutil/testdata/regionFoo-server-nomad-key.pem
+++ b/helper/tlsutil/testdata/regionFoo-server-nomad-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIPpZY+Oy7aj127fsvANb9bQCJ+X6jPZLgXC6RrrozjzioAoGCCqGSM49
-AwEHoUQDQgAErhTVsvE0FIT66/kZfrP4se5sTxZK60BVoCCuQOKBW47VUgZbIjjF
-zhoSCyXko3Z1NET7FxwyOSGjdXOF5m5yZA==
+MHcCAQEEIAL8PR3BeBaVaAalDh3RkusdUjyVIHR+OGYRXTVOKEdcoAoGCCqGSM49
+AwEHoUQDQgAEK8IsGS6VJdf1Ik14y+PgBOZdVJRZDlKFlvU0isVEnoSAmmFjoZpT
+wgTAf0QdoCwlfakwqljmbmE5E/QrA3ySCw==
 -----END EC PRIVATE KEY-----
--- a/helper/tlsutil/testdata/regionFoo-server-nomad.pem
+++ b/helper/tlsutil/testdata/regionFoo-server-nomad.pem
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICuzCCAmGgAwIBAgIRAJ2sg8BGYUbhmhraFRZIXhgwCgYIKoZIzj0EAwIwgbgx
+MIICpzCCAkygAwIBAgIRAOgSVlcFdzGslL3laKW29Z0wCgYIKoZIzj0EAwIwgbgx
 CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
 bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
 FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Tm9tYWQgQWdlbnQgQ0Eg
-MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDUw
-MjEyMDk0M1oXDTI2MDUwMjEyMDk0M1owITEfMB0GA1UEAxMWc2VydmVyLnJlZ2lv
-bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABK4U1bLxNBSE+uv5
-GX6z+LHubE8WSutAVaAgrkDigVuO1VIGWyI4xc4aEgsl5KN2dTRE+xccMjkho3Vz
-heZucmSjgeEwgd4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCCl/G2fQsqZaGSzTY6Y
-szXpu5V6d0k1XbVa9xrjksEmzDArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH
-gpqAx3ja2M6VnTBx7cHEHDBHBgNVHREEQDA+ghZzZXJ2ZXIucmVnaW9uRm9vLm5v
-bWFkghNzZXJ2ZXIuZ2xvYmFsLm5vbWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZI
-zj0EAwIDSAAwRQIhALMTV8TEhQ4gAni39w26nxrtKYJCTTST12oATeOvhq70AiBw
-yKcrkJuD0p4F9+0Z9NC0CiindYtn+3mWGmDb5ohOmw==
+MjYyMDYyNTYxNDU0ODQwNzAxMDY0NDc1OTg0MjIzMzE0NTQyNjcyMB4XDTI1MDYy
+MDEyNTEyMFoXDTI2MDYyMDEyNTEyMFowITEfMB0GA1UEAxMWc2VydmVyLnJlZ2lv
+bkZvby5ub21hZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCvCLBkulSXX9SJN
+eMvj4ATmXVSUWQ5ShZb1NIrFRJ6EgJphY6GaU8IEwH9EHaAsJX2pMKpY5m5hORP0
+KwN8kgujgcwwgckwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBf0aPAgkM3OB1at2BG
+IkN+gpuXXNToVgdtVc39cGAAbTArBgNVHSMEJDAigCA1UjYFQoi4XG+wzZfHzZXH
+gpqAx3ja2M6VnTBx7cHEHDAyBgNVHREEKzApghZzZXJ2ZXIucmVnaW9uRm9vLm5v
+bWFkgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAICI9TqZTmd5
+t9Pc99FyOhEYb0Ql8djO/3XdeLOQa91lAiEAkMU2sSheRbUZCa5GAQlHNYPsUs50
+qgTsuoR6u4512rw=
 -----END CERTIFICATE-----
--- a/website/content/docs/commands/tls/cert-create.mdx
+++ b/website/content/docs/commands/tls/cert-create.mdx
@@ -35,8 +35,6 @@ Usage: `nomad tls cert create [options]`
 - `-days=<int>`: Provide number of days the certificate is valid for from now
  on. Defaults to 1 year.

- `-cluster-region=<string>`: DEPRECATED please use `-region`.
-
 - `-domain=<string>`: Provide the domain. Matters only for `-server`
  certificates.