nomad/website/content/docs/commands/tls/cert-create.mdx
James Rasell 216140255d cli: Do not always add global DNS name to certificate DNS names. (#26086)
No matter the passed region identifier, the CLI was always adding
"<role>.global.nomad" to the certificate DNS names. This is not
what we expect and has been removed.

While here, the long deprecated cluster-region flag has been
removed. This removal only impacts CLI functionality, so is safe
to do.
2025-06-25 07:35:56 +01:00


---
layout: docs
page_title: 'nomad tls cert create command reference'
description: |
  The `nomad tls cert create` command creates a server, client, or command-line interface (CLI) certificate for Transport Layer Security (TLS) configuration in your Nomad cluster.
---
# `nomad tls cert create` command reference
The `tls cert create` command creates certificates for
[TLS encryption][] in your Nomad cluster. You can then copy these to your
servers and clients. This command does not automatically update the
configuration of the agents.
## Usage
Usage: `nomad tls cert create [options]`
## Options
- `-additional-dnsname=<string>`: Provide an additional DNS name for Subject
  Alternative Names. `localhost` is always included. This flag may be provided
  multiple times.
- `-additional-ipaddress=<string>`: Provide an additional IP address for Subject
  Alternative Names. `127.0.0.1` is always included. This flag may be provided
  multiple times.
- `-ca=<string>`: Provide the path to the CA. Defaults to `#DOMAIN#-agent-ca.pem`.
- `-cli`: Generate a CLI certificate.
- `-client`: Generate a client certificate.
- `-days=<int>`: Provide the number of days the certificate is valid for from now
  on. Defaults to 1 year.
- `-domain=<string>`: Provide the domain. Matters only for `-server`
  certificates.
- `-key=<string>`: Provide the path to the key. Defaults to
  `#DOMAIN#-agent-ca-key.pem`.
- `-region=<string>`: Provide the region. Defaults to "global".
- `-server`: Generate a server certificate.
## Examples
Create a certificate for servers:
```shell-session
$ nomad tls cert create -server
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
that are not server nodes. Store them as securely as CA keys.
==> Using CA file nomad-agent-ca.pem and CA key nomad-agent-ca-key.pem
==> Server Certificate saved to global-server-nomad.pem
==> Server Certificate key saved to global-server-nomad-key.pem
```
Create a certificate for clients:
```shell-session
$ nomad tls cert create -client
==> Using CA file nomad-agent-ca.pem and CA key nomad-agent-ca-key.pem
==> Client Certificate saved to global-client-nomad.pem
==> Client Certificate key saved to global-client-nomad-key.pem
```
Create a certificate for the CLI:
```shell-session
$ nomad tls cert create -cli
==> Using CA file nomad-agent-ca.pem and CA key nomad-agent-ca-key.pem
==> Cli Certificate saved to global-cli-nomad.pem
==> Cli Certificate key saved to global-cli-nomad-key.pem
```
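The following Go program is an added example, not part of the Nomad documentation or code base. It audits a certificate's DNS Subject Alternative Names against what was requested, which catches a stray `<role>.global.nomad` entry on a certificate issued for another region. The `<role>.<region>.<domain>` name format, the function names and the sample certificate are assumptions made for the example.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"sort"
)

// parseCertPEM decodes the first PEM block and parses it as a certificate.
func parseCertPEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// auditSANs lists DNS SANs that were not requested and requested ones that are
// missing. Assumption: the region-scoped name is <role>.<region>.<domain>.
func auditSANs(cert *x509.Certificate, role, region, domain string, additional ...string) []string {
	expected := map[string]bool{"localhost": false, role + "." + region + "." + domain: false}
	for _, name := range additional {
		expected[name] = false
	}
	var findings []string
	for _, name := range cert.DNSNames {
		if _, ok := expected[name]; ok {
			expected[name] = true
		} else {
			findings = append(findings, "unexpected DNS name: "+name)
		}
	}
	for name, seen := range expected {
		if !seen {
			findings = append(findings, "missing DNS name: "+name)
		}
	}
	sort.Strings(findings) // map iteration order is random
	return findings
}

// constructed returns an in-memory stand-in for a parsed certificate (sample data).
func constructed(names ...string) *x509.Certificate { return &x509.Certificate{DNSNames: names} }

func main() {
	fmt.Println(auditSANs(constructed("server.eu-west.nomad", "server.global.nomad", "localhost"), "server", "eu-west", "nomad"))
}
```

To audit a file written by the CLI, read it with `os.ReadFile` and pass the bytes to `parseCertPEM` before calling `auditSANs`.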
[TLS encryption]: /nomad/tutorials/transport-security/security-enable-tls