From 694a6c03e50080bbdba418af8aaf98b50d55150d Mon Sep 17 00:00:00 2001 From: "R.B. Boyer" Date: Mon, 18 May 2020 12:01:14 -0500 Subject: [PATCH] docs: update the 'consul tls' command docs to match the current flags (#7911) --- website/pages/docs/commands/tls/ca.mdx | 13 ++++++++++ website/pages/docs/commands/tls/cert.mdx | 32 ++++++++++++++++-------- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/website/pages/docs/commands/tls/ca.mdx b/website/pages/docs/commands/tls/ca.mdx index cfacfe1d3..6e73de0be 100644 --- a/website/pages/docs/commands/tls/ca.mdx +++ b/website/pages/docs/commands/tls/ca.mdx @@ -26,4 +26,17 @@ Usage: `consul tls ca create [filename-prefix] [options]` #### TLS CA Create Options +- `-additional-name-constraint=` - Add name constraints for the CA. + Results in rejecting certificates for other DNS than specified. Can be used + multiple times. Only used in combination with `-name-constraint`. + - `-days=` - Provide number of days the CA is valid for from now on, defaults to 5 years. + +- `-domain=` - Domain of consul cluster. Only used in combination with + `-name-constraint`. Defaults to `consul`. + +- `-name-constraint` - Add name constraints for the CA. Results in rejecting + certificates for other DNS than specified. If turned on localhost and -domain + will be added to the allowed DNS. If the UI is going to be served over HTTPS + its DNS has to be added with `-additional-constraint`. It is not possible to + add that after the fact! Defaults to false. diff --git a/website/pages/docs/commands/tls/cert.mdx b/website/pages/docs/commands/tls/cert.mdx index 76eb058b7..8b15eaf7f 100644 --- a/website/pages/docs/commands/tls/cert.mdx +++ b/website/pages/docs/commands/tls/cert.mdx 
@@ -50,22 +50,34 @@ Usage: `consul tls cert create [filename-prefix] [options]` #### TLS Cert Create Options -- `-additional-dnsname=` - Provide additional dnsname for Subject Alternative Names. +- `-additional-dnsname=` - Provide an additional dnsname for Subject + Alternative Names. localhost is always included. This flag may be provided + multiple times. -- `-additional-ipaddress=` - Provide additional ipaddress for Subject Alternative Names. +- `-additional-ipaddress=` - Provide an additional ipaddress for + Subject Alternative Names. `127.0.0.1` is always included. This flag may be + provided multiple times. -- `-ca=` - Provide path to the ca +- `-ca=` - Provide path to the ca. Defaults to `#DOMAIN#-agent-ca.pem`. -- `-cli` - Generate cli certificate +- `-cli` - Generate cli certificate. -- `-client` - Generate client certificate +- `-client` - Generate client certificate. -- `-days=` - Provide number of days the certificate is valid for from now on. +- `-days=` - Provide number of days the certificate is valid for from now + on. Defaults to 1 year. -- `-dc=` - Provide the datacenter. Matters only for -server certificates +- `-dc=` - Provide the datacenter. Matters only for `-server` + certificates. Defaults to `dc1`. -- `-domain=` - Provide the domain. Matters only for -server certificates +- `-domain=` - Provide the domain. Matters only for `-server` + certificates. -- `-key=` - Provide path to the key +- `-key=` - Provide path to the key. Defaults to + `#DOMAIN#-agent-ca-key.pem`. -- `-server` - Generate server certificate +- `-node=` - When generating a server cert and this is set an + additional dns name is included of the form + `.server..`. + +- `-server` - Generate server certificate.
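Review bot: In the ca.mdx hunk, the new `-name-constraint` entry tells the reader to add the UI's DNS name with `-additional-constraint`, but the flag documented at the top of the same hunk is `-additional-name-constraint`. As written, the cross-reference names a flag the list does not contain. Since the text also says this cannot be added after the fact, the name should match exactly. Both new entries say "rejecting certificates for other DNS than specified"; "for DNS names other than those specified" would read more clearly. It would also help to wrap `localhost` and `-domain` in backticks in the `-name-constraint` entry, as the other flag references in this hunk are.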
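Review bot: In the cert.mdx hunk, the rewritten `-domain=` entry still states no default, while `-dc` now says "Defaults to `dc1`" and the ca.mdx side of this patch says `-domain` defaults to `consul`. If the same default applies here, say so in this entry. The entry also keeps "Matters only for `-server` certificates", yet the new `-ca` and `-key` defaults are `#DOMAIN#-agent-ca.pem` and `#DOMAIN#-agent-ca-key.pem`, which suggests the domain also determines which CA files are picked up. Either explain what `#DOMAIN#` stands for in those two entries or adjust the "only" wording. In the new `-node=` entry, "and this is set an additional dns name is included" needs a comma after "set".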