118 lines
3.5 KiB
Plaintext
118 lines
3.5 KiB
Plaintext
---
|
|
layout: commands
|
|
page_title: 'Commands: Connect CA'
|
|
description: >
|
|
The connect CA subcommand is used to view and modify the Connect Certificate
|
|
Authority (CA) configuration.
|
|
---
|
|
|
|
# Consul Connect Certificate Authority (CA)
|
|
|
|
Command: `consul connect ca`
|
|
|
|
The CA connect command is used to interact with Consul Connect's Certificate Authority
|
|
subsystem. The command can be used to view or modify the current CA configuration. See the
|
|
[Connect CA documentation](/docs/connect/ca) for more information.
|
|
|
|
```text
|
|
Usage: consul connect ca <subcommand> [options] [args]
|
|
|
|
This command has subcommands for interacting with Consul Connect's
|
|
Certificate Authority (CA).
|
|
|
|
Here are some simple examples, and more detailed examples are available
|
|
in the subcommands or the documentation.
|
|
|
|
Get the configuration:
|
|
|
|
$ consul connect ca get-config
|
|
|
|
Update the configuration:
|
|
|
|
$ consul connect ca set-config -config-file ca.json
|
|
|
|
For more examples, ask for subcommand help or view the documentation.
|
|
|
|
Subcommands:
|
|
get-config Display the current Connect Certificate Authority (CA) configuration
|
|
set-config Modify the current Connect CA configuration
|
|
```
|
|
|
|
## get-config
|
|
|
|
This command displays the current CA configuration.
|
|
|
|
The table below shows this command's [required ACLs](/api#authentication). Configuration of
|
|
[blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching)
|
|
are not supported from commands, but may be from the corresponding HTTP endpoint.
|
|
|
|
| ACL Required |
|
|
| ---------------- |
|
|
| `operator:write` |
|
|
|
|
Usage: `consul connect ca get-config [options]`
|
|
|
|
Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/ca/configuration](/api-docs/connect/ca#get-ca-configuration)
|
|
|
|
#### API Options
|
|
|
|
@include 'http_api_options_client.mdx'
|
|
|
|
@include 'http_api_options_server.mdx'
|
|
|
|
The output looks like this:
|
|
|
|
```
|
|
{
|
|
"Provider": "consul",
|
|
"Config": {},
|
|
"CreateIndex": 5,
|
|
"ModifyIndex": 197
|
|
}
|
|
```
|
|
|
|
## set-config
|
|
|
|
Modifies the current CA configuration. If this results in a new root certificate
|
|
being used, the [Root Rotation](/docs/connect/ca#root-certificate-rotation) process
|
|
will be triggered.
|
|
|
|
The table below shows this command's [required ACLs](/api#authentication). Configuration of
|
|
[blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching)
|
|
are not supported from commands, but may be from the corresponding HTTP endpoint.
|
|
|
|
| ACL Required |
|
|
| ---------------- |
|
|
| `operator:write` |
|
|
|
|
Usage: `consul connect ca set-config [options]`
|
|
|
|
Corresponding HTTP API Endpoint: [\[PUT\] /v1/connect/ca/configuration](/api-docs/connect/ca#update-ca-configuration)
|
|
|
|
#### API Options
|
|
|
|
@include 'http_api_options_client.mdx'
|
|
|
|
@include 'http_api_options_server.mdx'
|
|
|
|
#### Command Options
|
|
|
|
- `-config-file` - (required) Specifies a JSON-formatted file to use for the new configuration.
|
|
The format of this config file matches the request payload documented in the
|
|
[Update CA Configuration API](/api-docs/connect/ca#update-ca-configuration).
|
|
|
|
- `-force-without-cross-signing` `(bool: <optional>)` - Indicates that the CA change
|
|
should be forced to complete even if the current CA doesn't support cross
|
|
signing. Changing root without cross-signing may cause temporary connection
|
|
failures until the rollout completes. See [Forced Rotation Without
|
|
Cross-Signing](/docs/connect/ca#forced-rotation-without-cross-signing)
|
|
for more detail.
|
|
|
|
The output looks like this:
|
|
|
|
```
|
|
Configuration updated!
|
|
```
|
|
|
|
The return code will indicate success or failure.
|