open-consul/website/content/commands/connect/ca.mdx

118 lines
3.5 KiB
Plaintext

---
layout: commands
page_title: 'Commands: Connect CA'
description: >
The connect CA subcommand is used to view and modify the Connect Certificate
Authority (CA) configuration.
---
# Consul Connect Certificate Authority (CA)
Command: `consul connect ca`
The CA connect command is used to interact with Consul Connect's Certificate Authority
subsystem. The command can be used to view or modify the current CA configuration. See the
[Connect CA documentation](/docs/connect/ca) for more information.
```text
Usage: consul connect ca <subcommand> [options] [args]
This command has subcommands for interacting with Consul Connect's
Certificate Authority (CA).
Here are some simple examples, and more detailed examples are available
in the subcommands or the documentation.
Get the configuration:
$ consul connect ca get-config
Update the configuration:
$ consul connect ca set-config -config-file ca.json
For more examples, ask for subcommand help or view the documentation.
Subcommands:
get-config Display the current Connect Certificate Authority (CA) configuration
set-config Modify the current Connect CA configuration
```
## get-config
This command displays the current CA configuration.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ---------------- |
| `operator:write` |
Usage: `consul connect ca get-config [options]`
Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/ca/configuration](/api-docs/connect/ca#get-ca-configuration)
#### API Options
@include 'http_api_options_client.mdx'
@include 'http_api_options_server.mdx'
The output looks like this:
```
{
"Provider": "consul",
"Config": {},
"CreateIndex": 5,
"ModifyIndex": 197
}
```
## set-config
Modifies the current CA configuration. If this results in a new root certificate
being used, the [Root Rotation](/docs/connect/ca#root-certificate-rotation) process
will be triggered.
The table below shows this command's [required ACLs](/api#authentication). Configuration of
[blocking queries](/api-docs/features/blocking) and [agent caching](/api-docs/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ---------------- |
| `operator:write` |
Usage: `consul connect ca set-config [options]`
Corresponding HTTP API Endpoint: [\[PUT\] /v1/connect/ca/configuration](/api-docs/connect/ca#update-ca-configuration)
#### API Options
@include 'http_api_options_client.mdx'
@include 'http_api_options_server.mdx'
#### Command Options
- `-config-file` - (required) Specifies a JSON-formatted file to use for the new configuration.
The format of this config file matches the request payload documented in the
[Update CA Configuration API](/api-docs/connect/ca#update-ca-configuration).
- `-force-without-cross-signing` `(bool: <optional>)` - Indicates that the CA change
should be forced to complete even if the current CA doesn't support cross
signing. Changing root without cross-signing may cause temporary connection
failures until the rollout completes. See [Forced Rotation Without
Cross-Signing](/docs/connect/ca#forced-rotation-without-cross-signing)
for more detail.
The output looks like this:
```
Configuration updated!
```
The return code will indicate success or failure.