It seems like the component order is reversed. Instead of consul-server-<dcX>, it uses <dcX>-server-consul.
Is this a bug in the code, or bug in the documentation?
root@infra-terraformer:~/consul# consul tls ca create
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem
root@infra-terraformer:~/consul# consul tls cert create -server
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ consul tls ca create
==> Saved consul-agent-ca.pem
==> Saved consul-agent-ca-key.pem
╭─twolf@stonith ~/workspace/tmp ‹ruby-2.5.1›
╰─➤ consul tls cert create -server
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem
[...]
Step 2: Create individual Server Certificates
Create a server certificate for datacenter dc1 and domain consul, if your datacenter or domain is different please use the appropriate flags:
$ consul tls cert create -server
==> WARNING: Server Certificates grants authority to become a
server and access all state in the cluster including root keys
and all ACL tokens. Do not distribute them to production hosts
that are not server nodes. Store them as securely as CA keys.
==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
==> Saved dc1-server-consul-0.pem
==> Saved dc1-server-consul-0-key.pem