2018-06-24 16:55:26 -05:00
---
2020-04-07 14:55:19 -04:00
layout: docs
2022-09-16 10:28:32 -05:00
page_title: Certificate Authority - Built-in Service Mesh CA
2020-04-07 14:55:19 -04:00
description: >-
2022-09-16 10:28:32 -05:00
Consul has a built-in service mesh certificate authority that can be used to secure your service mesh without needing a separate CA system. Learn how to configure the built-in service mesh CA as a root CA or an intermediate CA connected to an existing PKI system.
2018-06-24 16:55:26 -05:00
---
2022-09-13 15:30:45 -05:00
# Built-In Certificate Authority for Service Mesh
2018-06-24 16:55:26 -05:00
2023-05-05 13:41:40 -04:00
Consul ships with a built-in CA system so that service mesh can be
2018-06-24 16:55:26 -05:00
easily enabled out of the box. The built-in CA generates and stores the
root certificate and private key on Consul servers. It can also be
configured with a custom certificate and private key if needed.
2023-05-05 13:41:40 -04:00
If service mesh is enabled and no CA provider is specified, the built-in
2018-06-24 16:55:26 -05:00
CA is the default provider used. The provider can be
2023-01-25 10:52:43 -06:00
[updated and rotated](/consul/docs/connect/ca#root-certificate-rotation)
2018-06-24 16:55:26 -05:00
at any point to migrate to a new provider.
-> This page documents the specifics of the built-in CA provider.
2023-01-25 10:52:43 -06:00
Please read the [certificate management overview](/consul/docs/connect/ca)
2018-06-24 16:55:26 -05:00
page first to understand how Consul manages certificates with configurable
CA providers.
## Configuration
2023-05-05 13:41:40 -04:00
The built-in CA provider has no required configuration. Enabling service mesh
2021-08-19 11:18:55 -07:00
alone will configure the built-in CA provider, and will automatically generate
2018-06-24 16:55:26 -05:00
a root certificate and private key:
2021-08-19 11:18:55 -07:00
<CodeBlockConfig filename="/etc/consul.d/config.hcl">
2018-06-24 16:55:26 -05:00
```hcl
2021-08-19 11:18:55 -07:00
# ...
2018-06-24 16:55:26 -05:00
connect {
enabled = true
}
```
2021-08-19 11:18:55 -07:00
</CodeBlockConfig>
The configuration options are listed below.
-> **Note**: The first key is the value used in API calls, and the second key
2022-01-12 15:05:01 -08:00
(after the `/`) is used if you are adding the configuration to the agent's
configuration file.
2018-06-24 16:55:26 -05:00
2020-04-06 16:27:35 -04:00
- `PrivateKey` / `private_key` (`string: ""`) - A PEM-encoded private key
for signing operations. This must match the private key used for the root
certificate if it is manually specified. If this is blank, a private key
is automatically generated.
2018-06-24 16:55:26 -05:00
2020-04-06 16:27:35 -04:00
- `RootCert` / `root_cert` (`string: ""`) - A PEM-encoded root certificate
to use. If this is blank, a root certificate is automatically generated
using the private key specified. If this is specified, the certificate
must be a valid
[SPIFFE SVID signing certificate](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md)
and the URI in the SAN must match the cluster identifier created at
bootstrap with the ".consul" TLD. The cluster identifier can be found
2023-01-25 10:52:43 -06:00
using the [CA List Roots endpoint](/consul/api-docs/connect/ca#list-ca-root-certificates).
2018-06-24 16:55:26 -05:00
2021-08-19 11:18:55 -07:00
@include 'http_api_connect_ca_common_options.mdx'
2018-07-16 02:46:23 -07:00
2018-06-24 16:55:26 -05:00
## Specifying a Custom Private Key and Root Certificate
By default, a root certificate and private key will be automatically
generated during the cluster's bootstrap. It is possible to configure
the Consul CA provider to use a specific private key and root certificate.
This is particularly useful if you have an external PKI system that doesn't
currently integrate with Consul directly.
2023-01-25 10:52:43 -06:00
To view the current CA configuration, use the [Get CA Configuration endpoint](/consul/api-docs/connect/ca#get-ca-configuration):
2018-06-24 16:55:26 -05:00
2020-05-19 14:32:38 -04:00
```shell-session
2018-06-24 16:55:26 -05:00
$ curl localhost:8500/v1/connect/ca/configuration
{
"Provider": "consul",
"Config": {
2018-07-16 02:46:23 -07:00
"LeafCertTTL": "72h",
2020-01-17 23:27:13 +01:00
"IntermediateCertTTL": "8760h"
2018-06-24 16:55:26 -05:00
},
"CreateIndex": 5,
"ModifyIndex": 5
}
```
2023-05-05 13:41:40 -04:00
This is the default service mesh CA configuration if nothing is explicitly set when
service mesh is enabled - the PrivateKey and RootCert fields have not been set, so those have
2018-06-24 16:55:26 -05:00
been generated (as seen above in the roots list).
There are two ways to have the Consul CA use a custom private key and root certificate:
2023-01-25 10:52:43 -06:00
either through the `ca_config` section of the [Agent configuration](/consul/docs/agent/config/config-files#connect_ca_config) (which can only be used during the cluster's
initial bootstrap) or through the [Update CA Configuration endpoint](/consul/api-docs/connect/ca#update-ca-configuration).
2018-06-24 16:55:26 -05:00
2021-08-19 11:18:55 -07:00
Currently Consul requires that root certificates are valid [SPIFFE SVID Signing certificates](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md) and that the URI encoded
2018-06-24 16:55:26 -05:00
in the SAN is the cluster identifier created at bootstrap with the ".consul" TLD. In this
example, we will set the URI SAN to `spiffe://36cb52cd-4058-f811-0432-6798a240c5d3.consul`.
In order to use the Update CA Configuration HTTP endpoint, the private key and certificate
must be passed via JSON:
2020-05-19 14:32:38 -04:00
```shell-session
2023-07-31 14:01:39 -07:00
$ jq --null-input --rawfile key root.key --rawfile cert root.crt '
2018-06-24 16:55:26 -05:00
{
"Provider": "consul",
"Config": {
2018-07-16 02:46:23 -07:00
"LeafCertTTL": "72h",
2023-07-31 14:01:39 -07:00
"PrivateKey": $key | sub("\\n$"; ""),
"RootCert": $cert | sub("\\n$"; ""),
2020-01-17 23:27:13 +01:00
"IntermediateCertTTL": "8760h"
2018-06-24 16:55:26 -05:00
}
}' > ca_config.json
```
The resulting `ca_config.json` file can then be used to update the active root certificate:
2020-05-19 14:32:38 -04:00
```shell-session
2018-06-24 16:55:26 -05:00
$ cat ca_config.json
{
"Provider": "consul",
"Config": {
2018-07-16 02:46:23 -07:00
"LeafCertTTL": "72h",
2018-06-24 16:55:26 -05:00
"PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEArqiy1c3pbT3cSkjdEM1APALUareU...",
"RootCert": "-----BEGIN CERTIFICATE-----\nMIIDijCCAnKgAwIBAgIJAOFZ66em1qC7MA0GCSqGSIb3...",
2020-01-17 23:27:13 +01:00
"IntermediateCertTTL": "8760h"
2018-06-24 16:55:26 -05:00
}
}
$ curl --request PUT --data @ca_config.json localhost:8500/v1/connect/ca/configuration
...
[INFO] connect: CA rotated to new root under provider "consul"
```
The cluster is now using the new private key and root certificate. Updating the CA config
this way also triggered a certificate rotation.