consul/website/content/commands/connect/ca.mdx

129 lines
4.2 KiB
Plaintext
Raw Normal View History

---
layout: commands
2020-04-07 18:55:19 +00:00
page_title: 'Commands: Connect CA'
description: >
The connect CA subcommand is used to view and modify the Connect Certificate
Authority (CA) configuration.
---
# Consul Connect Certificate Authority (CA)
Command: `consul connect ca`
This command is used to interact with Consul service mesh's Certificate Authority
managed by the connect subsystem.
It can be used to view or modify the current CA configuration. Refer to the
[service mesh CA documentation](/consul/docs/connect/ca) for more information.
```text
Usage: consul connect ca <subcommand> [options] [args]
This command has subcommands for interacting with Consul service mesh's
Certificate Authority (CA).
Here are some simple examples, and more detailed examples are available
in the subcommands or the documentation.
Get the configuration:
$ consul connect ca get-config
Update the configuration:
$ consul connect ca set-config -config-file ca.json
For more examples, ask for subcommand help or view the documentation.
Subcommands:
get-config Display the current service mesh Certificate Authority (CA) configuration
set-config Modify the current service mesh CA configuration
```
## get-config
This command displays the current CA configuration.
The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ---------------- |
| `operator:write` |
Usage: `consul connect ca get-config [options]`
Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/ca/configuration](/consul/api-docs/connect/ca#get-ca-configuration)
#### API Options
2020-04-07 18:55:19 +00:00
@include 'http_api_options_client.mdx'
2020-04-07 23:56:08 +00:00
2020-04-07 18:55:19 +00:00
@include 'http_api_options_server.mdx'
The output looks like this:
```
{
"Provider": "consul",
"Config": {},
"CreateIndex": 5,
"ModifyIndex": 197
}
```
## set-config
Modifies the current CA configuration. If this results in a new root certificate
being used, the [Root Rotation](/consul/docs/connect/ca#root-certificate-rotation) process
will be triggered.
The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
| ACL Required |
| ---------------- |
| `operator:write` |
Usage: `consul connect ca set-config [options]`
Corresponding HTTP API Endpoint: [\[PUT\] /v1/connect/ca/configuration](/consul/api-docs/connect/ca#update-ca-configuration)
The output looks like this:
```
Configuration updated!
```
2020-04-07 23:56:08 +00:00
The return code will indicate success or failure.
~> **If currently using Vault CA provider:**
If you intend to change the CA provider from Vault to another,
or to change the Vault provider's [`RootPKIPath`](/consul/docs/connect/ca/vault#rootpkipath),
you must temporarily elevate the privileges of the Vault token
or auth method in use as described in the
[Vault CA provider documentation](/consul/docs/connect/ca/vault#additional-vault-acl-policies-for-sensitive-operations).
#### Command Options
2020-04-07 18:55:19 +00:00
- `-config-file` - (required) Specifies a JSON-formatted file to use for the new configuration.
The format of this config file matches the request payload documented in the
[Update CA Configuration API](/consul/api-docs/connect/ca#update-ca-configuration).
- `-force-without-cross-signing` `(bool: <optional>)` - Indicates that the CA change
should be forced to complete even if the current CA doesn't support root cross-signing.
~> **Caution:** Use of this flag will cause temporary connection failures
until service mesh proxies and/or Consul client agents receive a new certificate
that establishes trust with the new root.
Do not use this flag unless you are sure you need it.
Refer to [Forced Rotation Without Cross-Signing](/consul/docs/connect/ca#forced-rotation-without-cross-signing)
for more detail.
#### API Options
@include 'http_api_options_client.mdx'
@include 'http_api_options_server.mdx'