From 9f02119314305e6015bc8d8b3d07fa4eb0515b03 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Wed, 28 Jul 2021 18:22:35 -0400 Subject: [PATCH 1/2] docs: give better guidance about how to configure the agent TLS CA --- website/content/docs/agent/options.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx index 2ecbe11d26..bbaaaf34d8 100644 --- a/website/content/docs/agent/options.mdx +++ b/website/content/docs/agent/options.mdx @@ -2211,6 +2211,12 @@ This section documents all of the configuration settings that apply to Agent TLS TLS is used by the HTTP API, server RPC, and xDS interfaces. Some of these settings may also be applied automatically by [auto_config](#auto_config) or [auto_encrypt](#auto_encrypt). +~> **Security Note:** The Certificate Authority (CA) specified by `ca_file` and `ca_path` +should use a private CA, not a public one. We also recommend using a separate CA for +Consul and not sharing the CA with any other systems. Any certificate signed by the +CA will be allowed to communicate with the cluster and a specially crafted certificate +signed by the CA can gain full read and write access to Consul. + - `ca_file` This provides a file path to a PEM-encoded certificate authority. The certificate authority is used to check the authenticity of client and server connections with the appropriate [`verify_incoming`](#verify_incoming) From 20537d895270a128d8df30d34615ecdcc4132b1f Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Thu, 29 Jul 2021 12:38:30 -0400 Subject: [PATCH 2/2] Update website/content/docs/agent/options.mdx Co-authored-by: Kent 'picat' Gruber --- website/content/docs/agent/options.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx index bbaaaf34d8..6d6a11aea7 100644 --- a/website/content/docs/agent/options.mdx 
+++ b/website/content/docs/agent/options.mdx @@ -2211,11 +2211,11 @@ This section documents all of the configuration settings that apply to Agent TLS TLS is used by the HTTP API, server RPC, and xDS interfaces. Some of these settings may also be applied automatically by [auto_config](#auto_config) or [auto_encrypt](#auto_encrypt). -~> **Security Note:** The Certificate Authority (CA) specified by `ca_file` and `ca_path` -should use a private CA, not a public one. We also recommend using a separate CA for -Consul and not sharing the CA with any other systems. Any certificate signed by the +~> **Security Note:** The Certificate Authority (CA) specified by `ca_file` or `ca_path` +should be a private CA, not a public one. We recommend using a dedicated CA +which should not be used with any other systems. Any certificate signed by the CA will be allowed to communicate with the cluster and a specially crafted certificate -signed by the CA can gain full read and write access to Consul. +signed by the CA can be used to gain full access to Consul. - `ca_file` This provides a file path to a PEM-encoded certificate authority. The certificate authority is used to check the authenticity of client
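Review bot: In the first hunk (PATCH 1/2), the added Security Note states that "any certificate signed by the CA will be allowed to communicate with the cluster" without saying which settings enforce that trust boundary; the unchanged context two lines below already references `verify_incoming`, so the note should say that this guidance matters precisely because the CA is what `verify_incoming` checks client and server connections against, and that a public or shared CA widens the set of parties who can obtain a trusted certificate. Also, `ca_file` and `ca_path` are alternatives, so "`ca_file` and `ca_path`" should read "`ca_file` or `ca_path`", and "a specially crafted certificate ... can gain full read and write access" should say that an operator holding such a certificate can gain that access, since the certificate itself does nothing.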
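Review bot: In the second hunk (PATCH 2/2), replacing "full read and write access to Consul" with "full access to Consul" loses precision: "full read and write access" tells the reader concretely what is at stake, whereas "full access" is vaguer, so keep the earlier wording or name what is exposed. The rewritten sentence "We recommend using a dedicated CA which should not be used with any other systems" also repeats "used"; "We recommend a dedicated CA that is not shared with any other system" says the same thing more cleanly. The change from "and" to "or" for `ca_file`/`ca_path` and from "should use" to "should be" are correct and should stay.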