docs: add docs for using an external CA

Daniel Nephin 2022-02-11 16:34:34 -05:00
parent 1853a32df6
commit 12f12d577a
1 changed files with 12 additions and 3 deletions


@ -116,7 +116,9 @@ The configuration options are listed below.
- `RootPKIPath` / `root_pki_path` (`string: <required>`) - The path to
a PKI secrets engine for the root certificate. If the path does not
a PKI secrets engine for the root certificate.
If the path does not
exist, Consul will mount a new PKI secrets engine at the specified path with the
`RootCertTTL` value as the root certificate's TTL. If the `RootCertTTL` is not set,
a [`max_lease_ttl`](https://www.vaultproject.io/api/system/mounts#max_lease_ttl)
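Review bot: the only change in this hunk is splitting `a PKI secrets engine for the root certificate. If the path does not` across two lines so that the sentence about the missing path starts on its own line; no wording changes. That is fine as a reflow, but the rest of the bullet still wraps mid-sentence (`... at the specified path with the` / `` `RootCertTTL` value as the root certificate's TTL ``), so either reflow the whole `RootPKIPath` entry consistently or leave the original line alone so the diff stays limited to the new content.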
@ -127,6 +129,13 @@ The configuration options are listed below.
When WAN Federation is enabled, each secondary datacenter must use the same Vault cluster and share the same `root_pki_path`
with the primary datacenter.
To use an intermediate certificate as the primary CA in Consul initialize the
`RootPKIPath` in Vault with a PEM bundle. The first certificate in the bundle
must be the intermediate certificate that Consul will use as the primary CA.
The last certificate in the bundle must be a root certificate. The bundle
must contain a valid chain, where each certificate is followed by the certificate
that authorized it.
- `IntermediatePKIPath` / `intermediate_pki_path` (`string: <required>`) -
The path to a PKI secrets engine for the generated intermediate certificate.
This certificate will be signed by the configured root PKI path. If this
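Review bot: the new paragraph on using an intermediate as the primary CA should state the chain order unambiguously and what else the bundle must carry. `each certificate is followed by the certificate that authorized it` is easy to misread; `each certificate is followed by the certificate that signed it` makes the leaf-to-root order explicit and matches `The last certificate in the bundle must be a root certificate`. The paragraph also does not say whether the intermediate's private key has to be part of the PEM bundle written to `RootPKIPath`, nor what Consul does when the bundle does not form a valid chain, and an operator setting this up will need both. Minor: add a comma after `the primary CA in Consul`, and since the paragraph lands directly after the WAN federation note inside the `RootPKIPath` entry, a blank line before it would keep it from reading as part of the federation caveat.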