docs: Notes about WAN Federation when using Vault as Connect CA (#11143)

* docs: Notes about WAN Federation when using Vault as Connect CA

* Apply suggestions from code review

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update website/content/docs/connect/ca/vault.mdx

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update website/content/docs/connect/ca/vault.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/connect/ca/vault.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update vault.mdx

* Update vault.mdx

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
This commit is contained in:
David Yu 2021-11-29 12:37:14 -08:00 committed by GitHub
parent 33e8c10583
commit 29c791c90e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 5 deletions

View File

@ -120,16 +120,21 @@ The configuration options are listed below.
exist, Consul will mount a new PKI secrets engine at the specified path with the
`RootCertTTL` value as the root certificate's TTL. If the `RootCertTTL` is not set,
a [`max_lease_ttl`](https://www.vaultproject.io/api/system/mounts#max_lease_ttl)
of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later.
Prior to Consul 1.11, the root certificate TTL was set to 8760 hour, or 1 year, and
was not configurable.
of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later. Prior to Consul 1.11,
the root certificate TTL was set to 8760 hour, or 1 year, and was not configurable.
The root certificate will expire at the end of the specified period.
When WAN Federation is enabled, each secondary datacenter must use the same Vault cluster and share the same `root_pki_path`
with the primary datacenter.
- `IntermediatePKIPath` / `intermediate_pki_path` (`string: <required>`) -
The path to a PKI secrets engine for the generated intermediate certificate.
This certificate will be signed by the configured root PKI path. If this
path does not exist, Consul will attempt to mount and configure this
automatically.
automatically.
When WAN Federation is enabled, every secondary
datacenter must specify a unique `intermediate_pki_path`.
- `CAFile` / `ca_file` (`string: ""`) - Specifies an optional path to the CA
certificate used for Vault communication. If unspecified, this will fallback