Final edits to encryption doc.

This commit is contained in:
Ryan Breen 2015-01-31 22:05:00 -05:00
parent 02c7ed0e94
commit 3a184a06f7
1 changed files with 6 additions and 5 deletions

View File

@ -15,10 +15,10 @@ There are two separate encryption systems, one for gossip traffic and one for RP
## Gossip Encryption
Enabling gossip encryption only requires that you set an encryption key when
starting the Consul agent. The key can be set via the `encrypt` parameter: this
starting the Consul agent. The key can be set via the `encrypt` parameter: the
value of this setting is a configuration file containing the encryption key.
The key must be 16-bytes, Base64 encoded. As a convenience, Consul contains the
The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
`consul keygen` commmand to generate a cryptographically suitable key:
```text
@ -57,13 +57,14 @@ Consul supports using TLS to verify the authenticity of servers and clients. To
Consul requires that all clients and servers have key pairs that are generated by a single
Certificate Authority. This can be a private CA, used only internally. The
CA then signs keys for each of the agents, as in
[this tutorial on generationg both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
[this tutorial on generating both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
using OpenSSL. Note: client certificates must have
[Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled
for client and server authentication.
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients. These modes are
controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html), respectively.
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.
These modes are controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html),
respectively.
If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing
connections. Server nodes must present a certificate signed by the certificate authority