mirror of https://github.com/status-im/consul.git
CA certificates relationship HL diagram (#12022)
* add diagram and text to explain certificates in consul
* use bullet points instead of enumeration
* Apply suggestions from code review
  Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
* remove unneeded text and improve image
* fix cert naming
* move section to the right place
* rename DC

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
This commit is contained in:
parent a17c78ab21
commit 73dd4e66d6
@ -20,6 +20,23 @@ support for using
[Vault as a CA](/docs/connect/ca/vault). With Vault, the root certificate
and private key material remain with the Vault cluster.

### CA and Certificate relationship

This diagram shows the relationship between the CA certificates in a Consul primary datacenter and a
secondary Consul datacenter.

![CA relationship](/img/cert-relationship.svg)

Leaf certificates are created for two purposes:
- the Leaf Cert Service is used by envoy proxies in the mesh to perform mTLS with other
services.
- the Leaf Cert Client Agent is created by auto-encrypt and auto-config. It is used by
client agents for HTTP API TLS, and for mTLS for RPC requests to servers.

Any secondary datacenters receive an intermediate certificate, signed by the Primary Root
CA, which is used as the CA certificate to sign leaf certificates in the secondary
datacenter.

## CA Bootstrapping

CA initialization happens automatically when a new Consul leader is elected
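Review bot: the added section leaves the primary-datacenter signing path implicit; the last paragraph spells out that a secondary's intermediate (signed by the Primary Root CA) signs that datacenter's leaf certificates, but nothing in the text says which CA signs leaf certificates in the primary datacenter, so a reader without the diagram cannot tell whether the root signs them directly. One sentence before "Any secondary datacenters receive ..." would close that gap. Style points in the same hunk: `### CA and Certificate relationship` should be `### CA and Certificate Relationship` to match `## CA Bootstrapping`; `envoy proxies` should be `Envoy proxies`; and the two bullets start lowercase ("the Leaf Cert Service is used ...") while their second sentences are capitalized, so either start them with "The ..." or make both fragments consistently. If `Primary Root CA`, `Leaf Cert Service` and `Leaf Cert Client Agent` are the labels used in `/img/cert-relationship.svg`, say so once ("labelled as in the diagram") so the capitalized names are not read as distinct Consul components.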
File diff suppressed because one or more lines are too long (image, size 102 KiB).