CA certificates relationship HL diagram (#12022)

* add diagram and text to explain certificates in consul

* use bullet points instead of enumeration

* Apply suggestions from code review

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* remove non needed text and improve image

* fix cert naming

* move section to the right place

* rename DC

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
This commit is contained in:
Dhia Ayachi 2022-01-12 16:10:00 -05:00 committed by GitHub
parent a17c78ab21
commit 73dd4e66d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 0 deletions

View File

@ -20,6 +20,23 @@ support for using
[Vault as a CA](/docs/connect/ca/vault). With Vault, the root certificate
and private key material remain with the Vault cluster.
### CA and Certificate relationship
This diagram shows the relationship between the CA certificates in a Consul primary datacenter and a
secondary Consul datacenter.
![CA relationship](/img/cert-relationship.svg)
Leaf certificates are created for two purposes:
- the Leaf Cert Service is used by envoy proxies in the mesh to perform mTLS with other
services.
- the Leaf Cert Client Agent is created by auto-encrypt and auto-config. It is used by
client agents for HTTP API TLS, and for mTLS for RPC requests to servers.
Any secondary datacenters receive an intermediate certificate, signed by the Primary Root
CA, which is used as the CA certificate to sign leaf certificates in the secondary
datacenter.
## CA Bootstrapping
CA initialization happens automatically when a new Consul leader is elected

File diff suppressed because one or more lines are too long

After

Width:  |  Height:  |  Size: 102 KiB