diff --git a/agent/connect_ca_endpoint.go b/agent/connect_ca_endpoint.go index e3efde1a55..82d1233699 100644 --- a/agent/connect_ca_endpoint.go +++ b/agent/connect_ca_endpoint.go @@ -81,14 +81,15 @@ func (s *HTTPServer) ConnectCAConfigurationSet(resp http.ResponseWriter, req *ht func fixupConfig(conf *structs.CAConfiguration) { for k, v := range conf.Config { if raw, ok := v.([]uint8); ok { - conf.Config[k] = ca.Uint8ToString(raw) + strVal := ca.Uint8ToString(raw) + conf.Config[k] = strVal switch conf.Provider { case structs.ConsulCAProvider: - if k == "PrivateKey" && ca.Uint8ToString(raw) != "" { + if k == "PrivateKey" && strVal != "" { conf.Config["PrivateKey"] = "hidden" } case structs.VaultCAProvider: - if k == "Token" && ca.Uint8ToString(raw) != "" { + if k == "Token" && strVal != "" { conf.Config["Token"] = "hidden" } } diff --git a/agent/consul/config.go b/agent/consul/config.go index 66f7c65f01..29a5245319 100644 --- a/agent/consul/config.go +++ b/agent/consul/config.go @@ -436,8 +436,6 @@ func DefaultConfig() *Config { CAConfig: &structs.CAConfiguration{ Provider: "consul", Config: map[string]interface{}{ - "PrivateKey": "", - "RootCert": "", "RotationPeriod": "2160h", }, }, diff --git a/website/source/docs/connect/ca.html.md b/website/source/docs/connect/ca.html.md index 544263ca81..72d334f23e 100644 --- a/website/source/docs/connect/ca.html.md +++ b/website/source/docs/connect/ca.html.md @@ -67,8 +67,6 @@ $ curl localhost:8500/v1/connect/ca/configuration { "Provider": "consul", "Config": { - "PrivateKey": null, - "RootCert": null, "RotationPeriod": "2160h" }, "CreateIndex": 5, @@ -77,8 +75,8 @@ $ curl localhost:8500/v1/connect/ca/configuration ``` This is the default Connect CA configuration if nothing is explicitly set when -Connect is enabled - the PrivateKey and RootCert fields are both empty, and have been -generated (as seen above). +Connect is enabled - the PrivateKey and RootCert fields have not been set, so those have +been generated (as seen above in the roots list). There are two ways to have the Consul CA use a custom private key and root certificate: either through the `ca_config` section of the [Agent configuration]