mirror of
https://github.com/status-im/consul.git
synced 2025-01-10 13:55:55 +00:00
166d7a39e8
Remove outdated usage of "Consul Connect" instead of Consul service mesh. The connect subsystem in Consul provides Consul's service mesh capabilities. However, the term "Consul Connect" should not be used as an alternative to the name "Consul service mesh".
129 lines
4.2 KiB
Plaintext
129 lines
4.2 KiB
Plaintext
---
|
|
layout: commands
|
|
page_title: 'Commands: Connect CA'
|
|
description: >
|
|
The connect CA subcommand is used to view and modify the Connect Certificate
|
|
Authority (CA) configuration.
|
|
---
|
|
|
|
# Consul Connect Certificate Authority (CA)
|
|
|
|
Command: `consul connect ca`
|
|
|
|
This command is used to interact with Consul service mesh's Certificate Authority
|
|
managed by the connect subsystem.
|
|
It can be used to view or modify the current CA configuration. Refer to the
|
|
[service mesh CA documentation](/consul/docs/connect/ca) for more information.
|
|
|
|
```text
|
|
Usage: consul connect ca <subcommand> [options] [args]
|
|
|
|
This command has subcommands for interacting with Consul service mesh's
|
|
Certificate Authority (CA).
|
|
|
|
Here are some simple examples, and more detailed examples are available
|
|
in the subcommands or the documentation.
|
|
|
|
Get the configuration:
|
|
|
|
$ consul connect ca get-config
|
|
|
|
Update the configuration:
|
|
|
|
$ consul connect ca set-config -config-file ca.json
|
|
|
|
For more examples, ask for subcommand help or view the documentation.
|
|
|
|
Subcommands:
|
|
get-config Display the current service mesh Certificate Authority (CA) configuration
|
|
set-config Modify the current service mesh CA configuration
|
|
```
|
|
|
|
## get-config
|
|
|
|
This command displays the current CA configuration.
|
|
|
|
The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
|
|
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
|
|
are not supported from commands, but may be from the corresponding HTTP endpoint.
|
|
|
|
| ACL Required |
|
|
| ---------------- |
|
|
| `operator:write` |
|
|
|
|
Usage: `consul connect ca get-config [options]`
|
|
|
|
Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/ca/configuration](/consul/api-docs/connect/ca#get-ca-configuration)
|
|
|
|
#### API Options
|
|
|
|
@include 'http_api_options_client.mdx'
|
|
|
|
@include 'http_api_options_server.mdx'
|
|
|
|
The output looks like this:
|
|
|
|
```
|
|
{
|
|
"Provider": "consul",
|
|
"Config": {},
|
|
"CreateIndex": 5,
|
|
"ModifyIndex": 197
|
|
}
|
|
```
|
|
|
|
## set-config
|
|
|
|
Modifies the current CA configuration. If this results in a new root certificate
|
|
being used, the [Root Rotation](/consul/docs/connect/ca#root-certificate-rotation) process
|
|
will be triggered.
|
|
|
|
The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
|
|
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
|
|
are not supported from commands, but may be from the corresponding HTTP endpoint.
|
|
|
|
| ACL Required |
|
|
| ---------------- |
|
|
| `operator:write` |
|
|
|
|
Usage: `consul connect ca set-config [options]`
|
|
|
|
Corresponding HTTP API Endpoint: [\[PUT\] /v1/connect/ca/configuration](/consul/api-docs/connect/ca#update-ca-configuration)
|
|
|
|
The output looks like this:
|
|
|
|
```
|
|
Configuration updated!
|
|
```
|
|
|
|
The return code will indicate success or failure.
|
|
|
|
~> **If currently using Vault CA provider:**
|
|
If you intend to change the CA provider from Vault to another,
|
|
or to change the Vault provider's [`RootPKIPath`](/consul/docs/connect/ca/vault#rootpkipath),
|
|
you must temporarily elevate the privileges of the Vault token
|
|
or auth method in use as described in the
|
|
[Vault CA provider documentation](/consul/docs/connect/ca/vault#additional-vault-acl-policies-for-sensitive-operations).
|
|
|
|
#### Command Options
|
|
|
|
- `-config-file` - (required) Specifies a JSON-formatted file to use for the new configuration.
|
|
The format of this config file matches the request payload documented in the
|
|
[Update CA Configuration API](/consul/api-docs/connect/ca#update-ca-configuration).
|
|
|
|
- `-force-without-cross-signing` `(bool: <optional>)` - Indicates that the CA change
|
|
should be forced to complete even if the current CA doesn't support root cross-signing.
|
|
|
|
~> **Caution:** Use of this flag will cause temporary connection failures
|
|
until service mesh proxies and/or Consul client agents receive a new certificate
|
|
that establishes trust with the new root.
|
|
Do not use this flag unless you are sure you need it.
|
|
Refer to [Forced Rotation Without Cross-Signing](/consul/docs/connect/ca#forced-rotation-without-cross-signing)
|
|
for more detail.
|
|
|
|
#### API Options
|
|
|
|
@include 'http_api_options_client.mdx'
|
|
|
|
@include 'http_api_options_server.mdx'
|