connect/ca: Clarify behavior around IntermediateCertTTL in CA config
parent 8e4e0c23aa
commit 1ded025400
@ -382,9 +382,12 @@ func (c *CAConfiguration) GetCommonConfig() (*CommonCAProviderConfig, error) {
}
type CommonCAProviderConfig struct {
LeafCertTTL time.Duration
LeafCertTTL time.Duration
RootCertTTL time.Duration
// IntermediateCertTTL is only valid in the primary datacenter, and determines
// the duration that any signed intermediates are valid for.
IntermediateCertTTL time.Duration
RootCertTTL time.Duration
SkipValidate bool
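Review bot: the new doc comment on IntermediateCertTTL says the field is only valid in the primary datacenter but not what happens when a secondary sets it, and it omits the bounds that Validate() in this same commit relies on; the struct is where most readers will look, so consider extending it to `// It is ignored in secondary datacenters, must not exceed RootCertTTL, and is expected to be at least 3x LeafCertTTL.` so the constraints are visible without reading Validate().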
@ -439,6 +442,10 @@ func (c CommonCAProviderConfig) Validate() error {
return nil
}
// todo(kyhavlov): should we output some kind of warning here (or in a Warnings() func)
// if the intermediate TTL is set in a secondary DC? allowing it to be set and do nothing
// seems bad.
// it's sufficient to check that the root cert ttl >= intermediate cert ttl
// since intermediate cert ttl >= 3* leaf cert ttl; so root cert ttl >= 3 * leaf cert ttl > leaf cert ttl
if c.RootCertTTL < c.IntermediateCertTTL {
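Review bot: the new todo concedes that an intermediate TTL set in a secondary datacenter is accepted and does nothing, which is a misconfiguration an operator will only notice when intermediates rotate on a schedule they did not configure; rather than leaving the question in a comment, have the caller that knows it is running in a secondary reject or warn on a non-default IntermediateCertTTL, since the CommonCAProviderConfig fields visible here carry no datacenter role and Validate() cannot decide it alone. Separately, the line `// since intermediate cert ttl >= 3* leaf cert ttl` relies on a check that is not in this hunk; say where that bound is enforced, so the `c.RootCertTTL < c.IntermediateCertTTL` check below is not later assumed to cover the leaf bound by itself.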
@ -43,6 +43,15 @@ The following configuration options are supported by all CA providers:
For the Vault provider, this value is only used if the backend is not initialized at first.
- `IntermediateCertTTL` / `intermediate_cert_ttl` (`duration: "8760h"`) The time to live (TTL) for
any intermediate certificates signed by root certificate of the primary datacenter. *This field is only
valid in the primary datacenter*.
Defaults to 1 year as `8760h`.
This setting applies to all Consul CA providers.
For the Vault provider, this value is only used if the backend is not initialized at first.
- `PrivateKeyType` / `private_key_type` (`string: "ec"`) - The type of key to generate
for this CA. This is only used when the provider is generating a new key. If
`private_key` is set for the Consul provider, or existing root or intermediate
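Review bot: the new `IntermediateCertTTL` entry tells the reader the field is only valid in the primary datacenter but not the consequence of setting it elsewhere, and it leaves out the bound the code validates, so a user will first learn that `root_cert_ttl` must be at least `intermediate_cert_ttl` from a rejected configuration; state both here, e.g. `Setting it in a secondary datacenter has no effect.` and `Must not exceed root_cert_ttl.` Minor: `signed by root certificate of the primary datacenter` should read `signed by the root certificate of the primary datacenter`, and the default is stated twice (`duration: "8760h"` in the heading and `Defaults to 1 year as 8760h`), so one of the two can go.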