connect/ca: Clarify behavior around IntermediateCertTTL in CA config

agent/structs/connect_ca.go

@@ -382,9 +382,12 @@ func (c *CAConfiguration) GetCommonConfig() (*CommonCAProviderConfig, error) {
 }
 
 type CommonCAProviderConfig struct {
-	LeafCertTTL         time.Duration
+	LeafCertTTL time.Duration
+	RootCertTTL time.Duration
+
+	// IntermediateCertTTL is only valid in the primary datacenter, and determines
+	// the duration that any signed intermediates are valid for.
 	IntermediateCertTTL time.Duration
-	RootCertTTL         time.Duration
 
 	SkipValidate bool
 
@@ -439,6 +442,10 @@ func (c CommonCAProviderConfig) Validate() error {
 		return nil
 	}
 
+	// todo(kyhavlov): should we output some kind of warning here (or in a Warnings() func)
+	// if the intermediate TTL is set in a secondary DC? allowing it to be set and do nothing
+	// seems bad.
+
 	// it's sufficient to check that the root cert ttl >= intermediate cert ttl
 	// since intermediate cert ttl >= 3* leaf cert ttl; so root cert ttl >= 3 * leaf cert ttl > leaf cert ttl
 	if c.RootCertTTL < c.IntermediateCertTTL {

website/content/partials/http_api_connect_ca_common_options.mdx

@@ -43,6 +43,15 @@ The following configuration options are supported by all CA providers:
 
   For the Vault provider, this value is only used if the backend is not initialized at first.
 
+- `IntermediateCertTTL` / `intermediate_cert_ttl` (`duration: "8760h"`) The time to live (TTL) for
+  any intermediate certificates signed by root certificate of the primary datacenter. *This field is only
+  valid in the primary datacenter*.
+  Defaults to 1 year as `8760h`.
+
+  This setting applies to all Consul CA providers.
+
+  For the Vault provider, this value is only used if the backend is not initialized at first.
+
 - `PrivateKeyType` / `private_key_type` (`string: "ec"`) - The type of key to generate
   for this CA. This is only used when the provider is generating a new key. If
   `private_key` is set for the Consul provider, or existing root or intermediate