CA certificates relationship HL diagram (#12022)

* add diagram and text to explain certificates in consul * use bullet points instead of enumeration * Apply suggestions from code review Co-authored-by: mrspanishviking <kcardenas@hashicorp.com> * remove non needed text and improve image * fix cert naming * move section to the right place * rename DC Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
2022-01-12 16:10:00 -05:00 · 2022-01-12 16:10:00 -05:00 · 2a0e15cd69
parent ca94446773
commit 2a0e15cd69
2 changed files with 18 additions and 0 deletions
--- a/website/content/docs/connect/ca/index.mdx
+++ b/website/content/docs/connect/ca/index.mdx
@ -20,6 +20,23 @@ support for using
 [Vault as a CA](/docs/connect/ca/vault). With Vault, the root certificate
 and private key material remain with the Vault cluster.

+### CA and Certificate relationship
+
+This diagram shows the relationship between the CA certificates in a Consul primary datacenter and a
+secondary Consul datacenter.
+
+![CA relationship](/img/cert-relationship.svg)
+
+Leaf certificates are created for two purposes:
+- the Leaf Cert Service is used by envoy proxies in the mesh to perform mTLS with other
+services.
+- the Leaf Cert Client Agent is created by auto-encrypt and auto-config. It is used by
+client agents for HTTP API TLS, and for mTLS for RPC requests to servers.
+
+Any secondary datacenters receive an intermediate certificate, signed by the Primary Root
+CA, which is used as the CA certificate to sign leaf certificates in the secondary
+datacenter.
+
 ## CA Bootstrapping

 CA initialization happens automatically when a new Consul leader is elected
--- a/website/public/img/cert-relationship.svg
+++ b/website/public/img/cert-relationship.svg