docs: give better guidance about how to configure the agent TLS CA

2021-07-28 18:22:35 -04:00 · 2021-07-28 18:22:35 -04:00 · 7cf86dc2ab
parent cac45c9379
commit 7cf86dc2ab
1 changed files with 6 additions and 0 deletions
--- a/website/content/docs/agent/options.mdx
+++ b/website/content/docs/agent/options.mdx
@ -2211,6 +2211,12 @@ This section documents all of the configuration settings that apply to Agent TLS
 TLS is used by the HTTP API, server RPC, and xDS interfaces. Some of these settings may also be
 applied automatically by [auto_config](#auto_config) or [auto_encrypt](#auto_encrypt).

+~> **Security Note:** The Certificate Authority (CA) specified by `ca_file` and `ca_path`
+should use a private CA, not a public one.  We also recommend using a separate CA for
+Consul and not sharing the CA with any other systems. Any certificate signed by the
+CA will be allowed to communicate with the cluster and a specially crafted certificate
+signed by the CA can gain full read and write access to Consul.
+
 - `ca_file` This provides a file path to a PEM-encoded certificate
  authority. The certificate authority is used to check the authenticity of client
  and server connections with the appropriate [`verify_incoming`](#verify_incoming)