From 7cf86dc2aba56c840c2f7fd068457892b7327df4 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Wed, 28 Jul 2021 18:22:35 -0400 Subject: [PATCH 1/2] docs: give better guidance about how to configure the agent TLS CA --- website/content/docs/agent/options.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx index 2ecbe11d2..bbaaaf34d 100644 --- a/website/content/docs/agent/options.mdx +++ b/website/content/docs/agent/options.mdx @@ -2211,6 +2211,12 @@ This section documents all of the configuration settings that apply to Agent TLS TLS is used by the HTTP API, server RPC, and xDS interfaces. Some of these settings may also be applied automatically by [auto_config](#auto_config) or [auto_encrypt](#auto_encrypt). +~> **Security Note:** The Certificate Authority (CA) specified by `ca_file` and `ca_path` +should use a private CA, not a public one. We also recommend using a separate CA for +Consul and not sharing the CA with any other systems. Any certificate signed by the +CA will be allowed to communicate with the cluster and a specially crafted certificate +signed by the CA can gain full read and write access to Consul. + - `ca_file` This provides a file path to a PEM-encoded certificate authority. The certificate authority is used to check the authenticity of client and server connections with the appropriate [`verify_incoming`](#verify_incoming) From efad0234f4fe9e08fe9a3ad2815ddfc768dbd7c3 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Thu, 29 Jul 2021 12:38:30 -0400 Subject: [PATCH 2/2] Update website/content/docs/agent/options.mdx Co-authored-by: Kent 'picat' Gruber --- website/content/docs/agent/options.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx index bbaaaf34d..6d6a11aea 100644 --- a/website/content/docs/agent/options.mdx +++ b/website/content/docs/agent/options.mdx @@ -2211,11 +2211,11 @@ This section documents all of the configuration settings that apply to Agent TLS TLS is used by the HTTP API, server RPC, and xDS interfaces. Some of these settings may also be applied automatically by [auto_config](#auto_config) or [auto_encrypt](#auto_encrypt). -~> **Security Note:** The Certificate Authority (CA) specified by `ca_file` and `ca_path` -should use a private CA, not a public one. We also recommend using a separate CA for -Consul and not sharing the CA with any other systems. Any certificate signed by the +~> **Security Note:** The Certificate Authority (CA) specified by `ca_file` or `ca_path` +should be a private CA, not a public one. We recommend using a dedicated CA +which should not be used with any other systems. Any certificate signed by the CA will be allowed to communicate with the cluster and a specially crafted certificate -signed by the CA can gain full read and write access to Consul. +signed by the CA can be used to gain full access to Consul. - `ca_file` This provides a file path to a PEM-encoded certificate authority. The certificate authority is used to check the authenticity of client