Service Mesh Certificate Authority Overview
Service mesh certificate management is done centrally through the Consul servers using the configured service mesh CA (Certificate Authority) provider. A CA provider manages root and intermediate certificates and performs certificate signing operations. The Consul leader orchestrates CA provider operations as necessary, such as when a service needs a new certificate or during CA rotation events.
The CA provider abstraction enables Consul to support multiple systems for storing and signing certificates. Consul ships with a built-in CA which generates and stores the root certificate and private key on the Consul servers. Consul also has support for using Vault as a CA. With Vault, the root certificate and private key material remain with the Vault cluster.
CA and Certificate relationship
This diagram shows the relationship between the CA certificates in a Consul primary datacenter and a secondary Consul datacenter.
Leaf certificates are created for two purposes:
- the Leaf Cert Service is used by envoy proxies in the mesh to perform mTLS with other services.
- the Leaf Cert Client Agent is created by auto-encrypt and auto-config. It is used by client agents for HTTP API TLS, and for mTLS for RPC requests to servers.
Any secondary datacenters use their CA provider to generate an intermediate certificate signing request (CSR) to be signed by the primary root CA. They receive an intermediate CA certificate, which is used to sign leaf certificates in the secondary datacenter.
You can use different providers across primary and secondary datacenters. For example, an operator may use a Vault CA provider for extra security in the primary datacenter but choose to use the built-in CA provider in the secondary datacenter, which may not have a reachable Vault cluster. The following table compares the built-in and Vault providers.
CA Provider Comparison
Consul built-in | Vault | |
---|---|---|
Security | CA private keys are stored on disk | CA private keys are stored in Vault and are never exposed to Consul server agents |
Resiliency | No dependency on external systems. If Consul is available, it can sign certificates | Dependent on Vault availability |
Latency | Consul signs certificates locally | A network call to Vault is required to sign certificates |
CA Bootstrapping
CA initialization happens automatically when a new Consul leader is elected as long as service mesh is enabled, and the CA system has not already been initialized. This initialization process will generate the initial root certificates and setup the internal Consul server state.
For the initial bootstrap, the CA provider can be configured through the Agent configuration. After initialization, the CA can only be updated through the Update CA Configuration API endpoint. If a CA is already initialized, any changes to the CA configuration in the agent configuration file (including removing the configuration completely) will have no effect.
If no specific provider is configured when service mesh is enabled, the built-in Consul CA provider will be used and a private key and root certificate will be generated automatically.
Viewing Root Certificates
Root certificates can be queried with the list CA Roots endpoint. With this endpoint, you can see the list of currently trusted root certificates. When a cluster first initializes, this will only list one trusted root. Multiple roots may appear as part of rotation.
CA Configuration
After initialization, the CA provider configuration can be viewed with the Get CA Configuration API endpoint. Consul will filter sensitive values from this endpoint depending on the provider in use, so the configuration may not be complete.
The CA provider can be reconfigured using the Update CA Configuration API endpoint. Specific options for reconfiguration can be found in the specific CA provider documentation in the sidebar to the left.
Root Certificate Rotation
Whenever the CA's configuration is updated in a way that causes the root key to change, a special rotation process will be triggered in order to smoothly transition to the new certificate. This rotation is automatically orchestrated by Consul.
If the current CA Provider doesn't support cross-signing, this process can't be followed. See Forced Rotation Without Cross-Signing.
This also automatically occurs when a completely different CA provider is configured (since this changes the root key). Therefore, this automatic rotation process can also be used to cleanly transition between CA providers. For example, updating the service mesh to use Vault instead of the built-in CA.
During rotation, an intermediate CA certificate is requested from the new root, which is then cross-signed by the old root. This cross-signed certificate is then distributed alongside any newly-generated leaf certificates used by the proxies once the new root becomes active, and provides a chain of trust back to the old root certificate in the event that a certificate signed by the new root is presented to a proxy that has not yet updated its bundle of trusted root CA certificates to include the new root.
After the cross-signed certificate has been successfully generated and the new root certificate or CA provider has been set up, the new root becomes the active one and is immediately used for signing any new incoming certificate requests.
If we check the list CA roots endpoint after updating the configuration with a new root certificate, we can see both the old and new root certificates are present, and the currently active root has an intermediate certificate which has been generated and cross-signed automatically by the old root during the rotation process:
The old root certificate will be automatically removed once enough time has elapsed for any leaf certificates signed by it to expire.
Forced Rotation Without Cross-Signing
If the CA provider that is currently in use does not support cross-signing, then attempts to change the root key or CA provider will fail. This is to ensure operators don't make the change without understanding that there is additional risk involved.
It is possible to force the change to happen anyway by setting the
ForceWithoutCrossSigning
field in the CA configuration to true
.
The downside is that all new certificates will immediately start being signed with the new root key, but it will take some time for agents throughout the cluster to observe the root CA change and reconfigure applications and proxies to accept certificates signed by this new root. This will mean connections made with a new certificate may fail for a short period after the CA change.
Typically all connected agents will have observed the new roots within seconds even in a large deployment so the impact should be contained. But it is possible for a disconnected, overloaded or misconfigured agent to not see the new root for an unbounded amount of time during which new connections to services on that host will fail. The issue will resolve as soon as the agent can reconnect to servers.
Currently both Consul and Vault CA providers do support cross signing. As more providers are added this documentation will list any that this section applies to.
Recovering From Expired Certificates
If the built-in CA provider is misconfigured or unavailable, Consul service mesh requests eventually stop functioning due to expiration of intermediate and root certificates. To recover manually, use the CLI helper to generate CA certificates.
Example - Regenerating the built in CA
The example above generates a new CA with a validity of 365 days. The cluster-id argument is specific
to each cluster and can be looked up by examining the TrustDomain
field in
the List CA Roots endpoint.
The contents of the generated cert and private key files from the above step should then be used with the Update CA Configuration endpoint. Once the CA configuration is updated on the primary datacenter, all secondary datacenters will pick up the changes and regenerate their intermediate and leaf certificates, after which any new requests that require certificate verification will succeed.