Encrypt API gateway traffic on virtual machines

This topic describes how to make TLS certificates available to API gateways so that requests between the user and the gateway endpoint are encrypted.

Requirements

Consul v1.15 or later is required to use the Consul API gateway on VMs
- Consul v1.19 or later is required to use the file system certificate configuration entry
You must have a certificate and key from your CA
A Consul cluster with service mesh enabled. Refer to connect
Network connectivity between the machine deploying the API gateway and a Consul cluster agent or server

ACL requirements

If ACLs are enabled, you must present a token with the following permissions to configure Consul and deploy API gateways:

Refer Mesh Rules for additional information about configuring policies that enable you to interact with Consul API gateway configurations.

Define TLS certificates

Create a file system certificate or inline certificate and specify the following fields:
- Kind: Specifies the type of configuration entry. This must be set to file-system-certificate or inline-certificate.
- Name: Specify the name in the API gateway listener configuration to bind the certificate to that listener.
- Certificate: Specifies the filepath to the certificate on the local system or the inline public certificate as plain text.
- PrivateKey: Specifies the filepath to private key on the local system or the inline private key to as plain text.
Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the file system certificate configuration reference or inline certificate configuration reference for more information.
Save the configuration.

Examples

The following example defines a certificate named my-certificate. API gateway configurations that specify inline-certificate in the Certificate.Kind field and my-certificate in the Certificate.Name field are able to use the certificate.

Kind = "inline-certificate"
Name = "my-certificate"

Certificate = <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF

PrivateKey = <<EOF
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
EOF

The following example defines a certificate named my-certificate. API gateway configurations that specify file-system-certificate in the Certificate.Kind field and my-certificate in the Certificate.Name field are able to use the certificate.

Kind                     = "file-system-certificate"
Name                     = "my-certificate"
Certificate              = "/opt/consul/tls/api-gateway.crt"
PrivateKey               = "/opt/consul/tls/api-gateway.key"

Deploy the configuration to Consul

Run the consul config write command to enable listeners to use the certificate. The following example writes a configuration called my-certificate.hcl:

$ consul config write my-certificate.hcl