Best practices with Vault/Consul PKI/mTLS? Is it worth it?

Hi all,

I’ve got a lab setup with Vault & Consul running nicely with TLS covering all endpoints and am deciding on adding in consul-template to rotate these certs.

This Vault cluster has PKI enabled and has bootstrapped its own certs; I think it makes sense to rotate the certs with a longer TTL, say 1 week.

It might even make sense to rotate the Vault/Consul certs in a staggered manner:

  • Vault: every 24 hours
  • Consul (Server cert): 18 hours
  • Consul (Client cert): 12 hours

If the client cert rotation poses any delay, it will break RPC communication and the entire Vault backend dies. Thoughts?

Is it fine if the consul-template task just calls systemctl restart consul.service (and the same for Vault as well?) once it has templated the new certs?
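The failure the post worries about (a rotation that breaks Consul RPC and takes the Vault backend down) is easiest to avoid by never letting the `command` that follows templating restart a service onto a cert that has not been checked first. The following is an added example, not code from the post or from HashiCorp: a Go program, using only the standard library, that performs the checks a pre-reload hook should make on a freshly rendered cert (PEM parses, private key matches, chain verifies against the CA the peers trust for the node's DNS name, and enough lifetime remains to survive a slow reload). The throwaway CA, the leaf it signs, and the node name `consul-server-1.node.dc1.consul` are constructed inline to stand in for what Vault's PKI engine would hand consul-template; the file paths and the hook wiring are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// ValidateLeaf checks a freshly templated certificate before a service is told to
// reload it: the PEM parses, the private key matches, the chain verifies against the
// CA the rest of the cluster trusts for dnsName, and at least minRemaining of lifetime
// is left so a slow reload cannot leave the node with an expired cert. It returns the
// time left until NotAfter on success.
func ValidateLeaf(certPEM, keyPEM, caPEM []byte, dnsName string, now time.Time, minRemaining time.Duration) (time.Duration, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("cert: no CERTIFICATE block found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, fmt.Errorf("cert: %w", err)
	}
	// tls.X509KeyPair refuses a key that does not belong to the cert, which catches a
	// template that rendered cert and key from two different Vault responses.
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return 0, fmt.Errorf("key does not match cert: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return 0, errors.New("ca: no certificates found in CA bundle")
	}
	opts := x509.VerifyOptions{
		Roots:       roots,
		DNSName:     dnsName,
		CurrentTime: now,
		// Consul RPC certs are used for both sides of the mTLS handshake.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return 0, fmt.Errorf("chain: %w", err)
	}
	remaining := leaf.NotAfter.Sub(now)
	if remaining < minRemaining {
		return remaining, fmt.Errorf("only %s of lifetime left, want at least %s", remaining, minRemaining)
	}
	return remaining, nil
}

// testPKI is constructed data for this example: a throwaway CA and one leaf it signed,
// standing in for the bundle Vault's PKI engine returns to consul-template.
type testPKI struct {
	CAPEM, CertPEM, KeyPEM []byte
}

func newTestPKI(dnsName string, now time.Time, ttl time.Duration) (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "lab-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl), // the role TTL the poster is choosing between
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{
		CAPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

func main() {
	now := time.Now()
	name := "consul-server-1.node.dc1.consul" // hypothetical node name
	p, err := newTestPKI(name, now, 12*time.Hour)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// Freshly rendered: full lifetime left, safe to reload onto.
	rem, err := ValidateLeaf(p.CertPEM, p.KeyPEM, p.CAPEM, name, now, time.Hour)
	fmt.Printf("fresh cert: remaining=%s err=%v\n", rem, err)
	// A bundle whose CA is not the one the peers trust: this is the cert that would
	// break RPC after a restart, so the hook must exit non-zero instead of reloading.
	other, _ := newTestPKI(name, now, 12*time.Hour)
	_, err = ValidateLeaf(p.CertPEM, p.KeyPEM, other.CAPEM, name, now, time.Hour)
	fmt.Printf("wrong CA: err=%v\n", err)
}
```

Wired in as consul-template's `command` for the template (paths assumed), the hook runs this validation and exits non-zero on any error, so the reload never happens on a bad bundle and the previous cert stays in place. On the restart question: Vault reloads its listener certificate and key on SIGHUP, so a `systemctl reload`-style signal is enough there and avoids an outage; for Consul, check whether the version in use lists TLS configuration among its reloadable settings before relying on `consul reload` instead of a full restart.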