Consul service mesh certification authority - build-in

joomn11 · August 23, 2024, 9:15am

i am using service mesh with
{
connect: enable
}

but did not configure connect.privateKey, connect.RootCert

then , consul will automatically that values
so when i call “curl http://127.0.0.1:8500/v1/connect/ca/roots”
i got some info like this

{
  "ActiveRootID": "",
  "TrustDomain": "l",
  "Roots": [
    {
      "NotBefore": "2023-06-07T22:42:49Z",
      "NotAfter": "2033-06-04T22:42:49Z",
      "RootCert": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n"
    }
  ]
}

i am wondering,
before NotAfter period, consul connect will regenerate rootCert?

do you know the answer?

madsboddum · September 8, 2025, 11:24am

I have the exact same question. The root certificate was autogenerated by Consul, so it stands to reason that Consul might autogenerate a new one at some point.

The documentation has a section on Root Certificate Rotation and that a new root certificate is added - when switching CA Providers. What if I just continue on with the built-in CA?

Ranjandas · January 6, 2026, 11:17pm

Hi @madsboddum,

Consul will generate a new CA take care of the rotation seamlessly without affecting the applications running inside the mesh.

madsboddum · January 12, 2026, 9:40am

Ok, that’s good to know. Thanks!

Topic		Replies	Views
Consul Connect Root CA rotation process Consul	4	925	July 23, 2021
Consul Connect CA w/ Vault Consul	4	1291	January 14, 2021
Root certificate rotation ends up in "x509: certificate has expired or is not yet valid" Consul	0	3228	March 3, 2021
Problem adding custom root cert and key for Consul Connect Consul	2	485	May 25, 2022
Is there a way to use the own TLS certificate in consul service mesh instead of the certficiates issued by consul? Consul	2	170	July 2, 2024

Consul service mesh certification authority - build-in

Related topics