Hi, I am trying to enable Consul (1.8) control plane TLS (server – server and server – agent). I have two datacenter clusters, with Service Mesh enabled on both through gateway proxies. One datacenter is marked as primary.
I have a couple of options on where to generate certificates:
- Should TLS certificates for all datacenters be generated from a single Consul host in the primary datacenter?
- Should TLS certificates for each datacenter be generated on a chosen host inside that datacenter?
- Does Consul use the same CA process to manage Service Mesh certificates (service – service TLS) and Control Plane certificates (server – server and server – agent)?
Thank you.