Generating TLS certificates with multiple Datacenter Clusters

Hi, I am trying to enable Consul (1.8) control plane TLS (server – server and server – agent). I have two datacenter clusters, with Service Mesh enabled on both through gateway proxies. One datacenter marked as primary.

I have a couple of options on where to generate certificates:

  1. Should TLS certificates for all datacenters be generated from a single Consul host in the primary datacenter?

  2. Should TLS certificates for each datacenter be generated on a chosen host inside that datacenter?

  3. Does Consul use the same CA process to manage Service Mesh certificates (service – service TLS) and Control Plane certificates (server – server and server – agent)?

Thank you.
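The control-plane certificate layout the question is asking about, as an added example that is not part of the original post: one agent CA signs a separate server certificate per datacenter, each carrying the `server.<dc>.consul` name that `verify_server_hostname` checks. It uses plain openssl rather than Consul's built-in `consul tls` CLI (the equivalent `consul tls` commands are shown as comments), assumes the default `consul` domain, and the file names are my own choice.

```shell
#!/bin/sh
# Added example (not from the forum post or the Consul project): a single
# control-plane CA that signs server certificates for several datacenters.
# Consul's own CLI produces the same layout with:
#   consul tls ca create
#   consul tls cert create -server -dc dc1
#   consul tls cert create -server -dc dc2
#   consul tls cert create -client -dc dc1
# Assumed: Consul's default domain "consul" and the file names used below.
set -eu

# Create the CA key and self-signed CA certificate in directory $1.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -subj "/CN=Consul Agent CA" \
        -keyout "$dir/consul-agent-ca-key.pem" \
        -out "$dir/consul-agent-ca.pem" >/dev/null 2>&1
}

# Issue a server certificate for datacenter $2, signed by the CA in $1.
# The SAN server.<dc>.consul is what verify_server_hostname checks, so each
# datacenter needs its own server certificate even when there is one CA.
make_server_cert() {
    dir=$1; dc=$2
    name="server.$dc.consul"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" \
        -keyout "$dir/$dc-server-key.pem" \
        -out "$dir/$dc-server.csr" >/dev/null 2>&1
    # Servers talk to each other as both client and server, so the leaf
    # needs both EKUs; localhost/127.0.0.1 are included for local CLI use.
    printf 'subjectAltName=DNS:%s,DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' "$name" \
        > "$dir/$dc-server.ext"
    openssl x509 -req -sha256 -days 365 \
        -in "$dir/$dc-server.csr" \
        -CA "$dir/consul-agent-ca.pem" -CAkey "$dir/consul-agent-ca-key.pem" \
        -CAcreateserial -extfile "$dir/$dc-server.ext" \
        -out "$dir/$dc-server.pem" >/dev/null 2>&1
}

# Check that the certificate for datacenter $2 chains to the CA in $1 and is
# valid for hostname $3 (default server.<dc>.consul). This mirrors what an
# agent does with verify_outgoing plus verify_server_hostname enabled.
verify_server_cert() {
    dir=$1; dc=$2; expect=${3:-"server.$dc.consul"}
    openssl verify -CAfile "$dir/consul-agent-ca.pem" \
        -verify_hostname "$expect" "$dir/$dc-server.pem" >/dev/null 2>&1
}

# Demo: one CA (kept in the primary datacenter), server certs for dc1 and dc2.
demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    make_server_cert "$dir" dc1
    make_server_cert "$dir" dc2
    verify_server_cert "$dir" dc1 && echo "dc1 server cert ok"
    verify_server_cert "$dir" dc2 && echo "dc2 server cert ok"
    # A dc1 server certificate must not be accepted under dc2's name.
    if verify_server_cert "$dir" dc1 server.dc2.consul; then
        echo "unexpected: dc1 cert accepted as server.dc2.consul"; return 1
    fi
    echo "dc1 cert correctly rejected for server.dc2.consul"
    echo "artifacts in $dir"
}

demo
```

The CA key only needs to exist where certificates are issued; agents in either datacenter need just the CA certificate plus their own leaf, and the per-datacenter name in the SAN is what keeps a dc1 server from being trusted as a dc2 server under `verify_server_hostname`. This covers the agent (control-plane) CA only; Consul Connect issues service-to-service certificates from its separate Connect CA, configured under `connect` (`ca_provider`), not from this CA.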