I’m struggling to figure out how to configure a Consul Connect service mesh and its certs.

The model is that I have:

- a root cert that is the trust anchor (with a key that is securely stored)
- an intermediate cert (signed by the root key) and intermediate key that can be issued to Consul Connect to sign leaf certs

I would like to configure Consul with both the root cert and intermediate cert, so that it will:

- offer a cert chain on mTLS interactions that includes both the leaf and intermediate certs
- perform validation based on the shared root of trust, even if (in principle) the intermediate certs of the two ends of the mTLS exchange differ

Is there any reason why I cannot configure this, or, if I can, any pointers on how? It does seem that Consul Connect supports intermediate certs, but only in Vault mode or when configuring certificate replacement - and I am confused as to whether this is really correct.