I’m struggling to figure out how to configure a Consul Connect service mesh and its certs.
The model is that I have:
- a root cert that is the trust anchor (with a key that is securely stored)
- an intermediate cert (signed by the root key) and intermediate key that Consul Connect can be issued to sign leaf certs
I would like to configure Consul with both the root cert and intermediate cert, so that it will:
- offer a cert chain on mTLS interactions that includes both the leaf and intermediate certs
- perform validation based on the shared root of trust, even if (in principle) the intermediate certs of the two ends of the mTLS exchange differ
Is there any reason why I cannot configure this, or, if I can, any pointers on how? It does seem that Consul Connect supports intermediate certs, but only in Vault mode or when configuring certificate replacement, and I am confused as to whether this is really correct.
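As an added example that is not part of the original post and is not Consul's own code: the validation model the question describes (each side presents leaf plus intermediate, the verifier trusts only the shared root, and the two sides' intermediates may differ) carried through end to end with Go's standard-library crypto/x509. It builds one root, two different intermediates signed by that root and a leaf under each, then has each side validate the other's chain with nothing but the root in its trust store, and checks that a leaf presented without its intermediate is rejected. The CA names and the SPIFFE-style URI SANs are constructed for this example; it does not show how such an intermediate is loaded into Consul's CA provider, which is the part the question is actually asking about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CA pairs a CA certificate with its signing key (all in memory for the demo;
// in the post's model the root key would be kept offline).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// must: if key generation or signing fails there is nothing sensible to do here.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue fills in serial and validity start, signs tmpl with signer (or with
// selfKey when signer is nil, i.e. the root) and parses the result.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, signer *CA, selfKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	tmpl.SerialNumber, tmpl.NotBefore = serial, time.Now().Add(-time.Minute)
	parent, key := tmpl, selfKey
	if signer != nil {
		parent, key = signer.Cert, signer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// newCA returns the self-signed root when parent is nil, otherwise an
// intermediate signed by parent and constrained (pathlen 0) to issuing leaves.
func newCA(name string, parent *CA) *CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLenZero:        parent != nil,
	}
	return &CA{Cert: issue(tmpl, &key.PublicKey, parent, key), Key: key}
}

// newLeaf issues a service certificate carrying its identity in a URI SAN.
// The leaf key is not needed for path validation, so it is discarded.
func newLeaf(spiffeID string, issuer *CA) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	id, err := url.Parse(spiffeID)
	must(err)
	return issue(&x509.Certificate{
		NotAfter:    time.Now().Add(72 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id},
	}, &key.PublicKey, issuer, nil)
}

// verifyPeer is the check one side of the handshake performs on the other:
// presented is the chain sent on the wire (leaf first, then intermediates),
// root is the sole trust anchor. It returns the peer's identity on success.
func verifyPeer(presented []*x509.Certificate, root *x509.Certificate) (string, error) {
	if len(presented) == 0 {
		return "", fmt.Errorf("peer presented no certificate")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented[0].Verify(opts); err != nil {
		return "", err
	}
	if n := len(presented[0].URIs); n != 1 {
		return "", fmt.Errorf("expected one URI SAN, got %d", n)
	}
	return presented[0].URIs[0].String(), nil
}

// Demo: one root, two distinct intermediates, a leaf under each. Each leaf is
// validated as the opposite side would, with only the root trusted. It returns
// both accepted identities and whether a leaf sent without its intermediate
// was rejected. The SPIFFE IDs are constructed for this example.
func Demo() (webID, apiID string, missingIntermediateRejected bool) {
	root := newCA("Example Root CA", nil)
	interA, interB := newCA("Intermediate A", root), newCA("Intermediate B", root)
	web := newLeaf("spiffe://example.consul/ns/default/dc/dc1/svc/web", interA)
	api := newLeaf("spiffe://example.consul/ns/default/dc/dc2/svc/api", interB)
	var err error
	webID, err = verifyPeer([]*x509.Certificate{web, interA.Cert}, root.Cert)
	must(err)
	apiID, err = verifyPeer([]*x509.Certificate{api, interB.Cert}, root.Cert)
	must(err)
	_, err = verifyPeer([]*x509.Certificate{web}, root.Cert) // no intermediate: no path to root
	return webID, apiID, err != nil
}

func main() {
	fmt.Println(Demo())
}
```

The property this exercises is the one the question asks for: the verifying side needs only the root, and the intermediate that issued a given leaf only has to travel with that leaf in the handshake. Whichever component issues leaves therefore also has to make the intermediate available for presentation; a leaf on its own, as the last check shows, cannot be chained to the root.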