I would like to use internally generated IPA cert key pairs to secure consul.
Is it possible at all ?
Yes, it is, and there is a new guide describing it.
2 Likes
It looks like the guide instructs us to generate our own. I am not an expert on the subject of cert signing sadly. Is consul-agent-ca.pem the existing CA ?
Yes, it is.
As seen in the command
$ openssl x509 -req -in server1.dc1.consul.csr -CA consul-agent-ca.pem -CAkey consul-agent-ca-key.pem -CAcreateserial -out server1.dc1.consul.crt
and the manpage of openssl
-CA filename
specifies the CA certificate to be used for signing. When this option is present x509 behaves like a “mini CA”. The input file is signed by this CA using this option: that is its issuer name is set to the subject name of the CA and it is digitally signed using the CAs private key.
This option is normally combined with the -req option. Without the -req option the input is a certificate which must be self signed.