Is there a way to use my own TLS certificate in the Consul service mesh instead of the certificates issued by Consul?

Hello,
I am using Consul for service mesh. My microservices are located in Kubernetes, and my Consul servers are deployed on VMs. I used the Consul Helm chart to deploy the connect injector, which injects the Envoy sidecar proxy into every microservice pod, beside every microservice container. I use the mesh in non-transparent mode, and I specified the upstream service for every microservice. After the Envoy proxies are deployed, I get the config dump of one of the Envoy proxies, and it contains the certificate for each upstream service like this:

"transport_socket": {
  "name": "tls",
  "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
    "common_tls_context": {
      "tls_params": {
        "tls_maximum_protocol_version": "TLSv1_3"
      },
      "tls_certificates": [
        {
          "certificate_chain": {
            "inline_string": "-----BEGIN CERTIFICATE-----\nsome certificate\n-----END CERTIFICATE-----\n"
          },
          "private_key": {
            "inline_string": "[redacted]"
          }
        }
      ],
      "validation_context": {
        "trusted_ca": {
          "inline_string": "-----BEGIN CERTIFICATE-----\nsome certificate\n-----END CERTIFICATE-----\n"
        },
        "match_typed_subject_alt_names": [
          {
            "san_type": "URI",
            "matcher": {
              "exact": "spiffe://60fdcd0c-7a68-01c8-b080-772166a3a5fb.consul/ns/default/dc/us-central/svc/tax-collection-keymanager-svc"
            }
          }
        ]
      }
    },
    "sni": "tax-collection-keymanager-svc.default.us-central.internal.60fdcd0c-7a68-01c8-b080-772166a3a5fb.consul"
  }
}

Now I want to know: is there a way to use my own TLS certificates and private keys instead of the certificates and private keys that were issued by Consul?

The biggest issues I see when trying to manage this yourself are:

  1. How would you implement short-lived certificates? Normally these certificates are short-lived, only valid for about 24 hours. How will you manage the rotation of these?
  2. If you're talking about generating the client certs for the proxy for the service, how do you manage the SPIFFE part that ensures the TLS is compliant with SPIFFE X.509 Identity Documents?

If you want them signed by, say, your own CA or intermediate CA, maybe check out this article that utilises Vault and your own CA to create service mesh certs for mTLS:

Generate mTLS Certificates for Consul with Vault | Consul | HashiCorp Developer

Thanks for your reply

  1. You're right. The certificate rotation feature is very useful, but suppose for some reason one's own certificate is preferred. For example, suppose I want to use different signature algorithms. The default signature algorithm, as I saw, is prime256v1, but I want to use secp521r1. Is it possible to select the signature algorithm? Is it possible to change the CA root? If I change the CA root with the desired signature algorithm, does the leaf certificate then change correspondingly? In this link it is written: "The built-in CA generates and stores the root certificate and private key on Consul servers. It can also be configured with a custom certificate and private key if needed." How do I configure it with a custom certificate and private key?

  2. I think this does not cause an issue. The trust domain is fixed, and I generate the certificates according to it.
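A check a defender can run on the certificate_chain value pulled from a config dump like the one above, covering the points raised in both replies: which key curve the leaf uses (prime256v1 vs. secp521r1), which SPIFFE URI SAN it carries for match_typed_subject_alt_names, and how long it is valid before rotation. This is an added Go example, not code from either poster or from Consul; the SPIFFE ID and the self-signed sample leaf are constructed here and are not Consul-issued.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// InspectLeaf returns the key curve ("P-256" = prime256v1, "P-521" = secp521r1), SPIFFE URI SAN, and lifetime.
func InspectLeaf(pemBytes []byte) (curve, spiffeID string, lifetime time.Duration, err error) {
	block, _ := pem.Decode(pemBytes) // pemBytes is the certificate_chain.inline_string value
	if block == nil || block.Type != "CERTIFICATE" {
		return "", "", 0, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", "", 0, err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
		curve = pub.Curve.Params().Name
	}
	if len(cert.URIs) > 0 { // Connect leaf certs carry the SPIFFE ID as a URI SAN
		spiffeID = cert.URIs[0].String()
	}
	return curve, spiffeID, cert.NotAfter.Sub(cert.NotBefore), nil
}

// MakeSampleLeaf builds a constructed self-signed leaf on the given curve; a stand-in, not a Consul-issued cert.
func MakeSampleLeaf(curve elliptic.Curve, spiffeID string, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	uri, _ := url.Parse(spiffeID) // constructed, well-formed SPIFFE ID supplied by the caller
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), URIs: []*url.URL{uri},
		NotBefore: now, NotAfter: now.Add(lifetime)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Feeding InspectLeaf the real inline_string from a sidecar's dump shows whether a custom root actually changed the leaf's curve and whether the lifetime still fits the rotation window the first reply describes.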