Security benefit of custom CA for Raft storage mTLS

Hi,

I was wondering if a custom CA for Raft storage communication is recommended. I am referring to the options leader-ca-cert, leader-client-cert and leader-client-key that can be specified when running vault operator raft join or in the retry_join block in Vault’s config.

HashiCorp tutorials and docs don’t mention the above options for integrated storage as far as I could see (except that they exist). On this docs page, it says:

Once nodes are joined to one another they begin to communicate using mTLS over Vault’s cluster port. The cluster port defaults to 8201 . The TLS information is exchanged at join time and is rotated on a cadence.

What’s the benefit of the options above then? Ensuring authenticity at join time? As I understand, the unseal keys are used as authentication when joining a Raft node to the cluster. I suppose an attacker that has the unseal keys could get all secrets by joining the cluster if no custom CA is used. However, if an attacker has the unseal keys, he could mint a new root token and access secrets anyways.

Thanks
Nick

Hi,

in case anyone else is wondering the same and stumbles on this thread, this is what I found: if tls_require_and_verify_client_cert isn’t enabled in your listener, using client certificates in the raft configuration doesn’t provide benefits because it is also possible to join without a client certificate.

Specifying a leader CA to verify the server certificate always makes sense. In my case, the server certificate is signed by a company internal CA. If an attacker can hijack traffic somehow, he still can’t MitM a raft join request without a certificate that is signed by the leader CA. As suspected, the leader CA and client certificate is only relevant at join time and has no effect otherwise.

Best
Nick