Hi All,
I am trying to set up a Consul cluster with 3 servers and 2 clients and would like to import TLS with our own CA authority. According to the link:
It says the Common Name should contain “server..”, what if there are several servers/clients in the cluster? Could different Consul servers share the same Common Name? Since in our environment, any CN must be resolvable in the DNS.
Thanks.
Well, I just created a new cert via the Consul CLI. It seems the CN is not required, but you have to include server.. in the DNS:
[dujas@centos8-7 ~]$ openssl x509 -in dc1-server-consul-1.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:c1:fa:5c:c7:ed:ff:fe:d8:ba:17:17:17:49:d6:2e
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = CA, L = San Francisco, street = 101 Second Street, postalCode = 94105, O = HashiCorp Inc., CN = Consul Agent CA 325971011007093999275685970307785688664
        Validity
            Not Before: Aug 25 08:20:17 2022 GMT
            Not After : Aug 25 08:20:17 2023 GMT
        Subject: CN = server.dc1.consul
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:3f:94:8d:51:b6:ba:f4:64:96:58:20:1c:99:45:
                    b4:66:4a:cf:50:0e:ae:a5:4f:42:4a:b1:84:e7:a7:
                    1a:a2:e7:6b:f5:1b:a3:f9:2f:32:4c:ac:87:e6:b7:
                    be:bb:72:db:69:aa:ff:df:3d:2b:66:b0:c8:29:f2:
                    bd:9a:ae:c8:ea
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                3A:32:64:07:81:C2:C1:67:CE:07:33:85:1C:3D:50:61:6F:2F:57:14:2D:08:BE:14:B2:DC:00:D9:0F:33:A1:19
            X509v3 Authority Key Identifier:
                keyid:88:81:77:32:68:4C:D6:07:F5:31:5E:D1:4D:B9:CA:4F:17:40:7D:F1:6C:0A:CF:92:6D:17:11:39:A8:22:E0:61
            X509v3 Subject Alternative Name:
                DNS:server.dc1.consul, DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:e7:e2:df:56:7d:16:73:2e:ef:01:c1:54:5b:
         da:a7:73:1c:7e:25:28:91:c4:de:76:a7:7c:83:b2:9e:40:6d:
         f3:02:21:00:86:d7:6d:43:ef:bc:c5:8f:8b:7a:58:fe:71:ef:
         5b:44:c7:3f:87:ad:0c:60:dd:b0:e5:be:45:88:59:2d:6b:c5
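A check for the point made in the reply above, as an added example that is not part of the original thread: it parses `openssl x509 -noout -text` output for a certificate issued by your own CA and verifies that the SAN carries the shared server name and that both EKUs seen above are present. The `server.<datacenter>.<domain>` pattern, the defaults `dc1` and `consul`, and all function names are assumptions read off the certificate shown.

```python
import re

# Constructed sample: trimmed from the openssl text dump shown in the post above.
SAMPLE = """\
Subject: CN = server.dc1.consul
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
    DNS:server.dc1.consul, DNS:localhost, IP Address:127.0.0.1
"""

def _line_after(text, header):
    """Return the stripped line that follows an extension header, or ''."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.strip().startswith(header):
            return lines[i + 1].strip()
    return ""

def parse_cert_text(text):
    """Extract subject CN, SAN entries and EKU values from openssl's text dump."""
    cn = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n/]+)", text, re.MULTILINE)
    sans = {"DNS": [], "IP Address": []}
    for item in _line_after(text, "X509v3 Subject Alternative Name").split(","):
        kind, _, value = item.strip().partition(":")
        if kind in sans and value:
            sans[kind].append(value.strip())
    eku_line = _line_after(text, "X509v3 Extended Key Usage")
    return {"cn": cn.group(1).strip() if cn else None,
            "dns": sans["DNS"], "ip": sans["IP Address"],
            "eku": [e.strip() for e in eku_line.split(",") if e.strip()]}

def check_server_cert(text, datacenter="dc1", domain="consul"):
    """Return a list of problems; an empty list means the cert fits the pattern."""
    cert = parse_cert_text(text)
    expected = f"server.{datacenter}.{domain}"  # assumed naming pattern
    problems = []
    if expected not in cert["dns"]:  # the name is checked in the SAN, not the CN
        problems.append(f"SAN has no DNS:{expected}")
    for usage in ("TLS Web Server Authentication", "TLS Web Client Authentication"):
        if usage not in cert["eku"]:
            problems.append(f"missing EKU: {usage}")
    return problems

if __name__ == "__main__":
    print(parse_cert_text(SAMPLE))
    print(check_server_cert(SAMPLE) or "OK")
```

Run it against the text dump of each server certificate; a certificate whose SAN lists only the host's own resolvable name is reported, while extra SAN entries next to the shared server name do not trigger a finding.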