Before beginning your Consul journey, understand that a Consul cluster includes two Certificate Authorities (CAs): the Primary CA and the Connect CA. The Primary CA manages certificates for the Consul cluster's internal operations, while the Connect CA secures service-to-service communication within the cluster.

Primary CA — Used for Consul agent to agent RPC Communication. It's typically managed by the consul TLS CLI command. The following is the one that deals with the Consul agent configs below:

{
... 
  "ca_file": "/etc/consul.d/consul-agent-ca.pem",
  "cert_file": "/etc/consul.d/colo-b-server-consul-0.pem",
  "key_file": "/etc/consul.d/colo-b-server-consul-0-key.pem",
  "auto_encrypt": {
    "allow_tls": true
  },

Connect CA — It’s a “built-in CA” and will be automatically created when connect.enable = true in the Consul configuration. It is used for Consul’s mTLS communication between Services within the Service Mesh.
- With the API endpoint below, you’re querying the Connect CA Roots, not the Primary CA root certs.
- ```
  $ curl http://localhost:8500/v1/connect/ca/roots
```
- You can also switch to external Vault as the Connect CA as well, but it requires a lot of configuration, for example:
- ```
  connect {
    enabled = true
    ca_provider = "vault"
    ca_config {
      address = "http://localhost:8200"
      token = "<vault-token-with-necessary-policy>"
      root_pki_path = "connect-root"
      intermediate_pki_path = "connect-dc1-intermediate"
    }
  }
```

Finally, both CAs can be either Consul's built-in CA or an external CA.

CAs in Consul

Subscribe to my newsletter

Bruce L

Bruce L