CAs in Consul


Before beginning your Consul journey, understand that a Consul cluster includes two Certificate Authorities (CAs): the Primary CA and the Connect CA. The Primary CA manages certificates for the Consul cluster's internal operations, while the Connect CA secures service-to-service communication within the cluster.
- Primary CA — Used for Consul agent-to-agent RPC communication. Its certificates are typically generated with the `consul tls` CLI command and referenced by the agent TLS settings shown in the configuration fragment below:

    {
      ...
      "ca_file": "/etc/consul.d/consul-agent-ca.pem",
      "cert_file": "/etc/consul.d/colo-b-server-consul-0.pem",
      "key_file": "/etc/consul.d/colo-b-server-consul-0-key.pem",
      "auto_encrypt": {
        "allow_tls": true
      }
    }
- Connect CA — A "built-in CA" that is created automatically when `connect { enabled = true }` is set in the Consul configuration. It is used for Consul's mTLS communication between services within the service mesh. With the API endpoint below, you are querying the Connect CA roots, not the Primary CA root certificates:

    $ curl http://localhost:8500/v1/connect/ca/roots
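To tell the two trust roots apart in practice, here is an added Python check (not from the original post) that fingerprints the certificates in the agent's `ca_file` bundle and the roots returned by `/v1/connect/ca/roots`, reports the active Connect root, and flags whether the agent RPC CA has leaked into the mesh trust roots. The PEM bodies and root IDs below are constructed stand-ins, not real certificates; on a live cluster you would read the real `ca_file` and the real API response instead.

```python
"""Distinguish Consul's agent-RPC CA (ca_file) from the Connect CA roots
returned by GET /v1/connect/ca/roots. Sample data below is constructed."""
import base64
import hashlib
import json
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM bundle, computed
    over the decoded DER bytes so PEM line wrapping does not matter."""
    fps = []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def classify(agent_ca_pem, roots_response):
    """Name the active Connect root and check that the agent CA is not
    one of the mesh trust roots (the two CAs should be separate)."""
    agent_fps = set(pem_fingerprints(agent_ca_pem))
    active_id = roots_response["ActiveRootID"]
    report = {"active_root": None, "agent_ca_in_connect_roots": False, "roots": []}
    for root in roots_response["Roots"]:
        fps = pem_fingerprints(root["RootCert"])
        if root["ID"] == active_id:
            report["active_root"] = root["Name"]
        if agent_fps & set(fps):
            report["agent_ca_in_connect_roots"] = True
        report["roots"].append((root["ID"], root["Active"], fps[0] if fps else None))
    return report


def _fake_pem(label):
    # Constructed stand-in for a DER certificate body; real runs read actual PEM files.
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


AGENT_CA_PEM = _fake_pem("constructed agent RPC CA from consul tls ca create")
ROOTS_RESPONSE = {  # field names follow /v1/connect/ca/roots; values are constructed
    "ActiveRootID": "aa:bb:01",
    "TrustDomain": "constructed.consul",
    "Roots": [
        {"ID": "aa:bb:00", "Name": "Consul CA Root Cert", "Active": False,
         "RootCert": _fake_pem("constructed retired connect root")},
        {"ID": "aa:bb:01", "Name": "Consul CA Root Cert", "Active": True,
         "RootCert": _fake_pem("constructed active connect root")},
    ],
}

if __name__ == "__main__":
    print(json.dumps(classify(AGENT_CA_PEM, ROOTS_RESPONSE), indent=2))
```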
You can also switch the Connect CA to an external Vault instance, but that requires a lot more configuration, for example:

    connect {
      enabled     = true
      ca_provider = "vault"
      ca_config {
        address               = "http://localhost:8200"
        token                 = "<vault-token-with-necessary-policy>"
        root_pki_path         = "connect-root"
        intermediate_pki_path = "connect-dc1-intermediate"
      }
    }
Finally, both CAs can be either Consul's built-in CA or an external CA.
Written by Bruce L
I’ve been rocking the DevOps journey for a decade, starting with building Cisco’s software-defined datacenters for multi-region OpenStack infrastructures. I then shifted to serverless and container deployments for finance institutions. Now, I’m deep into service meshes like Consul, automating with Ansible and Terraform, and running workloads on Kubernetes and Nomad. Stick around for some new tech and DevOps adventures!