Encrypt API gateway traffic on virtual machines
This topic describes how to make TLS certificates available to API gateways so that requests between the user and the gateway endpoint are encrypted.
- Consul 1.15 or later
- You must have a certificate and key from your CA
- A Consul cluster with service mesh enabled. Refer to
- Network connectivity between the machine deploying the API gateway and a Consul cluster agent or server
If ACLs are enabled, you must present a token with the following permissions to configure Consul and deploy API gateways:
Refer to Mesh Rules for additional information about configuring policies that enable you to interact with Consul API gateway configurations.
- Create an inline-certificate configuration entry and specify the following fields:
  - Kind: Specifies the type of configuration entry. This must be set to inline-certificate.
  - Name: Specify the name in the API gateway listener configuration to bind the certificate to that listener.
  - Certificate: Specifies the inline public certificate to use for TLS as plain text.
  - PrivateKey: Specifies the inline private key to use for TLS as plain text.
- Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the inline-certificate configuration entry reference for additional information.
- Save the configuration.
The following example defines a certificate named my-certificate. API gateway configurations that specify inline-certificate in the Certificate.Kind field and my-certificate in the Certificate.Name field are able to use the certificate.
```hcl
Kind = "inline-certificate"
Name = "my-certificate"
Certificate = <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
PrivateKey = <<EOF
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
EOF
```
Run the consul config write command to enable listeners to use the certificate. The following example writes the configuration called my-certificate:

```shell-session
$ consul config write my-certificate.hcl
```
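The following Python script is an added example, not Consul's own code: it checks the PEM material structurally (leaf certificate first, no private key pasted into the Certificate field, exactly one key in PrivateKey, no bare EOF line that would end the HCL heredoc early) and renders the inline-certificate entry in the shape shown above. The PEM blocks are constructed placeholders, and the checks do not prove that the key actually matches the certificate.

```python
"""Build and sanity-check a Consul inline-certificate configuration entry."""
import re

# Constructed placeholder PEM blocks shaped like real PEM (not a real cert/key).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedLeaf==\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedKey==\n-----END RSA PRIVATE KEY-----\n"

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)


def pem_labels(pem: str) -> list[str]:
    """Return the BEGIN/END labels of every PEM block in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem)]


def validate(cert_pem: str, key_pem: str) -> None:
    """Reject mistakes that yield a listener whose TLS handshake fails or that
    leak a key: a key pasted into Certificate, a chain that is not leaf-first,
    or a PrivateKey field holding anything but exactly one private key."""
    cert_labels = pem_labels(cert_pem)
    if not cert_labels or cert_labels[0] != "CERTIFICATE":
        raise ValueError("Certificate must start with the leaf CERTIFICATE block")
    if any("PRIVATE KEY" in label for label in cert_labels):
        raise ValueError("Certificate field contains a private key block")
    key_labels = pem_labels(key_pem)
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError("PrivateKey must contain exactly one private key block")
    for text in (cert_pem, key_pem):
        # A line consisting only of EOF would terminate the HCL heredoc early.
        if re.search(r"^EOF$", text, re.M):
            raise ValueError("PEM contains a bare 'EOF' line")


def inline_certificate_hcl(name: str, cert_pem: str, key_pem: str) -> str:
    """Render the inline-certificate entry; the private key ends up in plain
    text in Consul's state, so restrict who may write and read this entry."""
    validate(cert_pem, key_pem)
    return (
        'Kind = "inline-certificate"\n'
        f'Name = "{name}"\n'
        f"Certificate = <<EOF\n{cert_pem.strip()}\nEOF\n"
        f"PrivateKey = <<EOF\n{key_pem.strip()}\nEOF\n"
    )


if __name__ == "__main__":
    print(inline_certificate_hcl("my-certificate", CERT_PEM, KEY_PEM))
```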