Consul
Rotate TLS Certificates for Consul on Virtual machines (VMs)
To maintain the security offered by TLS encryption, we recommend that you rotate TLS certificates often.
TLS certificates are part of Consul's reloadable configuration, so you do not need to restart the Consul agents when you renew certificates. As a result, there is no risk of downtime.
Rotate certificates for Consul server agents
To rotate certificates for Consul server agents, complete the following steps:
- Generate new certificates for all server agents to replace the old ones.
- Distribute the new certificates to the server nodes.
- Reload Consul configuration on each server with the `consul reload` command.
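One way to script the distribute and reload steps on a single server, shown as an added example rather than HashiCorp's own code. The directory `/etc/consul.d/tls`, the file names, the `RELOAD_CMD` override and the function names are assumptions; the script keeps the previous pair and restores it if the install or `consul reload` fails.

```shell
#!/usr/bin/env bash
# Added example: swap one server's TLS pair on disk, then reload the agent.
# Assumed (not from the page): directory, file names, and the RELOAD_CMD override.
TLS_DIR="${TLS_DIR:-/etc/consul.d/tls}"    # where the agent's cert and key files live
CERT_NAME="${CERT_NAME:-server.pem}"
KEY_NAME="${KEY_NAME:-server-key.pem}"
RELOAD_CMD="${RELOAD_CMD:-consul reload}"  # override to rehearse without an agent

# stage_file SRC DEST MODE: copy beside DEST, fix the mode, then rename over DEST.
# mktemp creates the temp file 0600, so a key is never readable by others mid-copy.
stage_file() {
  local src="$1" dest="$2" mode="$3" tmp
  tmp="$(mktemp "${dest}.XXXXXX")" || return 1
  if cp "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest"; then
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# restore_pair CERT KEY: put the backed-up pair back in place.
restore_pair() {
  mv -f "$1.bak" "$1" && mv -f "$2.bak" "$2"
}

# rotate_server_cert NEW_CERT NEW_KEY
# Returns 0 on success, 1 on bad input, 2 when the old pair was restored.
rotate_server_cert() {
  local new_cert="$1" new_key="$2"
  local cert="$TLS_DIR/$CERT_NAME" key="$TLS_DIR/$KEY_NAME"
  # Check inputs before touching the live files.
  if ! { [ -s "$new_cert" ] && [ -s "$new_key" ] && [ -f "$cert" ] && [ -f "$key" ]; }; then
    echo "missing or empty certificate/key file" >&2
    return 1
  fi
  # Keep the current pair so a failed install or reload can be undone.
  cp -p "$cert" "$cert.bak" && cp -p "$key" "$key.bak" || return 1
  if stage_file "$new_cert" "$cert" 0644 && stage_file "$new_key" "$key" 0600 \
      && $RELOAD_CMD; then
    rm -f "$cert.bak" "$key.bak"   # do not leave the retired private key on disk
    return 0
  fi
  echo "install or reload failed; restoring previous pair" >&2
  restore_pair "$cert" "$key"
  return 2
}

# Run directly as: rotate.sh NEW_CERT NEW_KEY
if [ "$#" -eq 2 ]; then rotate_server_cert "$1" "$2"; fi
```

Run it as the account that owns the agent's TLS files, because the rename replaces each file with one owned by the invoking user.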
Rotate certificates for Consul client agents
To rotate certificates for Consul client agents, complete the following steps:
When using the auto-encryption method, Consul automatically rotates the client certificates without operator intervention.