Consul
Bootstrap certificate authority on virtual machines (VM)
Consul service mesh comes with a built-in Certificate Authority (CA) that will bootstrap by default when you first enable Consul service mesh on your servers.
To use the built-in CA, enable it in the server's configuration.
connect {
  enabled = true
}
This configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability in an existing datacenter.
When a server with Consul service mesh enabled becomes the leader, it bootstraps a new CA and generates its own private key, which is written to the Raft state.
Alternatively, an external private key can be provided via the CA configuration.
External CAs: Consul has been designed with a pluggable CA component so external CAs can be integrated. For production workloads, we recommend using Vault or another external CA, once available, so that the root key is not stored within Consul state at all.
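As an added example (not part of the original page), this server configuration switches the CA provider to Vault so the root key stays out of the Raft state. The Vault address, token, PKI mount names, and file path are placeholders assumed for illustration.

```hcl
# Server agent configuration (constructed example; all values are placeholders).
connect {
  enabled = true

  # Use Vault instead of the built-in "consul" provider so the root
  # private key is held by Vault and never written to Consul's Raft state.
  ca_provider = "vault"

  ca_config {
    # Assumed Vault address. Use TLS so the token and signing requests
    # are protected in transit.
    address = "https://vault.example.internal:8200"

    # Placeholder. Supply a token whose Vault policy is limited to the
    # two PKI mounts below, and keep this file readable only by the
    # Consul service account.
    token = "<VAULT_TOKEN_PLACEHOLDER>"

    # PKI mount that holds the root certificate and key (assumed name).
    root_pki_path = "connect-root"

    # PKI mount for the intermediate CA that signs leaf certificates
    # (assumed name).
    intermediate_pki_path = "connect-intermediate"

    # CA certificate used to verify Vault's TLS certificate (assumed path).
    ca_file = "/etc/consul.d/tls/vault-ca.pem"
  }
}
```

After the servers pick up the change, `consul connect ca get-config` reports the active provider, which confirms that the datacenter is no longer using the built-in CA.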