Consul Connect: Explain how to generate a custom certificate #8492

Open
leoblanc opened this issue Aug 12, 2020 · 3 comments
Labels
theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies

Comments


leoblanc commented Aug 12, 2020

Overview

This is a documentation enhancement request. This page says:

Consul ships with a built-in CA system so that Connect can be easily enabled out of the box. The built-in CA generates and stores the root certificate and private key on Consul servers. It can also be configured with a custom certificate and private key if needed.

That's what I'm trying to achieve: providing a custom certificate to Consul Connect. The same page says below:

Currently consul requires that root certificates are valid SPIFFE SVID Signing certificates and that the URI encoded in the SAN is the cluster identifier created at bootstrap with the ".consul" TLD. In this example, we will set the URI SAN to spiffe://36cb52cd-4058-f811-0432-6798a240c5d3.consul.

Request

I have two questions/blockers. If you can add this info to the documentation, I'm sure it will be very useful for others:

  1. How can I get the cluster identifier created at bootstrap? I have reviewed Consul's API and I can't find an endpoint to get that information. I have reviewed Consul's logs and I can't find it either. Where can I find this UUID?

  2. Maybe this is out of scope for Consul's documentation, but can you at least provide a link to a page that explains how to generate a SPIFFE certificate?

Thank you very much in advance!
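
What the quoted requirement looks like in a certificate, as an added example that is not part of the issue or of Consul's code: it self-signs a root whose only URI SAN is `spiffe://<cluster-id>.consul` and checks a certificate for the CA flag, the certificate-signing key usage and that exact, path-free URI SAN, using only Go's standard library. The function names, the ECDSA P-256 key, and the subject, serial and lifetime values are assumptions; the cluster ID is the one quoted above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// NewRoot (hypothetical helper) self-signs a CA with the single URI SAN spiffe://<clusterID>.consul.
func NewRoot(clusterID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key type is an assumption
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example root"}, // assumed values
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), // assumed lifetime
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		URIs: []*url.URL{{Scheme: "spiffe", Host: clusterID + ".consul"}},
	}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	c, err := x509.ParseCertificate(der) // round-trip so the check sees the encoded form
	return c, key, err
}

// CheckRoot rejects c unless it is a CA whose one URI SAN is exactly spiffe://<clusterID>.consul.
func CheckRoot(c *x509.Certificate, clusterID string) error {
	if !c.BasicConstraintsValid || !c.IsCA || c.KeyUsage&x509.KeyUsageCertSign == 0 || len(c.URIs) != 1 {
		return fmt.Errorf("need a CA signing certificate with exactly one URI SAN")
	}
	if got, want := c.URIs[0].String(), "spiffe://"+clusterID+".consul"; got != want {
		return fmt.Errorf("URI SAN %q, want %q (no path component)", got, want)
	}
	return nil
}

func main() {
	const id = "36cb52cd-4058-f811-0432-6798a240c5d3" // cluster ID quoted in the issue
	c, _, err := NewRoot(id)
	fmt.Println("generated:", err == nil, "check passed:", err == nil && CheckRoot(c, id) == nil)
}
```

`CheckRoot` can be run against any parsed root before handing it to Consul; the private key returned by `NewRoot` has to be stored as carefully as any CA key.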

@jsosulska jsosulska added theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies labels Aug 18, 2020
@ashwinkupatkar

I am also facing a similar issue.

Thanks @leoblanc for raising the issue.

@ashwinkupatkar

Hey @leoblanc,

If this issue is unresolved for you, please check this thread: https://discuss.hashicorp.com/t/trouble-getting-consul-connect-and-envoy-to-work/6415/28

I could get past the issue of generating custom root SPIFFE SVID signing certificates when using the built-in Connect CA.

Special thanks to quinndiggity for all the assistance with the issue.

@leoblanc
Author

@ashwinkupatkar Thank you very much! I'm reading it. And thanks to quinndiggity too.
