
Ensure CA provider config changes result in certificate regeneration across all CA providers #9572

Open
2 of 3 tasks
preetapan opened this issue Jan 15, 2021 · 2 comments
Labels
theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies theme/reliability

Comments

preetapan (Member) commented Jan 15, 2021

Currently, changes to two different fields, private-key-bits and private-key-type, in the CA provider config for Consul Connect don't result in regenerating root certificates.

This results in confusing UX because changes don't take effect after the config is updated, and leads to mismatched expectations, particularly when the changes affect the type of encryption used etc.

All providers implement this logic differently, and we will need to create follow-up issues per provider to make sure nuances like the intermediate mount point in the Vault CA provider are updated correctly.

  • consul builtin
  • vault
  • AWS PCA
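A defender-side check for the mismatch this issue describes, added here as an example and not code from Consul or from anyone in this thread: it parses the active root certificate and compares its key type and size against the configured private-key-type and private-key-bits, so a config change that did not regenerate the root is detected instead of being silently ignored. The function names and the self-signed sample root are assumptions constructed for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NeedsRegeneration reports whether the active root certificate's key no longer matches the
// configured private-key-type ("ec" or "rsa") and private-key-bits, so a new root is due.
func NeedsRegeneration(keyType string, keyBits int, rootPEM []byte) (bool, error) {
	block, _ := pem.Decode(rootPEM)
	if block == nil {
		return false, fmt.Errorf("no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	typ, bits := "", 0
	switch pub := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		typ, bits = "ec", pub.Curve.Params().BitSize // 256 for P-256, 521 for P-521
	case *rsa.PublicKey:
		typ, bits = "rsa", pub.N.BitLen()
	default:
		return false, fmt.Errorf("unsupported key type %T", pub)
	}
	return typ != keyType || bits != keyBits, nil
}

// SelfSignedEC builds a constructed self-signed EC root on the given curve (sample input only).
func SelfSignedEC(curve elliptic.Curve) []byte {
	key, _ := ecdsa.GenerateKey(curve, rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// A P-521 root under a config asking for 256-bit EC keys: the drift this issue is about.
	changed, err := NeedsRegeneration("ec", 256, SelfSignedEC(elliptic.P521()))
	fmt.Println(changed, err) // true <nil>
}
```

Running this check after every CA config write (or periodically against the stored root) turns the silent no-op into an alert or a forced regeneration.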
@preetapan preetapan added theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies theme/reliability labels Jan 15, 2021
@rboyer rboyer added the theme/certificates Related to creating, distributing, and rotating certificates in Consul label Mar 26, 2021
rboyer added a commit that referenced this issue Jun 1, 2021
…/bits for the vault connect CA provider

progress on #9572
rboyer added a commit that referenced this issue Jun 30, 2021
…/bits for the vault connect CA provider

progress on #9572
rboyer added a commit that referenced this issue Jul 13, 2021
…/bits for the vault connect CA provider

progress on #9572
rboyer added a commit that referenced this issue Jul 13, 2021
…/bits for the vault connect CA provider (#10331)

progress on #9572
rboyer added a commit that referenced this issue Jul 13, 2021
tristanmorgan (Member) commented

Hi @preetapan, should the changes in private-key-bits always result in the root CA (as opposed to the Consul-controlled intermediate CA) requiring a reconfiguration?

My example is: I have a Root CA that has EC, 521 bit keys for its certificate, while my Intermediate, still EC, uses 256 bit keys and generates leaf certs with the same EC 256.

With the changes in #10331 I now get the error "cannot update the PrivateKeyBits field without choosing a new PKI mount for the root CA" when I try to use the same Root CA mount for Consul Connect.

dnephin (Contributor) commented Feb 1, 2022

Thank you for reporting this problem! I just wrote up #12246 which I believe may describe the problem you encountered. Given these problems, I think we may need to either change this validation, or remove it.
