mirror of https://github.com/hashicorp/consul
128 lines
4.2 KiB
Markdown
128 lines
4.2 KiB
Markdown
---
|
|
layout: commands
|
|
page_title: 'Commands: Connect CA'
|
|
description: >
|
|
The connect CA subcommand is used to view and modify the Connect Certificate
|
|
Authority (CA) configuration.
|
|
---
|
|
|
|
# Consul Connect Certificate Authority (CA)
|
|
|
|
Command: `consul connect ca`
|
|
|
|
The CA connect command is used to interact with Consul Connect's Certificate Authority
|
|
subsystem. The command can be used to view or modify the current CA configuration. See the
|
|
[Connect CA documentation](/consul/docs/connect/ca) for more information.
|
|
|
|
```text
|
|
Usage: consul connect ca <subcommand> [options] [args]
|
|
|
|
This command has subcommands for interacting with Consul Connect's
|
|
Certificate Authority (CA).
|
|
|
|
Here are some simple examples, and more detailed examples are available
|
|
in the subcommands or the documentation.
|
|
|
|
Get the configuration:
|
|
|
|
$ consul connect ca get-config
|
|
|
|
Update the configuration:
|
|
|
|
$ consul connect ca set-config -config-file ca.json
|
|
|
|
For more examples, ask for subcommand help or view the documentation.
|
|
|
|
Subcommands:
|
|
get-config Display the current Connect Certificate Authority (CA) configuration
|
|
set-config Modify the current Connect CA configuration
|
|
```
|
|
|
|
## get-config
|
|
|
|
This command displays the current CA configuration.
|
|
|
|
The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
|
|
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
|
|
are not supported from commands, but may be from the corresponding HTTP endpoint.
|
|
|
|
| ACL Required |
|
|
| ---------------- |
|
|
| `operator:write` |
|
|
|
|
Usage: `consul connect ca get-config [options]`
|
|
|
|
Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/ca/configuration](/consul/api-docs/connect/ca#get-ca-configuration)
|
|
|
|
#### API Options
|
|
|
|
@include 'http_api_options_client.mdx'
|
|
|
|
@include 'http_api_options_server.mdx'
|
|
|
|
The output looks like this:
|
|
|
|
```
|
|
{
|
|
"Provider": "consul",
|
|
"Config": {},
|
|
"CreateIndex": 5,
|
|
"ModifyIndex": 197
|
|
}
|
|
```
|
|
|
|
## set-config
|
|
|
|
Modifies the current CA configuration. If this results in a new root certificate
|
|
being used, the [Root Rotation](/consul/docs/connect/ca#root-certificate-rotation) process
|
|
will be triggered.
|
|
|
|
The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
|
|
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
|
|
are not supported from commands, but may be from the corresponding HTTP endpoint.
|
|
|
|
| ACL Required |
|
|
| ---------------- |
|
|
| `operator:write` |
|
|
|
|
Usage: `consul connect ca set-config [options]`
|
|
|
|
Corresponding HTTP API Endpoint: [\[PUT\] /v1/connect/ca/configuration](/consul/api-docs/connect/ca#update-ca-configuration)
|
|
|
|
The output looks like this:
|
|
|
|
```
|
|
Configuration updated!
|
|
```
|
|
|
|
The return code will indicate success or failure.
|
|
|
|
~> **If currently using Vault CA provider:**
|
|
If you intend to change the CA provider from Vault to another,
|
|
or to change the Vault provider's [`RootPKIPath`](/consul/docs/connect/ca/vault#rootpkipath),
|
|
you must temporarily elevate the privileges of the Vault token
|
|
or auth method in use as described in the
|
|
[Vault CA provider documentation](/consul/docs/connect/ca/vault#additional-vault-acl-policies-for-sensitive-operations).
|
|
|
|
#### Command Options
|
|
|
|
- `-config-file` - (required) Specifies a JSON-formatted file to use for the new configuration.
|
|
The format of this config file matches the request payload documented in the
|
|
[Update CA Configuration API](/consul/api-docs/connect/ca#update-ca-configuration).
|
|
|
|
- `-force-without-cross-signing` `(bool: <optional>)` - Indicates that the CA change
|
|
should be forced to complete even if the current CA doesn't support root cross-signing.
|
|
|
|
~> **Caution:** Use of this flag will cause temporary connection failures
|
|
until service mesh proxies and/or Consul client agents receive a new certificate
|
|
that establishes trust with the new root.
|
|
Do not use this flag unless you are sure you need it.
|
|
Refer to [Forced Rotation Without Cross-Signing](/consul/docs/connect/ca#forced-rotation-without-cross-signing)
|
|
for more detail.
|
|
|
|
#### API Options
|
|
|
|
@include 'http_api_options_client.mdx'
|
|
|
|
@include 'http_api_options_server.mdx'
|