Difficulty: Beginner
Estimated Time: 10 minutes

Secure Consul Agent Communication with TLS

In this hands-on lab, you will deploy a Consul datacenter that uses Vault to generate and manage certificates to secure agent communication.

This lab will guide you through the steps necessary to deploy Consul with TLS encryption enabled to secure agent-to-agent communication, including RPC requests and the consensus protocol.

Specifically, you will:

  • Start a Vault dev instance
  • Create a policy in Vault to allow certificate generation
  • Enable the PKI secrets engine in Vault
  • Initialize the CA and generate an intermediate certificate
  • Generate certificates for your Consul servers
  • Use consul-template to retrieve certificates at runtime
  • Perform a certificate rotation

If you are already familiar with the basics of Consul but are not familiar with TLS encryption, review the Secure Consul Agent Communication with TLS Encryption tutorial.

Review

In this hands-on lab, you deployed a secure Consul datacenter using Vault to generate and manage certificates.

The lab guided you through the steps necessary to deploy Consul with TLS encryption enabled to authorize access to the UI, API, CLI, services, and agents.

Specifically, you:

  • Started a Vault dev instance
  • Created a policy in Vault to allow certificate generation
  • Enabled the PKI secrets engine in Vault
  • Initialized the CA and generated an intermediate certificate
  • Generated certificates for your Consul servers
  • Used consul-template to retrieve certificates at runtime
  • Performed a certificate rotation

Next Steps

Now that you have tested TLS encryption in this interactive environment, use the tutorial at https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure to configure TLS encryption in your Consul datacenter.

Generate Certificates with Vault's PKI Secrets Engine for Consul TLS Encryption

Step 1 of 8

Lab Infrastructure Provisioning

There are a few components that need to be added to the environment; we are adding them now. Wait for the complete message and then move to the next step.

Example Output

 - Install prerequisites
 - Install Consul locally
 - Installing Consul x.y.z
 - Installing consul-template x.y.z
 - Installing Vault locally
 - Installing Vault x.y.z

and concluding with

- Complete! Move on to the next step.

Once this message appears, you are ready to continue.

Configuration files

While you wait for provisioning to complete, you can review the configuration files you are going to use for the lab:

File                  Description
ca.crt.tpl            Template for CA certificate
agent.crt.tpl         Template for agent certificate
agent.key.tpl         Template for agent key
consul_template.hcl   consul-template configuration file
cli.crt.tpl           Template for CLI certificate
cli.key.tpl           Template for CLI key
server.json           Server agent configuration file
server-tls.json       Server agent TLS configuration file
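
A sketch of how a consul_template.hcl can tie the agent templates listed above to certificate retrieval and rotation, added here as an example and not the lab's own file. The Vault address, the directories, the `pki_int` mount, the `consul-dc1` role and the `server.dc1.consul` common name are assumptions; only the template file names come from the table.

```hcl
# consul_template.hcl (constructed example; paths, mount and role are assumptions)

# How consul-template reaches Vault. The token is taken from the VAULT_TOKEN
# environment variable so that it is never written into this file.
vault {
  address      = "http://127.0.0.1:8200"
  renew_token  = false
  unwrap_token = false
}

# Each template below is assumed to wrap one field of the same issue request:
#   {{ with secret "pki_int/issue/consul-dc1" "common_name=server.dc1.consul" "ttl=24h" }}
#   {{ .Data.issuing_ca }}{{ end }}      <- ca.crt.tpl
#   {{ .Data.certificate }}{{ end }}     <- agent.crt.tpl
#   {{ .Data.private_key }}{{ end }}     <- agent.key.tpl
# Keep the secret path and arguments identical in all three files so the
# certificate and the private key come from the same issue request.

# CA certificate that agents use to verify their peers.
template {
  source      = "/opt/consul/templates/ca.crt.tpl"
  destination = "/opt/consul/agent-certs/ca.crt"
  perms       = 0644
  command     = "consul reload"
}

# Agent certificate. The short TTL in the template is what drives rotation:
# consul-template requests a new certificate before the current one expires,
# rewrites the file and runs the reload command.
template {
  source      = "/opt/consul/templates/agent.crt.tpl"
  destination = "/opt/consul/agent-certs/agent.crt"
  perms       = 0644
  command     = "consul reload"
}

# Agent private key: readable by the Consul user only.
template {
  source      = "/opt/consul/templates/agent.key.tpl"
  destination = "/opt/consul/agent-certs/agent.key"
  perms       = 0600
  command     = "consul reload"
}
```

The destination paths are what the agent's TLS configuration would reference for its CA, certificate and key files, so a reload after each render picks up the rotated material without restarting the agent.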