
Secure agent communication with TLS

This page covers enabling TLS on an existing cluster. It does not cover certificate renewals. I suspect Consul-generated certs will be pretty long-lived, but who knows...

Generate the certificates

Following: https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure#initialize-the-built-in-ca

All certificate creation operations should be run on the same node, in the same working directory: `consul tls cert create` reads the CA certificate and key produced by `consul tls ca create` from the current directory.

  1. Create the built-in agent CA and key

    ```bash
    consul tls ca create
    ==> Saved consul-agent-ca.pem
    ==> Saved consul-agent-ca-key.pem
    ```

  2. Now create the agent server certificate

    This certificate will be used by the Consul server agents.

    ```bash
    consul tls cert create -server -dc=yourfavdc
    ==> WARNING: Server Certificates grants authority to become a server and access all state in the cluster including root keys and all ACL tokens. Do not distribute them to production hosts that are not server nodes. Store them as securely as CA keys.
    ==> Using consul-agent-ca.pem and consul-agent-ca-key.pem
    ==> Saved yourfavdc-server-consul-0.pem
    ==> Saved yourfavdc-server-consul-0-key.pem
    ```
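The two steps above as one script, with the check a practitioner wants afterwards. This is an added example, not code from the original page or from HashiCorp: it assumes `consul` and `openssl` are on `PATH`, reuses the page's placeholder datacenter name `yourfavdc`, and verifies with openssl that the server certificate chains to the agent CA, carries the `server.<dc>.consul` SAN that server agents present to each other, and is not about to expire (the renewal case the page leaves out).

```shell
#!/bin/sh
# Added example, not from the original page: runs the two certificate steps
# above and checks the result with openssl. Assumes `consul` and `openssl` are
# on PATH and uses the page's placeholder datacenter name "yourfavdc".
set -eu

# Steps 1 and 2 from the page. Both commands must run in the same directory on
# the same node, because `cert create` reads consul-agent-ca.pem and
# consul-agent-ca-key.pem from the working directory.
generate_consul_certs() {
    local dc="$1"
    consul tls ca create                      # writes consul-agent-ca.pem and -key.pem
    consul tls cert create -server -dc="$dc"  # writes ${dc}-server-consul-0.pem and -key.pem
    # The server key grants full server authority (see the WARNING the command
    # prints), so it gets the same file permissions as the CA key.
    chmod 0600 consul-agent-ca-key.pem "${dc}-server-consul-0-key.pem"
}

# Returns 0 if $2 chains to the CA in $1 and carries the SAN server.<dc>.consul
# that server agents present to each other; 1 on a bad chain, 2 on a missing SAN.
verify_server_cert() {
    local ca="$1" cert="$2" dc="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:server\.${dc}\.consul" || return 2
}

# Returns 0 if the certificate stays valid for at least $2 more days, 1 otherwise.
# The page does not cover renewals, so this is the check to put on a schedule.
cert_valid_beyond_days() {
    local cert="$1" days="$2"
    openssl x509 -in "$cert" -noout -checkend "$(( days * 86400 ))" >/dev/null 2>&1
}

# Only run the Consul commands when invoked as: sh this-script.sh generate [dc]
if [ "${1:-}" = "generate" ]; then
    dc="${2:-yourfavdc}"
    generate_consul_certs "$dc"
    verify_server_cert consul-agent-ca.pem "${dc}-server-consul-0.pem" "$dc"
    cert_valid_beyond_days "${dc}-server-consul-0.pem" 30
    echo "server certificate for $dc verified"
fi
```

`verify_server_cert` is the check to run after step 2 on the node that generated the files; a non-zero result means the server certificate was signed by a different CA than the one the cluster will trust, or was created with a different `-dc` than the datacenter the servers will join, and either mistake shows up later as agents refusing each other's TLS connections.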