ca: relax (or remove) validation of PrivateKeyType/PrivateKeyBits #12246
Labels
theme/certificates
Related to creating, distributing, and rotating certificates in Consul
type/bug
Feature does not function as expected
This was added in #10331 as part of #9572.
The current validation works well if Consul is responsible for generating the root CA, but there's no requirement to have Consul generate the root CA. For both the built-in and Vault providers the user can set up the root CA ahead of time, and Consul will use the already configured CA. This manual setup will be required for #11910 (#11598).
For the manually configured root CA scenario, this validation causes problems. An example of the problem can be seen in this test case:
consul/agent/consul/leader_connect_ca_test.go
Lines 649 to 652 in 2881f23
The user is required to specify these values in the Consul config exclusively to get past the validation. The config values will never be used by Consul for the root CA.
Another example is this comment on the issue. The validation is preventing the user from changing the key bits used to generate intermediate certificates.
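The following Go sketch is an added example, not code from Consul or from this issue. It shows that the key type and bits of a manually configured root can be read from the root certificate itself, and that a strict comparison against configured values passes only when the operator copies those values into the config. The names `keyInfoFromCert`, `configMatchesRoot` and `constructedRoot`, the sample values, and the strict-equality shape of the check are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyInfoFromCert (hypothetical helper) reads the key type and size from a certificate.
func keyInfoFromCert(cert *x509.Certificate) (string, int, error) {
	switch k := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		return "ec", k.Curve.Params().BitSize, nil
	case *rsa.PublicKey:
		return "rsa", k.N.BitLen(), nil
	}
	return "", 0, fmt.Errorf("unsupported public key type %T", cert.PublicKey)
}

// configMatchesRoot models (as an assumption) a strict check: config must equal the root's key.
func configMatchesRoot(root *x509.Certificate, cfgType string, cfgBits int) bool {
	t, b, err := keyInfoFromCert(root)
	return err == nil && t == cfgType && b == cfgBits
}

// constructedRoot builds a throwaway self-signed P-384 root (constructed sample input).
func constructedRoot() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "constructed root"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	root, err := constructedRoot()
	fmt.Println(err, err == nil && configMatchesRoot(root, "ec", 256))
}
```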