website: update docs for leaf cert TTL option

hashicorp · Jul 16, 2018 · 6465b13 · 6465b13
1 parent d6ca015
commit 6465b13
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 2 deletions.
diff --git a/website/source/api/connect/ca.html.md b/website/source/api/connect/ca.html.md
@@ -91,8 +91,7 @@ $ curl \
 {
     "Provider": "consul",
     "Config": {
-        "PrivateKey": null,
-        "RootCert": null,
+        "LeafCertTTL": "72h",
         "RotationPeriod": "2160h"
     },
     "CreateIndex": 5,
@@ -133,8 +132,10 @@ providers, see [Provider Config](/docs/connect/ca.html).
 {
     "Provider": "consul",
     "Config": {
+        "LeafCertTTL": "72h",
         "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----...",
         "RootCert": "-----BEGIN CERTIFICATE-----...",
+        "RotationPeriod": "2160h"
     }
 }
 ```

diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
@@ -717,6 +717,14 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
         `write` access to this backend, as well as permission to mount the backend at this path if it is not 
         already mounted.
 
+        #### Common CA Config Options
+
+        <p>There are also a number of common configuration options supported by all providers:</p>
+        
+        * <a name="ca_leaf_cert_ttl"></a><a href="#ca_leaf_cert_ttl">`leaf_cert_ttl`</a> The lease duration of
+        a leaf certificate issued for a service, after which a new certificate will be requested by the proxy.
+        Defaults to `72h`.
+
     * <a name="connect_proxy"></a><a href="#connect_proxy">`proxy`</a> This object allows setting options for the Connect proxies. The following sub-keys are available:
 
         * <a name="connect_proxy_allow_managed_registration"></a><a href="#connect_proxy_allow_managed_registration">`allow_managed_api_registration`</a> Allows managed proxies to be configured with services that are registered via the Agent HTTP API. Enabling this would allow anyone with permission to register a service to define a command to execute for the proxy. By default, this is false to protect against arbitrary process execution.

diff --git a/website/source/docs/connect/ca.html.md b/website/source/docs/connect/ca.html.md
@@ -88,6 +88,7 @@ $ curl http://localhost:8500/v1/connect/ca/configuration
 {
     "Provider": "consul",
     "Config": {
+        "LeafCertTTL": "72h",
         "RotationPeriod": "2160h"
     },
     "CreateIndex": 5,

diff --git a/website/source/docs/connect/ca/consul.html.md b/website/source/docs/connect/ca/consul.html.md
@@ -53,6 +53,9 @@ is used if configuring in an agent configuration file.
     bootstrap with the ".consul" TLD. The cluster identifier can be found
     using the [CA List Roots endpoint](/api/connect/ca.html#list-ca-root-certificates).
 
+There are also [common CA configuration options](/docs/agent/options.html#common-ca-config-options)
+that are supported by all CA providers.
+
 ## Specifying a Custom Private Key and Root Certificate
 
 By default, a root certificate and private key will be automatically
@@ -69,6 +72,7 @@ $ curl localhost:8500/v1/connect/ca/configuration
 {
     "Provider": "consul",
     "Config": {
+        "LeafCertTTL": "72h",
         "RotationPeriod": "2160h"
     },
     "CreateIndex": 5,
@@ -99,6 +103,7 @@ $ jq -n --arg key "$(cat root.key)"  --arg cert "$(cat root.crt)" '
 {
     "Provider": "consul",
     "Config": {
+        "LeafCertTTL": "72h",
         "PrivateKey": $key,
         "RootCert": $cert,
         "RotationPeriod": "2160h"
@@ -113,6 +118,7 @@ $ cat ca_config.json
 {
   "Provider": "consul",
   "Config": {
+    "LeafCertTTL": "72h",
     "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEArqiy1c3pbT3cSkjdEM1APALUareU...",
     "RootCert": "-----BEGIN CERTIFICATE-----\nMIIDijCCAnKgAwIBAgIJAOFZ66em1qC7MA0GCSqGSIb3...",
     "RotationPeriod": "2160h"