Update CA provider docs

Clarify that providers can differ between primary and secondary datacenters Provide a comparison chart for consul vs vault CA providers
hashicorp · Jun 21, 2023 · 9a1f688 · 9a1f688
1 parent f17b7f3
commit 9a1f688
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/website/content/docs/connect/ca/index.mdx b/website/content/docs/connect/ca/index.mdx
@@ -21,7 +21,7 @@ support for using
 [Vault as a CA](/consul/docs/connect/ca/vault). With Vault, the root certificate
 and private key material remain with the Vault cluster.
 
-### CA and Certificate relationship
+## CA and Certificate relationship
 
 This diagram shows the relationship between the CA certificates in a Consul primary datacenter and a
 secondary Consul datacenter.
@@ -34,9 +34,22 @@ services.
 - the Leaf Cert Client Agent is created by auto-encrypt and auto-config. It is used by
 client agents for HTTP API TLS, and for mTLS for RPC requests to servers.
 
-Any secondary datacenters receive an intermediate certificate, signed by the Primary Root
-CA, which is used as the CA certificate to sign leaf certificates in the secondary
-datacenter.
+Any secondary datacenters use their CA provider to generate an intermediate certificate
+signing request (CSR) to be signed by the Primary Root CA. They receive an intermediate
+CA certificate which is used to sign leaf certificates in the secondary datacenter.
+
+It is possible to use different providers across primary and secondary datacenters.
+For example, an operator may use a Vault CA provider for extra security in the primary
+datacenter but choose to use the built-in CA provider in the secondary datacenter which
+may not have a reachable Vault cluster. The pros and cons of both providers are listed below.
+
+## CA Provider Comparison
+
+|            | Consul built-in                    | Vault                                                                             |
+|------------|------------------------------------|-----------------------------------------------------------------------------------|
+| Security   | CA private keys are stored on disk | CA private keys are stored in Vault and are never exposed to Consul server agents |
+| Resiliency | No dependency on external systems; if Consul is available, it can sign certs | Dependent on Vault availability         |
+| Latency    | Certs are signed locally           | Cert signing operations require a network call to Vault                           |
 
 ## CA Bootstrapping