Setting Up Certificate-Based Access for Consul UI on Windows

Avatar
Rajat Singh
  • Updated

Overview

This article describes how to secure the Consul UI using TLS and mutual TLS (mTLS) and enable certificate-based access from a Windows machine. 

Prerequisites

  • Consul installed and running. Refer this.

Step 1: Create Certificates on the Linux Consul Server

Create a Certificate Authority (CA)

mkdir -p /opt/consul/tls
cd /opt/consul/tls

openssl genrsa -out consul-ca.key 4096

openssl req -x509 -new -nodes -key consul-ca.key \
  -sha256 -days 3650 \
  -subj "/CN=Consul-CA" \
  -out consul-ca.pem

Create the Consul Server Certificate

  1. Generate the server private key:

openssl genrsa -out consul-server.key 4096

  1. Create a certificate signing request (CSR):

openssl req -new -key consul-server.key \
  -subj "/CN=consul-server-1" \
  -out consul-server.csr

  1. Create a SAN configuration file (required for browsers):

cat > server-ext.cnf <<EOF
subjectAltName = IP:<Server-Pvt-IP>,DNS:consul-server-1
extendedKeyUsage = serverAuth, clientAuth
keyUsage = digitalSignature, keyEncipherment
EOF

  1. Sign the server certificate using the CA:

openssl x509 -req -in consul-server.csr \
  -CA consul-ca.pem -CAkey consul-ca.key -CAcreateserial \
  -out consul-server.pem -days 365 -sha256 \
  -extfile server-ext.cnf

Create the Client Certificate (for Windows Browser Access)

  1. Generate the client private key:

openssl genrsa -out consul-client.key 4096

  1. Create a CSR:

openssl req -new -key consul-client.key \
  -subj "/CN=consul-ui-user" \
  -out consul-client.csr

  1. Create a client extension config:

cat > client-ext.cnf <<EOF
extendedKeyUsage = clientAuth
EOF

  1. Sign the client certificate:

openssl x509 -req -in consul-client.csr \
  -CA consul-ca.pem -CAkey consul-ca.key -CAcreateserial \
  -out consul-client.pem -days 365 -sha256 \
  -extfile client-ext.cnf

Create a PKCS#12 File for Windows

Convert the client certificate into a Windows-compatible .pfx file:

openssl pkcs12 -export \
  -inkey consul-client.key \
  -in consul-client.pem \
  -certfile consul-ca.pem \
  -out consul-client.pfx

You will be prompted to set a password. This password is required during import on Windows.

2: Configure Consul for TLS and mTLS

Edit your Consul configuration file (e.g., /etc/consul.d/consul.hcl):

datacenter = "dc1"
data_dir   = "/opt/consul/data"
node_name  = "consul-server-1"

server     = true
bootstrap  = true

bind_addr   = "<Server-Pvt-IP>"
client_addr = "0.0.0.0"

ui_config {
  enabled = true
}

ports {
  http  = -1
  https = 8501
}

tls {
  defaults {
    ca_file   = "/opt/consul/tls/consul-ca.pem"
    cert_file = "/opt/consul/tls/consul-server.pem"
    key_file  = "/opt/consul/tls/consul-server.key"

    verify_incoming         = true
    verify_outgoing         = true
    verify_server_hostname  = true
  }

  https {
    verify_incoming = true
  }
}

Start Consul:

sudo systemctl start consul

3: Verify the Server Certificate

On the Consul server, validate the certificate extensions:

openssl x509 -in consul-server.pem -noout -text | grep -A2 "Extended Key Usage"

You must see:

  • TLS Web Server Authentication

  • TLS Web Client Authentication

4: Test Access from CLI

Test HTTPS access using the client certificate:

curl --cert consul-client.pem --key consul-client.key \
  --cacert consul-ca.pem \
  https://<Server-Pvt-IP>:8501/v1/status/leader

A successful response confirms mTLS is working.

5: Configure the Windows Machine

Copy Required Files to Windows

Copy the following files from the Linux Consul server to Windows:

  • consul-client.pfx

  • consul-ca.pem

Suggested location:

C:\consul-tls\

Import the Client Certificate (Authentication)

  1. Double-click consul-client.pfx

  2. Click Next

  3. Select Current User

  4. Click Next

  5. Click Browse and select:

    • Personal

  6. Enter the PFX password

  7. Leave defaults selected

  8. Click Finish

You should see: The import was successful

Trust the Consul CA (TLS Trust)

- Press Win + R, type mmc, press Enter
- Go to File → Add/Remove Snap-in
- Select Certificates, click Add
- Choose Computer account → Local computer
- Navigate to:
    Trusted Root Certification Authorities → Certificates
- Right-click Certificates → All Tasks → Import
- Browse to C:\consul-tls\consul-ca.pem
    File type: All Files or Base-64 encoded X.509
- Complete the wizard

You should see: The import was successful

Verify Certificates (Sanity Check)

Client Certificate

  • Press Win + R, type certmgr.msc

  • Navigate to:

    • Personal → Certificates

  • Confirm:

    • consul-ui-user exists

CA Certificate

  • Press Win + R, type certlm.msc

  • Navigate to:

    • Trusted Root Certification Authorities → Certificates

  • Confirm:

    • Consul-CA exists

Restart the Browser

Mandatory Step: Close all browser windows completely. Browsers cache certificate state.

Access the Consul UI

  1. Open Chrome or Edge

  2. Navigate to:

https://<Server-Pvt-IP>:8501

  1. When prompted, select the certificate:

    • consul-ui-user

  2. Click OK

Expected Result

  • With a valid client certificate: Consul UI loads successfully

  • Without a client certificate: Access is denied with error, "."

6. References

https://developer.hashicorp.com/consul/docs/secure/encryption/tls/enable/new/openssl
https://developer.hashicorp.com/consul/docs/secure/encryption/tls/enable/existing/vm

Articles in this section

See more