Update cert.mdx

[johncooler]

Description

-domain flag is required not only for server certificate creation

Testing & Reproduction steps

# create CA with DNS constraint
consul tls ca create -name-constraint -domain consul.local

# create server certificates respectively
consul tls cert create  -domain consul.local -ca consul.local-agent-ca.pem  -key consul.local-agent-ca-key.pem -server
consul tls cert create  -domain consul.local -ca consul.local-agent-ca.pem  -key consul.local-agent-ca-key.pem -server
consul tls cert create  -domain consul.local -ca consul.local-agent-ca.pem  -key consul.local-agent-ca-key.pem -server

# fails
consul tls cert create   -ca consul.local-agent-ca.pem  -key consul.local-agent-ca-key.pem -client

# works
consul tls cert create  -domain consul.local -ca consul.local-agent-ca.pem  -key consul.local-agent-ca-key.pem -client

Links

PR Checklist

• updated test coverage
• external facing docs updated
• appropriate backport labels added
• not a security concern

[johncooler]

I also see conditional problem with client certificate issuing

I can't use -node parameter to set different subdomain in SubjectAltName field
each client certificate have the same client.dc1.consul DNS name

If try to create such certificates through -server command parameter, CN field would match server certificates, I don't want it

Now I try to use cfssl utility with 2 intermediate certificates, I sure it would work

[johncooler]

@tgross I had successful conversation with you before, so I hope you can help with that issue

[tgross]

Hi @johncooler! Thanks for the PR. There's a set of required reviewers for this repo, and just due to internal arrangement of teams I'm not in that list. 😀 It looks like this has been appropriately tagged for review, so I imagine they'll come along once they're available.

[johncooler]

@tgross thanks a lot, let's be in touch