Separate client certificates
The Consul documentation is strongly against using server certs on clients:
In order to authenticate Consul servers, servers are provided with a special certificate - one that contains server.dc1.consul in the Subject Alternative Name. If you enable verify_server_hostname, only agents that provide such certificate are allowed to boot as a server. Without verify_server_hostname = true an attacker could compromise a Consul client agent and restart the agent as a server in order to get access to all the data in your cluster! This is why server certificates are special, and only servers should have them provisioned.
https://learn.hashicorp.com/consul/advanced/day-1-operations/certificates#step-2-create-individual-server-certificates
It would be nice to be able to use separate certs for agents.
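The rule in the quoted documentation can be checked before certificates are distributed. The following Go sketch is an added example, not part of the original request and not Consul's own code: it flags a client certificate that would be accepted as `server.<dc>.<domain>` and a server certificate that would not. The names `CheckRole` and `selfSigned`, and the sample SANs other than `server.dc1.consul`, are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// CheckRole (hypothetical helper) returns an error when a certificate does not
// fit the agent's role: a server must be valid for server.<dc>.<domain>, a client
// must not be. VerifyHostname applies TLS name matching, so wildcard SANs count.
func CheckRole(cert *x509.Certificate, isServer bool, dc, domain string) error {
	name := "server." + dc + "." + domain
	valid := cert.VerifyHostname(name) == nil
	switch {
	case isServer && !valid:
		return fmt.Errorf("server certificate is not valid for %s", name)
	case !isServer && valid:
		return fmt.Errorf("client certificate is valid for %s", name)
	}
	return nil
}

// selfSigned builds a throwaway certificate with the given DNS SANs (constructed sample).
func selfSigned(sans ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSigned("*.dc1.consul") // constructed: wildcard cert handed to a client
	if err != nil {
		panic(err)
	}
	fmt.Println("as client:", CheckRole(cert, false, "dc1", "consul"))
}
```

In a real deployment the certificate would be parsed from the PEM file provisioned to each agent instead of being generated in memory.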