From 5ddd20e61c4f06dc6e16b0e7a8a05ac4386cb5e6 Mon Sep 17 00:00:00 2001 From: kitography Date: Mon, 6 Jan 2025 16:47:06 -0500 Subject: [PATCH 1/6] Add information about an enterprise feature related to validating issued certificates to the PKI API docs. --- website/content/api-docs/secret/pki/index.mdx | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/website/content/api-docs/secret/pki/index.mdx b/website/content/api-docs/secret/pki/index.mdx index abe7c34af202..5a7ff4cd1590 100644 --- a/website/content/api-docs/secret/pki/index.mdx +++ b/website/content/api-docs/secret/pki/index.mdx 
@@ -2758,6 +2758,33 @@ do so, import a new issuer and a new `issuer_id` will be assigned. ~> **Note**: If no cluster-local address is present and templating is used, issuance will fail. +- `disable_critical_extension_checks` `(bool: false)` + - This determines whether this issuer is able + to issue certificates where the chain of trust (including the issued + certificate) contain critical extensions not processed by vault, breaking the + behavior required by https://www.rfc-editor.org/rfc/rfc5280#section-6.1 . + +- `disable_path_length_checks` `(bool: false)` + - This determines whether this issuer is able + to issue certificates where the chain of trust (including the final issued + certificate) is longer than allowed by a certificate authority in that chain, + breaking the behavior required by + https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9 . + +- `disable_name_checks` `(bool: false)` + - This determines whether this issuer is able + to issue certificates where the chain of trust (including the final issued + certificate) contains a link in which the subject of the issuing certificate + does not match the named issuer of the certificate it signed, breaking the + behavior required by https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.4 . + +- `disable_name_constraint_checks` `(bool: false)` + - This determines whether this issuer is able + to issue certificates where the chain of trust (including the final issued + certificate) violates the name constraints critical extension of one of the + issuer certificates in the chain, breaking the behavior required by + https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10 . + #### Sample payload ```json From 29627725a820197bbbb5238fad91ac7c6fd91da2 Mon Sep 17 00:00:00 2001 
From: Kit Haines Date: Tue, 7 Jan 2025 12:12:16 -0500 Subject: [PATCH 2/6] Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark --- website/content/api-docs/secret/pki/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/api-docs/secret/pki/index.mdx b/website/content/api-docs/secret/pki/index.mdx index 5a7ff4cd1590..a2918e476f83 100644 --- a/website/content/api-docs/secret/pki/index.mdx +++ b/website/content/api-docs/secret/pki/index.mdx @@ -2762,7 +2762,7 @@ do so, import a new issuer and a new `issuer_id` will be assigned. - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by vault, breaking the - behavior required by https://www.rfc-editor.org/rfc/rfc5280#section-6.1 . + behavior required by [RFC 5280 Section 6.1](https://www.rfc-editor.org/rfc/rfc5280#section-6.1). - `disable_path_length_checks` `(bool: false)` - This determines whether this issuer is able From b3312be37e29c9c17c776bfd017b2f6903535985 Mon Sep 17 00:00:00 2001 From: Kit Haines Date: Tue, 7 Jan 2025 12:12:36 -0500 Subject: [PATCH 3/6] Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark --- website/content/api-docs/secret/pki/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/api-docs/secret/pki/index.mdx b/website/content/api-docs/secret/pki/index.mdx index a2918e476f83..c86273300765 100644 --- a/website/content/api-docs/secret/pki/index.mdx +++ b/website/content/api-docs/secret/pki/index.mdx 
@@ -2769,7 +2769,7 @@ do so, import a new issuer and a new `issuer_id` will be assigned. to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain, breaking the behavior required by - https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9 . + [RFC 5280 Section 4.2.1.9](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9). - `disable_name_checks` `(bool: false)` - This determines whether this issuer is able From 8df1868b97924fb5c23994c62666b0d0a4e4c133 Mon Sep 17 00:00:00 2001 From: Kit Haines Date: Tue, 7 Jan 2025 12:12:51 -0500 Subject: [PATCH 4/6] Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark --- website/content/api-docs/secret/pki/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/api-docs/secret/pki/index.mdx b/website/content/api-docs/secret/pki/index.mdx index c86273300765..1755926572ff 100644 --- a/website/content/api-docs/secret/pki/index.mdx +++ b/website/content/api-docs/secret/pki/index.mdx @@ -2783,7 +2783,7 @@ do so, import a new issuer and a new `issuer_id` will be assigned. to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain, breaking the behavior required by - https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10 . + [RFC 5280 Section 4.2.1.10](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10). #### Sample payload From b72ab0bc4c3414b11c8b9400dead9153a4646fa9 Mon Sep 17 00:00:00 2001 From: Kit Haines Date: Tue, 7 Jan 2025 12:13:10 -0500 Subject: [PATCH 5/6] Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark --- website/content/api-docs/secret/pki/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/website/content/api-docs/secret/pki/index.mdx b/website/content/api-docs/secret/pki/index.mdx index 1755926572ff..8aecbc2db60f 100644 --- a/website/content/api-docs/secret/pki/index.mdx +++ b/website/content/api-docs/secret/pki/index.mdx @@ -2776,7 +2776,7 @@ do so, import a new issuer and a new `issuer_id` will be assigned. to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed, breaking the - behavior required by https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.4 . + behavior required by [RFC 5280 Section 4.1.2.4](https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.4). - `disable_name_constraint_checks` `(bool: false)` - This determines whether this issuer is able From 54b1425df1ab14d60f6d91ee8b8ca51c0655895e Mon Sep 17 00:00:00 2001 From: kitography Date: Tue, 7 Jan 2025 12:14:54 -0500 Subject: [PATCH 6/6] Update enterprise tag to be on the same line for vercel reasons. --- website/content/api-docs/secret/pki/index.mdx | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/website/content/api-docs/secret/pki/index.mdx b/website/content/api-docs/secret/pki/index.mdx index 8aecbc2db60f..889438116e08 100644 --- a/website/content/api-docs/secret/pki/index.mdx +++ b/website/content/api-docs/secret/pki/index.mdx 
@@ -2758,28 +2758,24 @@ do so, import a new issuer and a new `issuer_id` will be assigned. ~> **Note**: If no cluster-local address is present and templating is used, issuance will fail. -- `disable_critical_extension_checks` `(bool: false)` - - This determines whether this issuer is able +- `disable_critical_extension_checks` `(bool: false)` - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by vault, breaking the behavior required by [RFC 5280 Section 6.1](https://www.rfc-editor.org/rfc/rfc5280#section-6.1). -- `disable_path_length_checks` `(bool: false)` - - This determines whether this issuer is able +- `disable_path_length_checks` `(bool: false)` - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain, breaking the behavior required by [RFC 5280 Section 4.2.1.9](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9). -- `disable_name_checks` `(bool: false)` - - This determines whether this issuer is able +- `disable_name_checks` `(bool: false)` - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed, breaking the behavior required by [RFC 5280 Section 4.1.2.4](https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.4). 
-- `disable_name_constraint_checks` `(bool: false)` - - This determines whether this issuer is able +- `disable_name_constraint_checks` `(bool: false)` - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain, breaking the behavior required by
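Review bot: in the PATCH 1/6 hunk, the `disable_critical_extension_checks` entry has a subject/verb mismatch ("the chain of trust ... contain critical extensions" should be "contains"), and "not processed by vault" should capitalize the product name as "Vault". The same hunk never says what an operator gives up by setting any of the four flags to `true`: each description ends with "breaking the behavior required by RFC 5280", so the consequence is that a chain issued this way can be rejected by any relying party that performs RFC 5280 path validation, and the entries should say so, plus state that the default `false` keeps the check enforced. The `disable_path_length_checks` text "is longer than allowed by a certificate authority in that chain" would be clearer as "exceeds the `pathLenConstraint` of a CA certificate in that chain", which is the term Section 4.2.1.9 uses. Finally, the commit subject calls this an enterprise feature, but none of the four `+` entries as shown carries an enterprise-only marker; add the docs' inline enterprise tag to each parameter line.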
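Review bot: the PATCH 2/6 hunk is the right fix (turning the bare URL with its stray " ." into a titled markdown link), but PATCH 3/6, 4/6 and 5/6 apply the identical one-line change to the other three entries under the same commit message; squash the four into one commit so the series reads as "add the parameters" followed by "reflow for the enterprise tag" rather than six commits for 27 added lines.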
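Review bot: in the PATCH 6/6 hunk the `+` lines only join "- This determines whether this issuer is able" onto the parameter line; no enterprise tag is visible in the added text even though the subject line says the reflow exists to keep that tag on the same line. Confirm the inline tag actually survived on the `+` lines and sits between the `(bool: false)` type annotation and the description, and check the rendered page, since the continuation lines that follow each `+` line keep their two-space indent from the old nested bullet and may now render as a continuation of the top-level item rather than as a sub-bullet.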