From 1ec3397899b6b7286720f95bfe716f54aef2bd42 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Fri, 17 Feb 2023 14:31:58 -0500 Subject: [PATCH] backport of commit 0c2fadca9e7aafa23fd8f26cbac992fd16b8cd63 (#19251) Co-authored-by: Alexander Scheel --- website/content/docs/auth/cert.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/content/docs/auth/cert.mdx b/website/content/docs/auth/cert.mdx index 385e60bdaf1d..d63a50da3613 100644 --- a/website/content/docs/auth/cert.mdx +++ b/website/content/docs/auth/cert.mdx @@ -11,7 +11,9 @@ description: >- @include 'x509-sha1-deprecation.mdx' The `cert` auth method allows authentication using SSL/TLS client certificates -which are either signed by a CA or self-signed. +which are either signed by a CA or self-signed. SSL/TLS client certificates +are defined as having an `ExtKeyUsage` extension with the usage set to either +`ClientAuth` or `Any`. The trusted certificates and CAs are configured directly to the auth method using the `certs/` path. This method cannot read trusted certificates from an
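Review bot: The added sentence in the `cert.mdx` intro ("are defined as having an `ExtKeyUsage` extension with the usage set to either `ClientAuth` or `Any`") does not say what the auth method does with a certificate that fails the definition or carries no Extended Key Usage extension at all. "Defined as" reads as terminology, while an operator needs to know the login-time behaviour, so it is worth stating directly whether such certificates are rejected and whether a missing extension counts as a match. The names `ExtKeyUsage`, `ClientAuth` and `Any` are the Go-style identifiers; readers issuing certificates with OpenSSL or another CA will be looking for the X.509 terms (Extended Key Usage, `clientAuth`, `anyExtendedKeyUsage`), so consider giving those alongside. Since the paragraph still says certificates may be "self-signed", a short note that the same usage requirement applies to self-signed certificates would remove any doubt.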