From 41e384f8050c2b19b55301cf5c4573d991413983 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Wed, 22 Feb 2023 14:53:55 -0500 Subject: [PATCH] backport of commit 719391684925715019d7e0efdf07ae48133a0db7 (#19298) Co-authored-by: Alexander Scheel --- website/content/api-docs/secret/pki.mdx | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/website/content/api-docs/secret/pki.mdx b/website/content/api-docs/secret/pki.mdx index 66abcb6aca9d..3b9c14e09dce 100644 --- a/website/content/api-docs/secret/pki.mdx +++ b/website/content/api-docs/secret/pki.mdx @@ -3790,6 +3790,17 @@ expiration time. performance of OCSP and CRL building, by shifting work to a tidy operation instead. +~> Note: With multiple issuers, a CA which issued a particular revoked + certificate may be removed and re-added, resulting in a different issuer + ID value. When building CRLs, these links are automatically updated for any + missing or added issuers, but during OCSP this value is computed and then + discarded, potentially causing a performance penalty on each request. + During regular CA operations, it is not necessary to run this operation. +

+ It is suggested to run this tidy when removing or importing new issuers and + on the first upgrade to a post-1.11 Vault version, but otherwise not to run + it during automatic tidy operations. + - `tidy_expired_issuers` `(bool: false)` - Set to true to automatically remove expired issuers after the `issuer_safety_buffer` duration has elapsed. We log the issuer certificate on removal to allow recovery; no keys are removed
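Review bot: The new `~> Note:` block refers to "this operation" and "this tidy" without naming the tidy parameter it describes; since the paragraph sits between other `tidy_*` option entries, a reader skimming the list cannot tell which flag to set, so state the option name explicitly in the first sentence (for example "it is not necessary to run this operation" should read "it is not necessary to enable <the tidy option this note documents>"). Two smaller points in the same hunk: the blank `+` line splits the note into two paragraphs, and a second indented paragraph after a blank line may not render as part of the `~>` callout, so either join the paragraphs or start the second one with its own `~>` marker; and "a post-1.11 Vault version" is ambiguous about whether 1.11 itself is included, so say "Vault 1.11 or later" (or "later than 1.11") to match whichever release introduced the issuer ID behaviour the note relies on. The guidance itself, that the issuer ID link is recomputed and discarded on every OCSP request and that the one-off tidy is only worth running after issuer import, removal or the first upgrade, is a useful operational caveat and reads correctly.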