From 58f770c4abd48590e85e42af09daeb0803c8f633 Mon Sep 17 00:00:00 2001 From: Scott Miller Date: Thu, 13 Apr 2023 18:33:21 +0000 Subject: [PATCH] backport of commit fc21d357ff333399f7ee613e5f5e29c5f6acbdd4 --- website/content/api-docs/auth/cert.mdx | 20 ++++++++++++++++++++ website/content/docs/auth/cert.mdx | 12 +++++++++--- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/website/content/api-docs/auth/cert.mdx b/website/content/api-docs/auth/cert.mdx index 2151fc87f095..82a72596cc3e 100644 --- a/website/content/api-docs/auth/cert.mdx +++ b/website/content/api-docs/auth/cert.mdx 
@@ -66,6 +66,24 @@ Sets a CA cert and associated parameters in a role name. will be added as metadata if they are present in the certificate. The metadata key will be the string consisting of the oid numbers separated by a dash (-) instead of a dot (.) to allow usage in ACL templates. +- `ocsp_enabled` `(bool: false)` - If enabled, validate certificates' revocation + status using OCSP. +- `ocsp_ca_certificates` `(string: "")` Any additional CA certificates needed to + verify OCSP responses. Provided as base64 encoded PEM data. +- `ocsp_servers_override` `(array: [])`: A comma-separated list of OCSP server + addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess + extension on the certificate being inspected. +- `ocsp_fail_open` `(bool: false)` - If true and an OCSP response cannot be fetched + or is of an unknown status, the login will proceed as if the certificate has not + been revoked. +- `ocsp_query_all_servers` `(bool: false)` - If set to true, rather than accepting + the first successful OCSP response, query all servers and consider the certificate + valid only if all servers agree. + + ~> **Note**: When using Vault's PKI engine with Performance Replication clusters + as the OCSP provider, and without `unified_crls=true` set on the source mount + or when using cluster-local OCSP resolvers, we recommend enabling this option. + - `display_name` `(string: "")` - The `display_name` to set on tokens issued when authenticating against this CA certificate. If not set, defaults to the name of the role. @@ -336,6 +354,8 @@ Configuration options for the method. - `enable_identity_alias_metadata` `(boolean: false)` - If set, metadata of the certificate including the metadata corresponding to `allowed_metadata_extensions` will be stored in the alias +- `ocsp_cache_size` `(int: 100)` - The size of the OCSP response LRU cache. Note + that this cache is used for all configured certificates. ### Sample Payload 
diff --git a/website/content/docs/auth/cert.mdx b/website/content/docs/auth/cert.mdx index d63a50da3613..b1f481c85241 100644 --- a/website/content/docs/auth/cert.mdx +++ b/website/content/docs/auth/cert.mdx @@ -57,9 +57,15 @@ mount of the method. The workaround here is to mount multiple copies of the `cert` method, configure each with one CA/CRL, and have clients connect to the appropriate mount. -In addition, since the method does not fetch the CRLs itself, the CRL's -designated time to next update is not considered. If a CRL is no longer in use, -it is up to the administrator to remove it from the method. +In addition, if a CRL distribution point is not set the method will not +fetch the CRLs itself, the CRL's designated time to next update is not +considered. If a CRL is no longer in use, it is up to the administrator to +remove it from the method. + +In addition to automatic or manual CRL management, OCSP may be enabled for +a configured certificate, in which case Vault will query the OCSP server either +specified in the presented certificate or configured in the auth method to +check revocation. ## Authentication
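Review bot: In the first hunk of `website/content/api-docs/auth/cert.mdx`, `ocsp_servers_override` is typed `(array: [])` but described as "A comma-separated list of OCSP server addresses"; pick one form, or say explicitly that both an array and a comma-delimited string are accepted. The list punctuation in the same hunk is also inconsistent: `ocsp_ca_certificates` has no separator after its type and `ocsp_servers_override` uses a colon, while every other entry uses ` - `. The `ocsp_fail_open` text would be clearer if it spelled out the consequence it already implies: with the default `false` an unreachable responder fails the login, and with `true` a certificate that is actually revoked can still authenticate while the responder cannot be reached or returns an unknown status, so operators should pair it with monitoring of responder availability. Lastly, the `~> **Note**` sentence is hard to parse ("When using ... and without ... or when using ..."); consider "When Vault's PKI engine on a Performance Replication cluster is the OCSP provider and `unified_crls=true` is not set on the source mount, or when cluster-local OCSP resolvers are used, we recommend enabling this option."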
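Review bot: The `ocsp_cache_size` entry in the second api-docs hunk says the LRU cache is shared by all configured certificates but not what is cached or for how long. A reader tuning this value needs to know whether cached responses expire with the OCSP response's own validity window and whether failed or unknown-status lookups are cached at all, since the answer determines how long a stale revocation decision can persist; one sentence on that, or a pointer to where it is documented, would close the gap.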
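Review bot: The rewritten sentence in `website/content/docs/auth/cert.mdx` is a run-on: "if a CRL distribution point is not set the method will not fetch the CRLs itself, the CRL's designated time to next update is not considered". Suggest "In addition, if a CRL distribution point is not set, the method will not fetch the CRLs itself and the CRL's designated time to next update is not considered." The next paragraph also opens with "In addition", so the two read repetitively; "Beyond automatic or manual CRL management, OCSP may be enabled ..." avoids the echo. That paragraph says the OCSP server is "either specified in the presented certificate or configured in the auth method", but the api-docs hunk in this same patch states the precedence: `ocsp_servers_override` is used when set, and the certificate's AuthorityInformationAccess extension only when it is unset. Stating that order here, with a link to `ocsp_servers_override`, keeps the two pages consistent.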