Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation for cert auth OCSP checking #18064

Merged
merged 2 commits into from
Apr 13, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions website/content/api-docs/auth/cert.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,24 @@ Sets a CA cert and associated parameters in a role name.
will be added as metadata if they are present in the certificate. The
metadata key will be the string consisting of the oid numbers separated
by a dash (-) instead of a dot (.) to allow usage in ACL templates.
- `ocsp_enabled` `(bool: false)` - If enabled, validate certificates' revocation
status using OCSP.
- `ocsp_ca_certificates` `(string: "")` Any additional CA certificates needed to
verify OCSP responses. Provided as base64 encoded PEM data.
- `ocsp_servers_override` `(array: [])`: A comma-separated list of OCSP server
addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess
extension on the certificate being inspected.
- `ocsp_fail_open` `(bool: false)` - If true and an OCSP response cannot be fetched
or is of an unknown status, the login will proceed as if the certificate has not
been revoked.
- `ocsp_query_all_servers` `(bool: false)` - If set to true, rather than accepting
the first successful OCSP response, query all servers and consider the certificate
valid only if all servers agree.
cipherboy marked this conversation as resolved.
Show resolved Hide resolved

~> **Note**: When using Vault's PKI engine with Performance Replication clusters
as the OCSP provider, and without `unified_crls=true` set on the source mount
or when using cluster-local OCSP resolvers, we recommend enabling this option.

- `display_name` `(string: "")` - The `display_name` to set on tokens issued
when authenticating against this CA certificate. If not set, defaults to the
name of the role.
Expand Down Expand Up @@ -336,6 +354,8 @@ Configuration options for the method.
- `enable_identity_alias_metadata` `(boolean: false)` - If set, metadata of
the certificate including the metadata corresponding to
`allowed_metadata_extensions` will be stored in the alias
- `ocsp_cache_size` `(int: 100)` - The size of the OCSP response LRU cache. Note
that this cache is used for all configured certificates.

### Sample Payload

Expand Down
12 changes: 9 additions & 3 deletions website/content/docs/auth/cert.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -57,9 +57,15 @@ mount of the method. The workaround here is to mount multiple copies of the
`cert` method, configure each with one CA/CRL, and have clients connect to the
appropriate mount.

In addition, since the method does not fetch the CRLs itself, the CRL's
designated time to next update is not considered. If a CRL is no longer in use,
it is up to the administrator to remove it from the method.
In addition, if a CRL distribution point is not set the method will not
fetch the CRLs itself, the CRL's designated time to next update is not
considered. If a CRL is no longer in use, it is up to the administrator to
remove it from the method.

In addition to automatic or manual CRL management, OCSP may be enabled for
a configured certificate, in which case Vault will query the OCSP server either
specified in the presented certificate or configured in the auth method to
check revocation.

## Authentication

Expand Down