Add information about an enterprise feature related to validating iss… (#29300)

* Add information about an enterprise feature related to validating issued certificates to the PKI API docs. * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * Update enterprise tag to be on the same line for vercel reasons. --------- Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2025-11-03 03:58:01 +00:00 · 2025-01-09 11:30:29 -05:00
parent 4f14f7bfec
commit 55ca52f3fd
1 changed files with 23 additions and 0 deletions
--- a/website/content/api-docs/secret/pki/index.mdx
+++ b/website/content/api-docs/secret/pki/index.mdx
@@ -2758,6 +2758,29 @@ do so, import a new issuer and a new `issuer_id` will be assigned.
 ~> **Note**: If no cluster-local address is present and templating is used,
   issuance will fail.

+- `disable_critical_extension_checks` `(bool: false)` <EnterpriseAlert inline="true"/> - This determines whether this issuer is able
+  to issue certificates where the chain of trust (including the issued
+  certificate) contain critical extensions not processed by vault, breaking the
+  behavior required by [RFC 5280 Section 6.1](https://www.rfc-editor.org/rfc/rfc5280#section-6.1).
+
+- `disable_path_length_checks` `(bool: false)` <EnterpriseAlert inline="true"/> - This determines whether this issuer is able
+  to issue certificates where the chain of trust (including the final issued
+  certificate) is longer than allowed by a certificate authority in that chain,
+  breaking the behavior required by
+ [RFC 5280 Section 4.2.1.9](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9).
+
+- `disable_name_checks` `(bool: false)` <EnterpriseAlert inline="true"/> - This determines whether this issuer is able
+  to issue certificates where the chain of trust (including the final issued
+  certificate) contains a link in which the subject of the issuing certificate
+  does not match the named issuer of the certificate it signed, breaking the
+  behavior required by [RFC 5280 Section 4.1.2.4](https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.4).
+
+- `disable_name_constraint_checks` `(bool: false)` <EnterpriseAlert inline="true"/> - This determines whether this issuer is able
+  to issue certificates where the chain of trust (including the final issued
+  certificate) violates the name constraints critical extension of one of the
+  issuer certificates in the chain, breaking the behavior required by
+  [RFC 5280 Section 4.2.1.10](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10).
+
 #### Sample payload

 ```json