Document new PKI CMPv2 configuration field disabled_validations (#29707)

* Document new PKI CMPv2 configuration field disabled_validations.
Victor Rodriguez
2025-02-27 12:13:30 -05:00
committed by GitHub
parent a2d7e29870
commit b28ba3046f
2 changed files with 18 additions and 14 deletions


@@ -705,6 +705,7 @@ $ curl \
"data": { "data": {
"audit_fields": ["common_name", "alt_names", "ip_sans", "uri_sans"], "audit_fields": ["common_name", "alt_names", "ip_sans", "uri_sans"],
"default_path_policy": "role:example-role", "default_path_policy": "role:example-role",
"disabled_validations": [],
"authenticators": { "authenticators": {
"cert": { "cert": {
"accessor": "auth_cert_7fe0c1cc", "accessor": "auth_cert_7fe0c1cc",
@@ -750,6 +751,11 @@ updated values as a response along with an updated `last_updated` field.
`locality`, `province`, `street_address`, `postal_code`, `serial_number`, `use_pss`, `key_type`, `key_bits`, `locality`, `province`, `street_address`, `postal_code`, `serial_number`, `use_pss`, `key_type`, `key_bits`,
`add_basic_constraints` `add_basic_constraints`
- `disabled_validations` `(list: [])` - Checks to skip during request validation. Possible values are
`DisableMatchingKeyIdValidation`, and 'DisableCertTimeValidation'. `DisableMatchingKeyIdValidation` disables
the check that sender key ID in the request header needs to match the subject public key ID in the signing
certificate. `DisableCertTimeValidation` disables the not before/not after verifications within the signing
certificate. Disabling any validation is highly discouraged.
#### Sample Payload #### Sample Payload
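Review bot: the value names are quoted inconsistently in the new bullet: `DisableMatchingKeyIdValidation` is in backticks while 'DisableCertTimeValidation' is in single quotes on its first mention, and "Possible values are `DisableMatchingKeyIdValidation`, and ..." has a stray comma before "and" with only two items; suggest "Possible values are `DisableMatchingKeyIdValidation` and `DisableCertTimeValidation`." It would also help operators weighing this setting if the closing sentence said what is lost rather than only "highly discouraged", e.g. that skipping the key ID match removes the binding between the request header's sender key ID and the signing certificate, and that skipping time validation accepts a signing certificate outside its validity period. Finally, confirm a blank line separates the new bullet from the `#### Sample Payload` heading so the list does not run into it when rendered.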
@@ -762,6 +768,7 @@ updated values as a response along with an updated `last_updated` field.
"cert_role": "cert1" "cert_role": "cert1"
}, },
"default_path_policy": "sign-verbatim", "default_path_policy": "sign-verbatim",
"disabled_validations": ["DisableMatchingKeyIdValidation"],
"audit_fields": ["common_name", "alt_names", "ip_sans", "uri_sans"], "audit_fields": ["common_name", "alt_names", "ip_sans", "uri_sans"],
"enable_sentinel_parsing": true "enable_sentinel_parsing": true
} }
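Review bot: the sample payload sets `"disabled_validations": ["DisableMatchingKeyIdValidation"]` immediately after the field description says disabling any validation is highly discouraged; consider showing the default `[]` here, or adding a short sentence that the non-empty value is for illustration only, so a copy-pasted sample does not silently weaken request validation.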
@@ -790,12 +797,10 @@ $ curl \
"cert_role": "cert1" "cert_role": "cert1"
}, },
"default_path_policy": "sign-verbatim", "default_path_policy": "sign-verbatim",
"disabled_validations": ["DisableMatchingKeyIdValidation"],
"enabled": true, "enabled": true,
"enable_sentinel_parsing": true, "enable_sentinel_parsing": true,
"last_updated": "2024-02-02T10:49:20-05:00" "last_updated": "2024-02-02T10:49:20-05:00"
} }
} }
``` ```
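Review bot: the hunk header `@@ -790,12 +797,10 @@` records a net loss of two lines in the sample response, but the only visible change is the added `"disabled_validations": ["DisableMatchingKeyIdValidation"],` line; confirm which lines were removed and that nothing from the sample response (for example a trailing field before `last_updated`) was dropped unintentionally.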


@@ -112,6 +112,7 @@ vault write pki/config/cmp -<<EOC
{ {
"enabled": true, "enabled": true,
"default_path_policy": "role:example-role", "default_path_policy": "role:example-role",
"disabled_validations": [],
"authenticators": { "authenticators": {
"cert": { "cert": {
"accessor": "auth_cert_4088ac2d" "accessor": "auth_cert_4088ac2d"
@@ -141,5 +142,3 @@ Note that CMPv2 is not integrated with these existing Vault PKI features:
* Certificate Metadata - CMPv2 has no means of providing metadata. * Certificate Metadata - CMPv2 has no means of providing metadata.
* Certificate Issuance External Policy Service [(CIEPS)](/vault/docs/secrets/pki/cieps) * Certificate Issuance External Policy Service [(CIEPS)](/vault/docs/secrets/pki/cieps)
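Review bot: the hunk header `@@ -141,5 +142,3 @@` records two lines removed at the end of this file, yet only unchanged context lines are visible; confirm the deletion is limited to trailing blank lines and not a bullet in the "not integrated" list, since the commit message mentions only the documentation of `disabled_validations`.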