Document new PKI CMPv2 configuration field disabled_validations (#29707)

* Document new PKI CMPv2 configuration field disabled_validations.
Victor Rodriguez
2025-02-27 12:13:30 -05:00
committed by GitHub
parent a2d7e29870
commit b28ba3046f
2 changed files with 18 additions and 14 deletions


@@ -705,6 +705,7 @@ $ curl \
"data": {
"audit_fields": ["common_name", "alt_names", "ip_sans", "uri_sans"],
"default_path_policy": "role:example-role",
"disabled_validations": [],
"authenticators": {
"cert": {
"accessor": "auth_cert_7fe0c1cc",
@@ -750,6 +751,11 @@ updated values as a response along with an updated `last_updated` field.
`locality`, `province`, `street_address`, `postal_code`, `serial_number`, `use_pss`, `key_type`, `key_bits`,
`add_basic_constraints`
- `disabled_validations` `(list: [])` - Checks to skip during request validation. Possible values are
`DisableMatchingKeyIdValidation`, and 'DisableCertTimeValidation'. `DisableMatchingKeyIdValidation` disables
the check that sender key ID in the request header needs to match the subject public key ID in the signing
certificate. `DisableCertTimeValidation` disables the not before/not after verifications within the signing
certificate. Disabling any validation is highly discouraged.
#### Sample Payload
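Review bot: the two possible values are formatted inconsistently in the new `disabled_validations` bullet: `DisableMatchingKeyIdValidation` is in backticks while 'DisableCertTimeValidation' is in single quotes, and "Possible values are X, and Y" carries a stray comma for a two-item list. Suggest `Possible values are \`DisableMatchingKeyIdValidation\` and \`DisableCertTimeValidation\`.` so both render as code. It would also help operators to state what each disabled check protects against in one clause each (the sender key ID binding ties the CMPv2 request header to the signing certificate; the time check rejects expired or not-yet-valid signing certificates), since "highly discouraged" alone gives no basis for a risk decision, and to note that writing `[]` restores all validations.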
@@ -762,6 +768,7 @@ updated values as a response along with an updated `last_updated` field.
"cert_role": "cert1"
},
"default_path_policy": "sign-verbatim",
"disabled_validations": ["DisableMatchingKeyIdValidation"],
"audit_fields": ["common_name", "alt_names", "ip_sans", "uri_sans"],
"enable_sentinel_parsing": true
}
@@ -790,12 +797,10 @@ $ curl \
"cert_role": "cert1"
},
"default_path_policy": "sign-verbatim",
"disabled_validations": ["DisableMatchingKeyIdValidation"],
"enabled": true,
"enable_sentinel_parsing": true,
"last_updated": "2024-02-02T10:49:20-05:00"
}
}
```
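Review bot: the hunk header `@@ -790,12 +797,10 @@` records a net removal of two lines from this sample response, but no removed lines are rendered in this view; please confirm the deletion only dropped blank or duplicated lines and did not remove a documented response field, since the sample response is what readers diff their own output against. The added `"disabled_validations": ["DisableMatchingKeyIdValidation"]` line does match the payload in the previous hunk, which is good.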


@@ -112,6 +112,7 @@ vault write pki/config/cmp -<<EOC
{
"enabled": true,
"default_path_policy": "role:example-role",
"disabled_validations": [],
"authenticators": {
"cert": {
"accessor": "auth_cert_4088ac2d"
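Review bot: the `vault write pki/config/cmp` example in the user-facing docs gains `"disabled_validations": []`, but nothing visible in this file explains what the field does or links to the new bullet in the API docs. A reader copying this example has no way to learn the accepted values or that the default (an empty list) keeps every validation enabled; suggest a one-line note under the example pointing at the `disabled_validations` entry in the CMPv2 API reference.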
@@ -141,5 +142,3 @@ Note that CMPv2 is not integrated with these existing Vault PKI features:
* Certificate Metadata - CMPv2 has no means of providing metadata.
* Certificate Issuance External Policy Service [(CIEPS)](/vault/docs/secrets/pki/cieps)
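Review bot: the hunk header `@@ -141,5 +142,3 @@` shows two lines removed at the end of the "not integrated" list, yet only context lines are rendered here; please confirm the removed lines were trailing whitespace and not a list item, because silently dropping a documented integration gap from this list would mislead operators.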