From cd65bbabb0811d3d07b9d8d0a0bb71997c20fb84 Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Fri, 24 Apr 2015 10:52:25 -0700
Subject: [PATCH] website: document cert backend
---
 website/source/docs/auth/cert.html.md | 40 +++++++++++++++++++++++++++
 website/source/layouts/docs.erb | 4 +++
 2 files changed, 44 insertions(+)
 create mode 100644 website/source/docs/auth/cert.html.md
diff --git a/website/source/docs/auth/cert.html.md b/website/source/docs/auth/cert.html.md
new file mode 100644
index 0000000000..1584b89df8
--- /dev/null
+++ b/website/source/docs/auth/cert.html.md
@@ -0,0 +1,40 @@
+---
+layout: "docs"
+page_title: "Auth Backend: TLS Certificates"
+sidebar_current: "docs-auth-cert"
+description: |-
+ The "cert" auth backend allows users to authenticate with Vault using TLS client certificates.
+---
+
+# Auth Backend: TLS Certificates
+
+Name: `cert`
+
+The "cert" auth backend allows authentication using SSL/TLS client certificates
+which are either signed by a CA or self-signed.
+
+The trusted certificates and CAs are configured directly to the auth
+backend using the `certs/` path. This backend cannot read trusted certificates
+from an external source.
+
+## Authentication
+
+The endpoint for the login is `/login`. The client simply connects with their TLS
+certificate and when the login endpoint is hit, the auth backend will determine
+if there is a matching trusted certificate to authenticate the client.
+
+## Configuration
+
+To use the "cert" auth backend, an operator must configure it with
+trusted certificates that are allowed to authenticate. An example is shown below.
+Use `vault help` for more details.
+
+```
+$ vault write auth/cert/certs/web display_name=web policies=web,prod certificate=@web-cert.pem
+...
+```
+
+The above creates a new trusted certificate "web" with same display name
+and the "web" and "prod" policies. The certificate (public key) used to verify
+clients is given by the "web-cert.pem" file.
+
diff --git a/website/source/layouts/docs.erb b/website/source/layouts/docs.erb
index 03cf744465..00f7316329 100644
--- a/website/source/layouts/docs.erb
+++ b/website/source/layouts/docs.erb
@@ -137,6 +137,10 @@ > Username & Password + + + > + TLS Certificates