From 55ca52f3fdc8a9b7af20b70c14bb2ca99734220c Mon Sep 17 00:00:00 2001 From: Kit Haines Date: Thu, 9 Jan 2025 11:30:29 -0500 Subject: [PATCH] =?UTF-8?q?Add=20information=20about=20an=20enterprise=20f?= =?UTF-8?q?eature=20related=20to=20validating=20iss=E2=80=A6=20(#29300)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add information about an enterprise feature related to validating issued certificates to the PKI API docs. * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark * Update enterprise tag to be on the same line for vercel reasons. --------- Co-authored-by: Steven Clark --- website/content/api-docs/secret/pki/index.mdx | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/website/content/api-docs/secret/pki/index.mdx b/website/content/api-docs/secret/pki/index.mdx index abe7c34af2..889438116e 100644 --- a/website/content/api-docs/secret/pki/index.mdx +++ b/website/content/api-docs/secret/pki/index.mdx 
@@ -2758,6 +2758,29 @@ do so, import a new issuer and a new `issuer_id` will be assigned. ~> **Note**: If no cluster-local address is present and templating is used, issuance will fail. +- `disable_critical_extension_checks` `(bool: false)` - This determines whether this issuer is able + to issue certificates where the chain of trust (including the issued + certificate) contain critical extensions not processed by vault, breaking the + behavior required by [RFC 5280 Section 6.1](https://www.rfc-editor.org/rfc/rfc5280#section-6.1). + +- `disable_path_length_checks` `(bool: false)` - This determines whether this issuer is able + to issue certificates where the chain of trust (including the final issued + certificate) is longer than allowed by a certificate authority in that chain, + breaking the behavior required by + [RFC 5280 Section 4.2.1.9](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9). + +- `disable_name_checks` `(bool: false)` - This determines whether this issuer is able + to issue certificates where the chain of trust (including the final issued + certificate) contains a link in which the subject of the issuing certificate + does not match the named issuer of the certificate it signed, breaking the + behavior required by [RFC 5280 Section 4.1.2.4](https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.4). + +- `disable_name_constraint_checks` `(bool: false)` - This determines whether this issuer is able + to issue certificates where the chain of trust (including the final issued + certificate) violates the name constraints critical extension of one of the + issuer certificates in the chain, breaking the behavior required by + [RFC 5280 Section 4.2.1.10](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10). + #### Sample payload ```json
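Review bot: The four new `disable_*` entries describe only what the issuer "is able to issue" and never say outright that the default `false` keeps the corresponding RFC 5280 check enforced, so the double negative is easy to misread when someone is deciding whether to touch these fields. Suggest adding a sentence to each entry, or one shared note under the list, stating that `false` means the check is performed at issuance and that setting the field to `true` lets this issuer produce certificates that validators following the cited RFC section are expected to reject. In the `disable_critical_extension_checks` entry, "the chain of trust (including the issued certificate) contain critical extensions not processed by vault" should read "contains" and "Vault", and "the issued certificate" should match the "final issued certificate" wording used in the other three entries. In `disable_name_constraint_checks`, "the name constraints critical extension" leaves it unclear whether a name constraints extension that is not marked critical is also enforced; please state which. The commit message calls this an enterprise feature and mentions an enterprise tag, but none of the four entries as shown here carries a visible marker, so please confirm the tag is present on each parameter line in the rendered page.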