mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-17 03:57:01 +02:00
f48c70a449
* VAULT-15546 First pass at Vault Proxy docs * VAULT-15546 correct errors * VAULT-15546 fully qualify paths * VAULT-15546 remove index * VAULT-15546 Some typos and clean up * VAULT-15546 fix link * VAULT-15546 Add redirects so old links stay working * VAULT-15546 more explicit redirects * VAULT-15546 typo fixes * Suggestions for Vault Agent & Vault Proxy docs (#20612) * Rename 'agentandproxy' to 'agent-and-proxy' for better URL * Update the index pages for each section * VAULT-15546 fix link typo --------- Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
36 lines
1.7 KiB
Plaintext
36 lines
1.7 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Vault Auto-Auth Cert Method
|
|
description: Cert Method for Vault Auto-Auth
|
|
---
|
|
|
|
# Vault Auto-Auth Cert Method
|
|
|
|
The `cert` method uses the configured TLS certificates from the `vault` stanza of
|
|
the agent configuration and takes an optional `name` parameter. There is no option
|
|
to use certificates which differ from those used in the `vault` stanza.
|
|
|
|
It is strongly advised to provide TLS settings in the configuration stanza
|
|
within the auth method to avoid agent cache, if also enabled, from using the
|
|
same TLS settings when proxying requests. If TLS settings are not present in the
|
|
config stanza, Agent and Proxy will fall back to using TLS settings from their respective
|
|
[`vault` Stanzas](/vault/docs/agent#vault-stanza).
|
|
|
|
## Configuration
|
|
|
|
- `name` `(string: optional)` - The trusted certificate role which should be used
|
|
when authenticating with TLS. If a `name` is not specified, the auth method will
|
|
try to authenticate against [all trusted certificates](/vault/docs/auth/cert#authentication).
|
|
|
|
- `ca_cert` `(string: optional)` - Path on the local disk to a single
|
|
PEM-encoded CA certificate to verify the Vault server's SSL certificate.
|
|
|
|
- `client_cert` `(string: optional)` - Path on the local disk to a single
|
|
PEM-encoded client certificate to use for cert auth method authentication.
|
|
|
|
- `client_key` `(string: optional)` - Path on the local disk to a single
|
|
PEM-encoded private key matching the client certificate from client_cert.
|
|
|
|
- `reload` `(bool: optional, default: false)` - If true, causes the local x509 key-pair to be reloaded from disk on each authentication attempt.
|
|
This is useful in situations where client certificates are short-lived and automatically renewed.
|