mirror of
https://github.com/hashicorp/vault.git
synced 2025-09-01 03:51:08 +02:00
* Add cn_validations PKI Role parameter

This new parameter allows disabling all validations on a common name, enabled by default on sign-verbatim and issuer generation options.

Presently, the default behavior is to allow either an email address (denoted with an @ in the name) or a hostname to pass validation. Operators can restrict roles to just a single option (e.g., for email certs, limit CNs to have strictly email addresses and not hostnames).

By setting the value to `disabled`, CNs of other formats can be accepted without validating their contents against our minimal correctness checks for email/hostname/wildcard that we typically apply even when broad permissions (allow_any_name=true, enforce_hostnames=false, and allow_wildcard_certificates=true) are granted on the role.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update PKI tests for cn_validation support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PKI API documentation on cn_validations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
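
A simplified Go model of the common-name decision the commit message describes, added here as an illustration and not taken from the Vault source. The function name `cnAccepted`, the two regular expressions and the sample CNs are assumptions; the value names `email` and `hostname` come from the Vault PKI role API, not from this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Simplified format checks (assumptions for this sketch, not Vault's patterns).
var (
	hostnameRe = regexp.MustCompile(
		`^(\*\.)?([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$`)
	emailRe = regexp.MustCompile(`^[^@\s]+@[^@\s]+$`)
)

// cnAccepted models how a role's cn_validations list gates a requested CN:
// "disabled" skips every content check, otherwise a CN containing "@" needs
// "email" and any other CN needs "hostname".
func cnAccepted(cn string, cnValidations []string) bool {
	allowed := map[string]bool{}
	for _, v := range cnValidations {
		allowed[v] = true
	}
	if allowed["disabled"] {
		return true // contents are not inspected at all
	}
	if strings.Contains(cn, "@") {
		return allowed["email"] && emailRe.MatchString(cn)
	}
	return allowed["hostname"] && hostnameRe.MatchString(cn)
}

func main() {
	roles := [][]string{{"email", "hostname"}, {"email"}, {"hostname"}, {"disabled"}}
	// Constructed sample CNs: an email, a hostname, a wildcard, a free-form name.
	cns := []string{"alice@example.com", "www.example.com", "*.example.com", "ACME Device 0001"}
	for _, r := range roles {
		for _, cn := range cns {
			fmt.Printf("%-18v %-20q accepted=%v\n", r, cn, cnAccepted(cn, r))
		}
	}
}
```

The `disabled` row is the one to review in role audits: every CN passes, so any constraint on what a certificate's subject may claim has to come from who is allowed to use the role.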