From 573ea1a95d816102681cd93d143fbcc390768809 Mon Sep 17 00:00:00 2001 From: FFMMM Date: Thu, 4 Nov 2021 15:44:22 -0700 Subject: [PATCH] change vault ca docs to mention root cert ttl config (#11488) Signed-off-by: FFMMM --- website/content/docs/connect/ca/vault.mdx | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/website/content/docs/connect/ca/vault.mdx b/website/content/docs/connect/ca/vault.mdx index 6b96616b2..e562df62e 100644 --- a/website/content/docs/connect/ca/vault.mdx +++ b/website/content/docs/connect/ca/vault.mdx @@ -95,10 +95,13 @@ The configuration options are listed below. - `RootPKIPath` / `root_pki_path` (`string: `) - The path to a PKI secrets engine for the root certificate. If the path does not - exist, Consul will mount a new PKI secrets engine at the specified path with + exist, Consul will mount a new PKI secrets engine at the specified path with the + `RootCertTTL` value as the root certificate's TTL. If the `RootCertTTL` is not set, a [`max_lease_ttl`](https://www.vaultproject.io/api/system/mounts#max_lease_ttl) - of 8760 hours, or 1 year. This TTL value specifies the expiry period of the - root certificate and is currently not configurable. + of 87600 hours, or 10 years is applied by default as of Consul 1.11 and later. + + Prior to Consul 1.11, the root certificate TTL was set to 8760 hour, or 1 year, and + was not configurable. - `IntermediatePKIPath` / `intermediate_pki_path` (`string: `) - The path to a PKI secrets engine for the generated intermediate certificate.
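Review bot: in the rewritten `RootPKIPath` description, `RootCertTTL` is named without a link or its snake_case form, and the text does not say whether it has any effect when a PKI mount already exists at `root_pki_path`. The options in this list are written as `RootPKIPath` / `root_pki_path`, so a reader cannot tell from this entry where `RootCertTTL` is set or how it is spelled in a config file. Suggest linking it to the section where it is documented and adding one sentence on the existing-mount case, since the description only covers "If the path does not exist". The default also moves from 1 year to 10 years, which changes how long a root stays valid for operators who leave the option unset, so it is worth stating the new default next to the option name rather than only in the fallback clause. Wording nits in the added lines: "8760 hour" should be "8760 hours", "as of Consul 1.11 and later" is redundant (either "as of Consul 1.11" or "in Consul 1.11 and later"), and "or 10 years is applied" needs a closing comma after "10 years".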