Update PKI docs with key_usage info
parent 4ef5e960b0
commit 07f53eebc2
@ -106,19 +106,6 @@ servers manually using the `config/urls` endpoint. It is supported to have more
|
||||||
than one of each of these by passing in the multiple URLs as a comma-separated
|
than one of each of these by passing in the multiple URLs as a comma-separated
|
||||||
string parameter.
|
string parameter.
|
||||||
|
|
||||||
### No OCSP support, yet
|
|
||||||
|
|
||||||
Vault's architecture does not currently allow for a binary protocol such as
|
|
||||||
OCSP to be supported by a backend. As such, you should configure your software
|
|
||||||
to use CRLs for revocation information, with a caching lifetime that feels good
|
|
||||||
to you. Since you are following the advice above about keeping lifetimes short
|
|
||||||
(right?), CRLs should not grow too large, however, you can configure alternate
|
|
||||||
CRL and/or OCSP servers using `config/urls` if you wish.
|
|
||||||
|
|
||||||
If you are using issued certificates for client authentication to Vault, note
|
|
||||||
that as of 0.4, the `cert` authentication endpoint supports being pushed CRLs,
|
|
||||||
but it cannot read CRLs directly from this backend.
|
|
||||||
|
|
||||||
### Safe Minimums
|
### Safe Minimums
|
||||||
|
|
||||||
Since its inception, this backend has enforced SHA256 for signature hashes
|
Since its inception, this backend has enforced SHA256 for signature hashes
|
||||||
|
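Review bot: Dropping the whole "No OCSP support, yet" subsection removes the only revocation guidance in this part of the page (use CRLs with a reasonable caching lifetime, keep certificate lifetimes short so CRLs stay small, point clients at alternate CRL/OCSP servers via `config/urls`, and the note that as of 0.4 the `cert` auth endpoint accepts pushed CRLs but cannot read them from this backend), and nothing in this hunk or in the commit title, which only mentions key_usage, explains why. If OCSP support has since landed, the commit message should say so and the hunk should leave a sentence pointing readers to it; if the text was moved elsewhere, reference the new location; otherwise keep the subsection, since operators deciding between CRL and OCSP still need the `cert` endpoint caveat.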
@ -1142,6 +1129,16 @@ subpath for interactive help output.
|
||||||
`ec` keys. See https://golang.org/pkg/crypto/elliptic/#Curve
|
`ec` keys. See https://golang.org/pkg/crypto/elliptic/#Curve
|
||||||
for an overview of allowed bit lengths for `ec`.
|
for an overview of allowed bit lengths for `ec`.
|
||||||
</li>
|
</li>
|
||||||
|
<li>
|
||||||
|
<span class="param">key_usage</span>
|
||||||
|
<span class="param-flags">optional</span>
|
||||||
|
This sets the allowed key usage constraint on issued certificates. This
|
||||||
|
is a comma-separated string; valid values can be found at
|
||||||
|
https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the
|
||||||
|
`KeyUsage` part of the value. Values are not case-sensitive. To specify
|
||||||
|
no key usage constraints, set this to an empty string. Defaults to
|
||||||
|
`DigitalSignature,KeyAgreement,KeyEncipherment`.
|
||||||
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<span class="param">use_csr_common_name</span>
|
<span class="param">use_csr_common_name</span>
|
||||||
<span class="param-flags">optional</span>
|
<span class="param-flags">optional</span>
|
||||||
|
|
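Review bot: The new `key_usage` entry does not distinguish omitting the parameter from passing an empty string: it says an empty string means no key usage constraints while the default is `DigitalSignature,KeyAgreement,KeyEncipherment`, so a reader cannot tell whether leaving the field out keeps the default or clears it, nor whether "no constraints" means the Key Usage extension is omitted entirely or emitted with no bits set. Because removing the constraint weakens what relying parties can enforce on the issued certificate, say this explicitly, for example "Omit the parameter to keep the default; set it to an empty string to issue certificates without a Key Usage constraint." Minor: "simply drop the `KeyUsage` part of the value" reads better as "drop the `KeyUsage` prefix (e.g. `DigitalSignature` for `KeyUsageDigitalSignature`)", and the `--` should be a proper dash or a separate sentence in the rendered HTML.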