backport of commit d7e4447ec054ad9b8ce2dbdad6111f1587b325f8 (#23318)

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
hc-github-team-secure-vault-core 2023-09-27 13:31:57 -04:00 committed by GitHub
parent b7dca10a06
commit 4ccb3281f0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 64 additions and 58 deletions

View File

@ -171,6 +171,7 @@ Use `vault write` to enable CRL auto-rebuild:
```shell-session
$ vault write <mount>/config/crl auto_rebuild=true
```
### Hardware-Backed root certificate
@ -314,7 +315,7 @@ This health check checks whether audit information is accessible to log consumer
Use `vault secrets tune` to set the desired audit parameters:
```shell-session
vault secrets tune \
$ vault secrets tune \
-audit-non-hmac-response-keys=certificate \
-audit-non-hmac-response-keys=issuing_ca \
-audit-non-hmac-response-keys=serial_number \
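Review bot: the text around `$ vault secrets tune \` should state that the repeated `-audit-non-hmac-response-keys=...` flags accumulate (each occurrence adds another key) rather than override one another, otherwise a reader trimming the command may keep only the last flag and leave `certificate` and `issuing_ca` HMAC'd in the audit log. The `$` prompt itself is consistent with the other `shell-session` blocks in this file.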
@ -379,22 +380,25 @@ This health check verifies if the `If-Modified-Since` header has been added to `
1. Update `allowed_response_headers` and `passthrough_request_headers` for all
policies with `vault secrets tune`:
```shell-session
vault secrets tune \
```shell-session
$ vault secrets tune \
-passthrough-request-headers="If-Modified-Since" \
-allowed-response-headers="Last-Modified" \
<mount>
```
```
1. Update ACME-specific headers with `vault secrets tune` (if you are using ACME):
```shell-session
vault secrets tune \
```shell-session
$ vault secrets tune \
-passthrough-request-headers="If-Modified-Since" \
-allowed-response-headers="Last-Modified" \
-allowed-response-headers="Replay-Nonce" \
-allowed-response-headers="Link" \
-allowed-response-headers="Location" \
<mount>
```
```
### Auto-Tidy disabled
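Review bot: the step text in this hunk's header says the headers are tuned "for all policies", but `vault secrets tune ... <mount>` operates on a secrets mount, not on a policy; suggest "for every PKI mount". The `shell-session` opening fence and the closing fence both appear as removed-and-re-added pairs, so the only change to them is indentation: check that each fence is indented to match the text of its `1.` list item, otherwise the block breaks out of the list and the next item restarts at 1. The `$` prompts on `$ vault secrets tune \` match the rest of the document.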
@ -418,14 +422,14 @@ This health check verifies that auto-tidy is enabled, with sane defaults for int
Use `vault write` to enable auto-tidy with the recommended defaults:
```shell-session
vault write <mount>/config/auto-tidy \
enabled=true \
tidy_cert_store=true \
tidy_revoked_certs=true \
tidy_acme=true \
tidy_revocation_queue=true \
tidy_cross_cluster_revoked_certs=true \
tidy_revoked_cert_issuer_associations=true
$ vault write <mount>/config/auto-tidy \
enabled=true \
tidy_cert_store=true \
tidy_revoked_certs=true \
tidy_acme=true \
tidy_revocation_queue=true \
tidy_cross_cluster_revoked_certs=true \
tidy_revoked_cert_issuer_associations=true
```
### Tidy hasn't run
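Review bot: the tidy options listed under `$ vault write <mount>/config/auto-tidy \` (`tidy_cert_store` through `tidy_revoked_cert_issuer_associations`) are repeated verbatim in the two later manual-tidy blocks (`$ vault write <mount>/tidy \`); if one list is edited later the others will drift, so either have the manual steps refer back to this block or keep the three lists identical in the same commit. Putting the `$` prompt only on the first line of the backslash-continued command is the right convention for `shell-session`.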
@ -446,15 +450,17 @@ This health check verifies that tidy has run within the last run window. This ca
**Remediation steps**:
1. Schedule a manual run of tidy with `vault write`:
```shell-session
vault write <mount>/tidy \
```shell-session
$ vault write <mount>/tidy \
tidy_cert_store=true \
tidy_revoked_certs=true \
tidy_acme=true \
tidy_revocation_queue=true \
tidy_cross_cluster_revoked_certs=true \
tidy_revoked_cert_issuer_associations=true
```
```
1. Review the tidy status endpoint, `vault read <mount>/tidy-status` for
additional information.
1. Re-configure auto-tidy based on the log information and results of your
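Review bot: the line `1. Review the tidy status endpoint, \`vault read <mount>/tidy-status\` for` needs a comma after the code span, since it is a parenthetical. As in the header hunk above, the closing fence is removed and re-added unchanged apart from indentation, so make sure both fence lines align with the list-item text so the auto-numbered `1.` steps continue rather than restart after the block.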
@ -481,18 +487,18 @@ This health check verifies that this cluster has a reasonable number of certific
1. Verify that tidy ran recently with `vault read`:
```shell-session
vault read <mount>/tidy-status
$ vault read <mount>/tidy-status
````
1. Schedule a manual run of tidy with `vault write`:
```shell-session
vault write <mount>/tidy \
tidy_cert_store=true \
tidy_revoked_certs=true \
tidy_acme=true \
tidy_revocation_queue=true \
tidy_cross_cluster_revoked_certs=true \
tidy_revoked_cert_issuer_associations=true
```
```shell-session
$ vault write <mount>/tidy \
tidy_cert_store=true \
tidy_revoked_certs=true \
tidy_acme=true \
tidy_revocation_queue=true \
tidy_cross_cluster_revoked_certs=true \
tidy_revoked_cert_issuer_associations=true
```
1. Enable `auto-tidy`.
1. Make sure that you are not renewing certificates too soon. Certificate
lifetimes should reflect the expected usage of the certificate. If the TTL is
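Review bot: the unchanged context line right after `$ vault read <mount>/tidy-status` closes the block with four backticks instead of three; since this hunk already touches that block, fix it to three so it matches every other fence in the file (a longer closing fence still closes the block, but if it were ever copied as an opening fence it would need a four-backtick close). The re-fenced `$ vault write <mount>/tidy \` block is otherwise identical to the one in the "Tidy hasn't run" section.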
@ -534,7 +540,7 @@ This health check verifies if the `"Replay-Nonce`, `Link`, and `Location` header
Use `vault secrets tune` to add the missing headers to `allowed_response_headers`:
```shell-session
vault secrets tune \
$ vault secrets tune \
-allowed-response-headers="Last-Modified" \
-allowed-response-headers="Replay-Nonce" \
-allowed-response-headers="Link" \
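Review bot: the section title in this hunk's header reads `"Replay-Nonce` with a stray double quote inside the code span; it should be `Replay-Nonce`, matching the `Link` and `Location` spans beside it. The `$` prompt on `$ vault secrets tune \` matches the rest of the file, and including `Last-Modified` alongside the three ACME headers is consistent with the earlier ACME tuning step.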

View File

@ -628,35 +628,6 @@
}
]
},
{
"title": "<code>pki</code>",
"routes": [
{
"title": "Overview",
"path": "commands/pki"
},
{
"title": "<code>health-check</code>",
"path": "commands/pki/health-check"
},
{
"title": "<code>verify-sign</code>",
"path": "commands/pki/verify-sign"
},
{
"title": "<code>list-intermediates</code>",
"path": "commands/pki/list-intermediates"
},
{
"title": "<code>issue</code>",
"path": "commands/pki/issue"
},
{
"title": "<code>reissue</code>",
"path": "commands/pki/reissue"
}
]
},
{
"title": "<code>lease</code>",
"routes": [
@ -780,6 +751,35 @@
"title": "<code>path-help</code>",
"path": "commands/path-help"
},
{
"title": "<code>pki</code>",
"routes": [
{
"title": "Overview",
"path": "commands/pki"
},
{
"title": "<code>health-check</code>",
"path": "commands/pki/health-check"
},
{
"title": "<code>verify-sign</code>",
"path": "commands/pki/verify-sign"
},
{
"title": "<code>list-intermediates</code>",
"path": "commands/pki/list-intermediates"
},
{
"title": "<code>issue</code>",
"path": "commands/pki/issue"
},
{
"title": "<code>reissue</code>",
"path": "commands/pki/reissue"
}
]
},
{
"title": "<code>plugin</code>",
"routes": [
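Review bot: the move of the `pki` navigation block is fine: the entry removed in the previous hunk is re-inserted here line for line, now between `path-help` and `plugin`, which restores the alphabetical ordering of the sibling entries (`lease`, ..., `path-help`, `pki`, `plugin`), and the six routes (Overview, `health-check`, `verify-sign`, `list-intermediates`, `issue`, `reissue`) and their paths are unchanged. No objection.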