Add deprecation note about X.509/SHA-1 (#15581)

Add deprecation note about X.509/SHA-1

In preparation for moving to Go 1.18 in Vault 1.12.

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Christopher Swenson 2022-05-25 10:11:17 -07:00 committed by GitHub
parent a3d44a46c8
commit 5f9386abad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 0 deletions

changelog/15581.txt Normal file

@ -0,0 +1,3 @@
```release-note:deprecation
docs: Document removal of X.509 certificates with signatures who use SHA-1 in Vault 1.12
```
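Review bot: "signatures who use SHA-1" in the changelog line should read "signatures that use SHA-1" (a signature is not a person), which also matches the FAQ heading added in the same change. The entry says "removal of X.509 certificates" while the announcements table row added below labels the same item "End of Support", so align the two, e.g. `docs: Document end of support for X.509 certificates with SHA-1 signatures in Vault 1.12`.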


@ -35,3 +35,17 @@ These features were deprecated in prior releases of Vault. We are targeting the
| Mount Filters | [Path Filters](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-paths-filter) |
| AppID | [AppRole auth method](/docs/auth/approle) |
| Standalone DB engines | [Combined DB engines](/docs/secrets/databases) |
### Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1?
Starting with Vault 1.12.0, Vault will be built with Go 1.18.
The Go 1.18 standard library [rejects X.509 certificates](https://tip.golang.org/doc/go1.18#sha1) whose signatures use a SHA-1 hash.
If this issue impacts your usage of Vault, you can temporarily work around it by deploying Vault with the environment variable `GODEBUG=x509sha1=1` set.
This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround.
Here are the use cases that may still use certificates with SHA-1:
- AWS Credential Plugin: [AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) can use SHA-1-based PKCS7 signatures for DSA key pairs.
We will update this list as we do further research.
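Review bot: the `### Q:` heading is placed directly after the last table row (`| Standalone DB engines | ...`) with no blank line, so some markdown renderers will treat the heading as part of the table; insert a blank line before it. The FAQ should also state the scope of the Go 1.18 behaviour so readers can tell which certificates actually need reissuing: crypto/x509 rejects SHA-1 signatures when verifying a certificate against its issuer, and self-signed root certificates are not affected. Two smaller points: "This workaround will fail in a future version of Go, however, the Go team has not said when..." is a comma splice and should be two sentences, and the "use cases" list has a single bullet followed immediately by "We will update this list as we do further research.", which reads as a run-on continuation of the bullet; put a blank line before that sentence.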


@ -28,3 +28,4 @@ This announcement page is maintained and updated periodically to communicate imp
| Feature Removal: AppID (OSS) | v0.6 | N/A | v1.11 | Use the alternative feature: [AppRole auth method](https://www.vaultproject.io/docs/auth/approle) | [AppID Auth Method Deprecation Notice](/docs/auth/app-id) |
| End of Support: AAD Graph on Azure Secrets Engine | v1.10 | 1.11 | v1.12 | Microsoft will end its support of the [AAD Graph API on June 30, 2022](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview). Support for Microsoft Graph API was introduced in Vault 1.9. If your Vault deployment is on a prior release, you may use the Azure Secrets Engine as an external plugin while you plan to upgrade. | [AAD (Azure Active Directory](https://vault-git-post-1-10-doc-changes-hashicorp.vercel.app/docs/secrets/azure#aad-azure-active-directory) |
| Feature Adjustment: Optional `api_token` parameter in Okta Auth Method | v1.4 | 1.11 | v1.12 | The `api_token` parameter on the Okta Auth Method will change from being optional to being required. | [API Documentation](https://www.vaultproject.io/api-docs/auth/okta#api_token) |
| End of Support: X.509 Certificates with SHA-1 Signatures | v1.11 | v1.11 | v1.12 | Use updated third-party provider releases that support more secure hashing algorithms for X.509 certificates.|[FAQ](/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)|
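Review bot: the new row's third column is `v1.11` while the rows above use `1.11` without the `v` prefix, and `certificates.|[FAQ]` is missing the spaces around the pipes that every other row has; make both consistent with the existing rows. Also verify that the FAQ anchor resolves: the link spells the heading slug as `x-509`, but sluggers that drop punctuation produce `x509` for "X.509", and a broken anchor would silently drop the reader at the top of the FAQ page instead of on the new question.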