Add note about X.509 SHA-1 deprecation to relevant plugins (#15672)

Add note about X.509 SHA-1 deprecation to relevant plugins

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

website/content/api-docs/auth/aws.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault AWS auth method.
 
 # AWS Auth Method (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault AWS auth method. For
 general information about the usage and operation of the AWS method, please
 see the [Vault AWS method documentation](/docs/auth/aws).

website/content/api-docs/auth/cert.mdx

@@ -8,6 +8,8 @@ description: |-
 
 # TLS Certificate Auth Method (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault TLS Certificate authentication
 method. For general information about the usage and operation of the TLS
 Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert).

website/content/api-docs/auth/cf.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Cloud Foundry auth meth
 
 # Pivotal Cloud Foundry (CF) Auth Method (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault CF auth method. For
 general information about the usage and operation of the CF method, please
 see the [Vault CF method documentation](/docs/auth/cf).

website/content/api-docs/auth/jwt.mdx

@@ -8,6 +8,8 @@ description: |-
 
 # JWT/OIDC Auth Method (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault JWT/OIDC auth method
 plugin. To learn more about the usage and operation, see the
 [Vault JWT/OIDC method documentation](/docs/auth/jwt).

website/content/api-docs/auth/kerberos.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Kerberos auth method pl
 
 # Kerberos Auth Method (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault Kerberos auth method plugin. To
 learn more about the usage and operation, see the
 [Vault Kerberos auth method](/docs/auth/kerberos).

website/content/api-docs/auth/kubernetes.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Kubernetes auth method
 
 # Kubernetes Auth Method (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault Kubernetes auth method plugin. To
 learn more about the usage and operation, see the
 [Vault Kubernetes auth method](/docs/auth/kubernetes).

website/content/api-docs/auth/ldap.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault LDAP auth method.
 
 # LDAP Auth Method (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault LDAP auth method. For
 general information about the usage and operation of the LDAP method, please
 see the [Vault LDAP method documentation](/docs/auth/ldap).

website/content/api-docs/secret/ad.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Active Directory secret
 
 # Active Directory Secrets Engine (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault AD secrets engine. For general
 information about the usage and operation of the AD secrets engine, please see
 the [Vault Active Directory documentation](/docs/secrets/ad).

website/content/api-docs/secret/cassandra.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Cassandra secrets engin
 
 # Cassandra Secrets Engine (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 ~> **Deprecation Note:** This backend is deprecated in favor of the
 combined databases backend added in v0.7.1. See the API documentation for
 the new implementation of this backend at

website/content/api-docs/secret/consul.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Consul secrets engine.
 
 # Consul Secrets Engine (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault Consul secrets engine. For general
 information about the usage and operation of the Consul secrets engine, please
 see the [Vault Consul documentation](/docs/secrets/consul).

website/content/api-docs/secret/databases/cassandra.mdx

@@ -8,6 +8,8 @@ description: >-
 
 # Cassandra Database Plugin HTTP API
 
+@include 'x509-sha1-deprecation.mdx'
+
 The Cassandra database plugin is one of the supported plugins for the database
 secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the Cassandra database.

website/content/api-docs/secret/databases/couchbase.mdx

@@ -8,6 +8,8 @@ description: >-
 
 # Couchbase Database Plugin HTTP API
 
+@include 'x509-sha1-deprecation.mdx'
+
 The Couchbase database plugin is one of the supported plugins for the database
 secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the Couchbase database.

website/content/api-docs/secret/databases/elasticdb.mdx

@@ -8,6 +8,8 @@ description: >-
 
 # Elasticsearch Database Plugin HTTP API
 
+@include 'x509-sha1-deprecation.mdx'
+
 The Elasticsearch database plugin is one of the supported plugins for the database
 secrets engine. This plugin generates credentials dynamically based on
 configured roles for Elasticsearch.

website/content/api-docs/secret/databases/influxdb.mdx

@@ -8,6 +8,8 @@ description: >-
 
 # Influxdb Database Plugin HTTP API
 
+@include 'x509-sha1-deprecation.mdx'
+
 The Influxdb database plugin is one of the supported plugins for the database
 secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the Influxdb database.

website/content/api-docs/secret/databases/mongodb.mdx

@@ -8,6 +8,8 @@ description: >-
 
 # MongoDB Database Plugin HTTP API
 
+@include 'x509-sha1-deprecation.mdx'
+
 The MongoDB database plugin is one of the supported plugins for the database
 secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the MongoDB database.

website/content/api-docs/secret/databases/mysql-maria.mdx

@@ -8,6 +8,8 @@ description: >-
 
 # MySQL/MariaDB Database Plugin HTTP API
 
+@include 'x509-sha1-deprecation.mdx'
+
 The MySQL database plugin is one of the supported plugins for the database
 secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the MySQL database.

website/content/api-docs/secret/kmip.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault KMIP secrets engine.
 
 # KMIP Secrets Engine (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault KMIP secrets engine. For general
 information about the usage and operation of
 the KMIP secrets engine, please see [these docs](/docs/secrets/kmip).

website/content/api-docs/secret/kubernetes.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Kubernetes secrets engi
 
 # Kubernetes Secrets Engine (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault Kubernetes secrets engine. To
 learn more about the usage and operation, see the
 [Kubernetes secrets engine documentation](/docs/secrets/kubernetes).

website/content/api-docs/secret/nomad.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Nomad secret backend.
 
 # Nomad Secret Backend HTTP API
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault Nomad secret backend. For general
 information about the usage and operation of the Nomad backend, please see the
 [Vault Nomad backend documentation](/docs/secrets/nomad).

website/content/api-docs/secret/openldap.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault OpenLDAP secrets engine
 
 # OpenLDAP Secrets Engine (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault OpenLDAP secrets engine. For general
 information about the usage and operation of the OpenLDAP secrets engine,
 please see [these docs](/docs/secrets/openldap).

website/content/api-docs/secret/pki.mdx

@@ -6,6 +6,8 @@ description: This is the API documentation for the Vault PKI secrets engine.
 
 # PKI Secrets Engine (API)
 
+@include 'x509-sha1-deprecation.mdx'
+
 This is the API documentation for the Vault PKI secrets engine. For general
 information about the usage and operation of the PKI secrets engine, please see
 the [PKI documentation](/docs/secrets/pki).

website/content/docs/auth/aws.mdx

@@ -6,6 +6,8 @@ description: The aws auth method allows automated authentication of AWS entities
 
 # AWS Auth Method
 
+@include 'x509-sha1-deprecation.mdx'
+
 The `aws` auth method provides an automated mechanism to retrieve a Vault token
 for IAM principals and AWS EC2 instances. Unlike most Vault auth methods, this
 method does not require manual first-deploying, or provisioning

website/content/docs/auth/cert.mdx

@@ -8,6 +8,8 @@ description: >-
 
 # TLS Certificates Auth Method
 
+@include 'x509-sha1-deprecation.mdx'
+
 The `cert` auth method allows authentication using SSL/TLS client certificates
 which are either signed by a CA or self-signed.
 

website/content/docs/auth/cf.mdx

@@ -6,6 +6,8 @@ description: The cf auth method allows automated authentication of Cloud Foundry
 
 # Cloud Foundry (CF) Auth Method
 
+@include 'x509-sha1-deprecation.mdx'
+
 The `cf` auth method provides an automated mechanism to retrieve a Vault token
 for CF instances. It leverages CF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation).
 At a high level, this works as follows:

website/content/docs/auth/jwt/index.mdx

@@ -8,6 +8,8 @@ description: >-
 
 # JWT/OIDC Auth Method
 
+@include 'x509-sha1-deprecation.mdx'
+
 The `jwt` auth method can be used to authenticate with Vault using
 [OIDC](https://en.wikipedia.org/wiki/OpenID_Connect) or by providing a
 [JWT](https://en.wikipedia.org/wiki/JSON_Web_Token).

website/content/docs/auth/kerberos.mdx

@@ -6,6 +6,8 @@ description: The Kerberos auth method allows automated authentication of Kerbero
 
 # Kerberos Auth Method
 
+@include 'x509-sha1-deprecation.mdx'
+
 The `kerberos` auth method provides an automated mechanism to retrieve
 a Vault token for Kerberos entities.
 

website/content/docs/auth/kubernetes.mdx

@@ -8,6 +8,8 @@ description: |-
 
 # Kubernetes Auth Method
 
+@include 'x509-sha1-deprecation.mdx'
+
 The `kubernetes` auth method can be used to authenticate with Vault using a
 Kubernetes Service Account Token. This method of authentication makes it easy to
 introduce a Vault token into a Kubernetes Pod.

website/content/docs/auth/ldap.mdx

@@ -8,6 +8,8 @@ description: |-
 
 # LDAP Auth Method
 
+@include 'x509-sha1-deprecation.mdx'
+
 The `ldap` auth method allows authentication using an existing LDAP
 server and user/password credentials. This allows Vault to be integrated
 into environments using LDAP without duplicating the user/pass configuration

website/content/docs/deprecation/faq.mdx

@@ -13,6 +13,7 @@ This page provides frequently asked questions concerning decisions made about Va
 - [Q: What is the impact on anyone using the legacy MFA feature?](#q-what-is-the-impact-on-anyone-using-the-legacy-mfa-feature)
 - [Q: I'm currently using the Etcd storage backend feature. How does the deprecation impact me?](#q-i-m-currently-using-the-etcd-storage-backend-feature-how-does-the-deprecation-impact-me)
 - [Q: What should I do if I use Mount Filters, AppID, or any of the standalone DB engines?](#q-what-should-i-do-if-i-use-mount-filters-appid-or-any-of-the-standalone-db-engines)
+- [Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1?](#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)
 
 ### Q: What is the impact on anyone using the legacy MFA feature?
 
@@ -39,13 +40,48 @@ These features were deprecated in prior releases of Vault. We are targeting the
 ### Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1?
 
 Starting with Vault 1.12.0, Vault will be built with Go 1.18.
-The Go 1.18 standard library [rejects X.509 certificates](https://tip.golang.org/doc/go1.18#sha1) whose signatures use a SHA-1 hash.
+The Go 1.18 standard library X.509 signature validation [rejects signatures](https://go.dev/doc/go1.18#sha1) that use a SHA-1 hash.
 
 If this issue impacts your usage of Vault, you can temporarily work around it by deploying Vault with the environment variable `GODEBUG=x509sha1=1` set.
 This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround.
 
+If you want to check whether a certificate or CA contains a problematic signature, you can use the OpenSSL CLI:
+
+```shell-session
+$ openssl x509 -text -noout -in somecert.pem | grep sha1
+
+    Signature Algorithm: sha1WithRSAEncryption
+    Signature Algorithm: sha1WithRSAEncryption
+```
+
+Any signature algorithms that contain `sha1` will be potentially problematic.
+
 Here are the use cases that may still use certificates with SHA-1:
 
-- AWS Credential Plugin: [AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) can use SHA-1-based PKCS7 signatures for DSA key pairs.
+#### Auth Methods
 
-We will update this list as we do further research.
+- [AWS Auth Method](/docs/auth/aws): [AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) can use SHA-1-based PKCS7 signatures for DSA key pairs.
+- [Cloud Foundry (CF) Auth Method ](/docs/auth/cf)
+- [Kerberos Auth Method](/docs/auth/kerberos)
+- [Kubernetes Auth Method](/docs/auth/kubernetes)
+- [LDAP Auth Method](/docs/auth/ldap)
+- [JWT/OIDC Auth Method](/docs/auth/jwt/)
+- [TLS Certificates Auth Method](/docs/auth/cert)
+
+#### Database Secrets Engines
+
+- [Cassandra Database Secrets Engine](/docs/secrets/databases/cassandra)
+- [Couchbase Database Secrets Engine](/docs/secrets/databases/couchbase)
+- [Elasticsearch Database Secrets Engine](/docs/secrets/databases/elasticdb)
+- [InfluxDB Database Secrets Engine](/docs/secrets/databases/influxdb)
+- [MongoDB Database Secrets Engine](/docs/secrets/databases/mongodb)
+- [MySQL/MariaDB Database Secrets Engine](/docs/secrets/databases/mysql-maria)
+
+#### Secrets Engines
+
+- [Active Directory Secrets Engine](/docs/secrets/ad)
+- [Consul Secrets Engine](/docs/secrets/consul)
+- [Kubernetes Secrets Engine](/docs/secrets/kubernetes)
+- [Nomad Secrets Engine](/docs/secrets/nomad)
+- [OpenLDAP Secrets Engine](/docs/secrets/openldap)
+- [PKI Secrets Engine](/docs/secrets/pki/)

website/content/docs/secrets/ad.mdx

@@ -7,6 +7,8 @@ description: >-
 
 # Active Directory Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 The Active Directory (AD) secrets engine is a plugin residing [here](https://github.com/hashicorp/vault-plugin-secrets-active-directory).
 It has two main features.
 

website/content/docs/secrets/consul.mdx

@@ -6,6 +6,8 @@ description: The Consul secrets engine for Vault generates tokens for Consul dyn
 
 # Consul Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 The Consul secrets engine generates [Consul](https://www.consul.io) API tokens
 dynamically based on Consul ACL policies.
 

website/content/docs/secrets/databases/cassandra.mdx

@@ -9,6 +9,8 @@ description: |-
 
 # Cassandra Database Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 Cassandra is one of the supported plugins for the database secrets engine. This
 plugin generates database credentials dynamically based on configured roles for
 the Cassandra database.

website/content/docs/secrets/databases/couchbase.mdx

@@ -9,6 +9,8 @@ description: |-
 
 # Couchbase Database Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 Couchbase is one of the supported plugins for the database secrets engine. This
 plugin generates database credentials dynamically based on configured roles for
 the Couchbase database.

website/content/docs/secrets/databases/elasticdb.mdx

@@ -12,6 +12,8 @@ description: >-
 
 # Elasticsearch Database Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 Elasticsearch is one of the supported plugins for the database secrets engine. This
 plugin generates database credentials dynamically based on configured roles for
 Elasticsearch.

website/content/docs/secrets/databases/influxdb.mdx

@@ -9,6 +9,8 @@ description: |-
 
 # InfluxDB Database Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 InfluxDB is one of the supported plugins for the database secrets engine. This
 plugin generates database credentials dynamically based on configured roles for
 the InfluxDB database.

website/content/docs/secrets/databases/mongodb.mdx

@@ -9,6 +9,8 @@ description: |-
 
 # MongoDB Database Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 MongoDB is one of the supported plugins for the database secrets engine. This
 plugin generates database credentials dynamically based on configured roles for
 the MongoDB database and also supports

website/content/docs/secrets/databases/mysql-maria.mdx

@@ -9,6 +9,8 @@ description: |-
 
 # MySQL/MariaDB Database Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 MySQL is one of the supported plugins for the database secrets engine. This
 plugin generates database credentials dynamically based on configured roles for
 the MySQL database, and also supports [Static

website/content/docs/secrets/kubernetes.mdx

@@ -8,6 +8,8 @@ description: >-
 
 # Kubernetes Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 The Kubernetes Secrets Engine for Vault generates Kubernetes service account tokens, and
 optionally service accounts, role bindings, and roles. The created service account tokens have
 a configurable TTL and any objects created are automatically deleted when the Vault lease expires.

website/content/docs/secrets/nomad.mdx

@@ -6,6 +6,8 @@ description: The Nomad secret backend for Vault generates tokens for Nomad dynam
 
 # Nomad Secret Backend
 
+@include 'x509-sha1-deprecation.mdx'
+
 Name: `Nomad`
 
 Nomad is a simple, flexible scheduler and workload orchestrator. The Nomad

website/content/docs/secrets/openldap.mdx

@@ -7,6 +7,8 @@ description: >-
 
 # OpenLDAP Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 The OpenLDAP secret engine allows management of LDAP entry passwords as well as dynamic creation of credentials.
 This engine supports interacting with Active Directory which is compatible with LDAP v3.
 

website/content/docs/secrets/pki/index.mdx

@@ -6,6 +6,8 @@ description: The PKI secrets engine for Vault generates TLS certificates.
 
 # PKI Secrets Engine
 
+@include 'x509-sha1-deprecation.mdx'
+
 The PKI secrets engine generates dynamic X.509 certificates. With this secrets
 engine, services can get certificates without going through the usual manual
 process of generating a private key and CSR, submitting to a CA, and waiting for

website/content/partials/x509-sha1-deprecation.mdx

@@ -0,0 +1,5 @@
+~> **Note**: This engine can use external X.509 certificates as part of TLS or signature validation.
+   Verifying signatures against X.509 certificates that use SHA-1 is deprecated and will no longer be
+   usable without a workaround starting in Vault 1.12. See the
+   [deprecation FAQ](/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)
+   for more information.