Add note about X.509 SHA-1 deprecation to relevant plugins (#15672)
Add note about X.509 SHA-1 deprecation to relevant plugins

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
This commit is contained in:
parent
5bd83196dc
commit
9de0dbaef9
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault AWS auth method.
|
||||||
|
|
||||||
# AWS Auth Method (API)
|
# AWS Auth Method (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault AWS auth method. For
|
This is the API documentation for the Vault AWS auth method. For
|
||||||
general information about the usage and operation of the AWS method, please
|
general information about the usage and operation of the AWS method, please
|
||||||
see the [Vault AWS method documentation](/docs/auth/aws).
|
see the [Vault AWS method documentation](/docs/auth/aws).
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: |-
|
||||||
|
|
||||||
# TLS Certificate Auth Method (API)
|
# TLS Certificate Auth Method (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault TLS Certificate authentication
|
This is the API documentation for the Vault TLS Certificate authentication
|
||||||
method. For general information about the usage and operation of the TLS
|
method. For general information about the usage and operation of the TLS
|
||||||
Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert).
|
Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Cloud Foundry auth meth
|
||||||
|
|
||||||
# Pivotal Cloud Foundry (CF) Auth Method (API)
|
# Pivotal Cloud Foundry (CF) Auth Method (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault CF auth method. For
|
This is the API documentation for the Vault CF auth method. For
|
||||||
general information about the usage and operation of the CF method, please
|
general information about the usage and operation of the CF method, please
|
||||||
see the [Vault CF method documentation](/docs/auth/cf).
|
see the [Vault CF method documentation](/docs/auth/cf).
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: |-
|
||||||
|
|
||||||
# JWT/OIDC Auth Method (API)
|
# JWT/OIDC Auth Method (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault JWT/OIDC auth method
|
This is the API documentation for the Vault JWT/OIDC auth method
|
||||||
plugin. To learn more about the usage and operation, see the
|
plugin. To learn more about the usage and operation, see the
|
||||||
[Vault JWT/OIDC method documentation](/docs/auth/jwt).
|
[Vault JWT/OIDC method documentation](/docs/auth/jwt).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Kerberos auth method pl
|
||||||
|
|
||||||
# Kerberos Auth Method (API)
|
# Kerberos Auth Method (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault Kerberos auth method plugin. To
|
This is the API documentation for the Vault Kerberos auth method plugin. To
|
||||||
learn more about the usage and operation, see the
|
learn more about the usage and operation, see the
|
||||||
[Vault Kerberos auth method](/docs/auth/kerberos).
|
[Vault Kerberos auth method](/docs/auth/kerberos).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Kubernetes auth method
|
||||||
|
|
||||||
# Kubernetes Auth Method (API)
|
# Kubernetes Auth Method (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault Kubernetes auth method plugin. To
|
This is the API documentation for the Vault Kubernetes auth method plugin. To
|
||||||
learn more about the usage and operation, see the
|
learn more about the usage and operation, see the
|
||||||
[Vault Kubernetes auth method](/docs/auth/kubernetes).
|
[Vault Kubernetes auth method](/docs/auth/kubernetes).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault LDAP auth method.
|
||||||
|
|
||||||
# LDAP Auth Method (API)
|
# LDAP Auth Method (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault LDAP auth method. For
|
This is the API documentation for the Vault LDAP auth method. For
|
||||||
general information about the usage and operation of the LDAP method, please
|
general information about the usage and operation of the LDAP method, please
|
||||||
see the [Vault LDAP method documentation](/docs/auth/ldap).
|
see the [Vault LDAP method documentation](/docs/auth/ldap).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Active Directory secret
|
||||||
|
|
||||||
# Active Directory Secrets Engine (API)
|
# Active Directory Secrets Engine (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault AD secrets engine. For general
|
This is the API documentation for the Vault AD secrets engine. For general
|
||||||
information about the usage and operation of the AD secrets engine, please see
|
information about the usage and operation of the AD secrets engine, please see
|
||||||
the [Vault Active Directory documentation](/docs/secrets/ad).
|
the [Vault Active Directory documentation](/docs/secrets/ad).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Cassandra secrets engin
|
||||||
|
|
||||||
# Cassandra Secrets Engine (API)
|
# Cassandra Secrets Engine (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
~> **Deprecation Note:** This backend is deprecated in favor of the
|
~> **Deprecation Note:** This backend is deprecated in favor of the
|
||||||
combined databases backend added in v0.7.1. See the API documentation for
|
combined databases backend added in v0.7.1. See the API documentation for
|
||||||
the new implementation of this backend at
|
the new implementation of this backend at
|
||||||
|
|
|
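Review bot: On this page the new `@include 'x509-sha1-deprecation.mdx'` lands directly above the existing `~> **Deprecation Note:** This backend is deprecated in favor of the combined databases backend added in v0.7.1`, so readers now meet two stacked callouts before the first sentence of the document. The migration to the combined database backend is the more important message, and the replacement Cassandra database plugin page receives its own include later in this change, so consider placing the existing deprecation note first, or omitting the SHA-1 include on this deprecated page and relying on the link to the new implementation.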
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Consul secrets engine.
|
||||||
|
|
||||||
# Consul Secrets Engine (API)
|
# Consul Secrets Engine (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault Consul secrets engine. For general
|
This is the API documentation for the Vault Consul secrets engine. For general
|
||||||
information about the usage and operation of the Consul secrets engine, please
|
information about the usage and operation of the Consul secrets engine, please
|
||||||
see the [Vault Consul documentation](/docs/secrets/consul).
|
see the [Vault Consul documentation](/docs/secrets/consul).
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: >-
|
||||||
|
|
||||||
# Cassandra Database Plugin HTTP API
|
# Cassandra Database Plugin HTTP API
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The Cassandra database plugin is one of the supported plugins for the database
|
The Cassandra database plugin is one of the supported plugins for the database
|
||||||
secrets engine. This plugin generates database credentials dynamically based on
|
secrets engine. This plugin generates database credentials dynamically based on
|
||||||
configured roles for the Cassandra database.
|
configured roles for the Cassandra database.
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: >-
|
||||||
|
|
||||||
# Couchbase Database Plugin HTTP API
|
# Couchbase Database Plugin HTTP API
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The Couchbase database plugin is one of the supported plugins for the database
|
The Couchbase database plugin is one of the supported plugins for the database
|
||||||
secrets engine. This plugin generates database credentials dynamically based on
|
secrets engine. This plugin generates database credentials dynamically based on
|
||||||
configured roles for the Couchbase database.
|
configured roles for the Couchbase database.
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: >-
|
||||||
|
|
||||||
# Elasticsearch Database Plugin HTTP API
|
# Elasticsearch Database Plugin HTTP API
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The Elasticsearch database plugin is one of the supported plugins for the database
|
The Elasticsearch database plugin is one of the supported plugins for the database
|
||||||
secrets engine. This plugin generates credentials dynamically based on
|
secrets engine. This plugin generates credentials dynamically based on
|
||||||
configured roles for Elasticsearch.
|
configured roles for Elasticsearch.
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: >-
|
||||||
|
|
||||||
# Influxdb Database Plugin HTTP API
|
# Influxdb Database Plugin HTTP API
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The Influxdb database plugin is one of the supported plugins for the database
|
The Influxdb database plugin is one of the supported plugins for the database
|
||||||
secrets engine. This plugin generates database credentials dynamically based on
|
secrets engine. This plugin generates database credentials dynamically based on
|
||||||
configured roles for the Influxdb database.
|
configured roles for the Influxdb database.
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: >-
|
||||||
|
|
||||||
# MongoDB Database Plugin HTTP API
|
# MongoDB Database Plugin HTTP API
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The MongoDB database plugin is one of the supported plugins for the database
|
The MongoDB database plugin is one of the supported plugins for the database
|
||||||
secrets engine. This plugin generates database credentials dynamically based on
|
secrets engine. This plugin generates database credentials dynamically based on
|
||||||
configured roles for the MongoDB database.
|
configured roles for the MongoDB database.
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: >-
|
||||||
|
|
||||||
# MySQL/MariaDB Database Plugin HTTP API
|
# MySQL/MariaDB Database Plugin HTTP API
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The MySQL database plugin is one of the supported plugins for the database
|
The MySQL database plugin is one of the supported plugins for the database
|
||||||
secrets engine. This plugin generates database credentials dynamically based on
|
secrets engine. This plugin generates database credentials dynamically based on
|
||||||
configured roles for the MySQL database.
|
configured roles for the MySQL database.
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault KMIP secrets engine.
|
||||||
|
|
||||||
# KMIP Secrets Engine (API)
|
# KMIP Secrets Engine (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault KMIP secrets engine. For general
|
This is the API documentation for the Vault KMIP secrets engine. For general
|
||||||
information about the usage and operation of
|
information about the usage and operation of
|
||||||
the KMIP secrets engine, please see [these docs](/docs/secrets/kmip).
|
the KMIP secrets engine, please see [these docs](/docs/secrets/kmip).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Kubernetes secrets engi
|
||||||
|
|
||||||
# Kubernetes Secrets Engine (API)
|
# Kubernetes Secrets Engine (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault Kubernetes secrets engine. To
|
This is the API documentation for the Vault Kubernetes secrets engine. To
|
||||||
learn more about the usage and operation, see the
|
learn more about the usage and operation, see the
|
||||||
[Kubernetes secrets engine documentation](/docs/secrets/kubernetes).
|
[Kubernetes secrets engine documentation](/docs/secrets/kubernetes).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Nomad secret backend.
|
||||||
|
|
||||||
# Nomad Secret Backend HTTP API
|
# Nomad Secret Backend HTTP API
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault Nomad secret backend. For general
|
This is the API documentation for the Vault Nomad secret backend. For general
|
||||||
information about the usage and operation of the Nomad backend, please see the
|
information about the usage and operation of the Nomad backend, please see the
|
||||||
[Vault Nomad backend documentation](/docs/secrets/nomad).
|
[Vault Nomad backend documentation](/docs/secrets/nomad).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault OpenLDAP secrets engine
|
||||||
|
|
||||||
# OpenLDAP Secrets Engine (API)
|
# OpenLDAP Secrets Engine (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault OpenLDAP secrets engine. For general
|
This is the API documentation for the Vault OpenLDAP secrets engine. For general
|
||||||
information about the usage and operation of the OpenLDAP secrets engine,
|
information about the usage and operation of the OpenLDAP secrets engine,
|
||||||
please see [these docs](/docs/secrets/openldap).
|
please see [these docs](/docs/secrets/openldap).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: This is the API documentation for the Vault PKI secrets engine.
|
||||||
|
|
||||||
# PKI Secrets Engine (API)
|
# PKI Secrets Engine (API)
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
This is the API documentation for the Vault PKI secrets engine. For general
|
This is the API documentation for the Vault PKI secrets engine. For general
|
||||||
information about the usage and operation of the PKI secrets engine, please see
|
information about the usage and operation of the PKI secrets engine, please see
|
||||||
the [PKI documentation](/docs/secrets/pki).
|
the [PKI documentation](/docs/secrets/pki).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: The aws auth method allows automated authentication of AWS entities
|
||||||
|
|
||||||
# AWS Auth Method
|
# AWS Auth Method
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The `aws` auth method provides an automated mechanism to retrieve a Vault token
|
The `aws` auth method provides an automated mechanism to retrieve a Vault token
|
||||||
for IAM principals and AWS EC2 instances. Unlike most Vault auth methods, this
|
for IAM principals and AWS EC2 instances. Unlike most Vault auth methods, this
|
||||||
method does not require manual first-deploying, or provisioning
|
method does not require manual first-deploying, or provisioning
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: >-
|
||||||
|
|
||||||
# TLS Certificates Auth Method
|
# TLS Certificates Auth Method
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The `cert` auth method allows authentication using SSL/TLS client certificates
|
The `cert` auth method allows authentication using SSL/TLS client certificates
|
||||||
which are either signed by a CA or self-signed.
|
which are either signed by a CA or self-signed.
|
||||||
|
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: The cf auth method allows automated authentication of Cloud Foundry
|
||||||
|
|
||||||
# Cloud Foundry (CF) Auth Method
|
# Cloud Foundry (CF) Auth Method
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The `cf` auth method provides an automated mechanism to retrieve a Vault token
|
The `cf` auth method provides an automated mechanism to retrieve a Vault token
|
||||||
for CF instances. It leverages CF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation).
|
for CF instances. It leverages CF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation).
|
||||||
At a high level, this works as follows:
|
At a high level, this works as follows:
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: >-
|
||||||
|
|
||||||
# JWT/OIDC Auth Method
|
# JWT/OIDC Auth Method
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The `jwt` auth method can be used to authenticate with Vault using
|
The `jwt` auth method can be used to authenticate with Vault using
|
||||||
[OIDC](https://en.wikipedia.org/wiki/OpenID_Connect) or by providing a
|
[OIDC](https://en.wikipedia.org/wiki/OpenID_Connect) or by providing a
|
||||||
[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token).
|
[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token).
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: The Kerberos auth method allows automated authentication of Kerbero
|
||||||
|
|
||||||
# Kerberos Auth Method
|
# Kerberos Auth Method
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The `kerberos` auth method provides an automated mechanism to retrieve
|
The `kerberos` auth method provides an automated mechanism to retrieve
|
||||||
a Vault token for Kerberos entities.
|
a Vault token for Kerberos entities.
|
||||||
|
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: |-
|
||||||
|
|
||||||
# Kubernetes Auth Method
|
# Kubernetes Auth Method
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The `kubernetes` auth method can be used to authenticate with Vault using a
|
The `kubernetes` auth method can be used to authenticate with Vault using a
|
||||||
Kubernetes Service Account Token. This method of authentication makes it easy to
|
Kubernetes Service Account Token. This method of authentication makes it easy to
|
||||||
introduce a Vault token into a Kubernetes Pod.
|
introduce a Vault token into a Kubernetes Pod.
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: |-
|
||||||
|
|
||||||
# LDAP Auth Method
|
# LDAP Auth Method
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The `ldap` auth method allows authentication using an existing LDAP
|
The `ldap` auth method allows authentication using an existing LDAP
|
||||||
server and user/password credentials. This allows Vault to be integrated
|
server and user/password credentials. This allows Vault to be integrated
|
||||||
into environments using LDAP without duplicating the user/pass configuration
|
into environments using LDAP without duplicating the user/pass configuration
|
||||||
|
|
|
@ -13,6 +13,7 @@ This page provides frequently asked questions concerning decisions made about Va
|
||||||
- [Q: What is the impact on anyone using the legacy MFA feature?](#q-what-is-the-impact-on-anyone-using-the-legacy-mfa-feature)
|
- [Q: What is the impact on anyone using the legacy MFA feature?](#q-what-is-the-impact-on-anyone-using-the-legacy-mfa-feature)
|
||||||
- [Q: I'm currently using the Etcd storage backend feature. How does the deprecation impact me?](#q-i-m-currently-using-the-etcd-storage-backend-feature-how-does-the-deprecation-impact-me)
|
- [Q: I'm currently using the Etcd storage backend feature. How does the deprecation impact me?](#q-i-m-currently-using-the-etcd-storage-backend-feature-how-does-the-deprecation-impact-me)
|
||||||
- [Q: What should I do if I use Mount Filters, AppID, or any of the standalone DB engines?](#q-what-should-i-do-if-i-use-mount-filters-appid-or-any-of-the-standalone-db-engines)
|
- [Q: What should I do if I use Mount Filters, AppID, or any of the standalone DB engines?](#q-what-should-i-do-if-i-use-mount-filters-appid-or-any-of-the-standalone-db-engines)
|
||||||
|
- [Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1?](#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)
|
||||||
|
|
||||||
### Q: What is the impact on anyone using the legacy MFA feature?
|
### Q: What is the impact on anyone using the legacy MFA feature?
|
||||||
|
|
||||||
|
@ -39,13 +40,48 @@ These features were deprecated in prior releases of Vault. We are targeting the
|
||||||
### Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1?
|
### Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1?
|
||||||
|
|
||||||
Starting with Vault 1.12.0, Vault will be built with Go 1.18.
|
Starting with Vault 1.12.0, Vault will be built with Go 1.18.
|
||||||
The Go 1.18 standard library [rejects X.509 certificates](https://tip.golang.org/doc/go1.18#sha1) whose signatures use a SHA-1 hash.
|
The Go 1.18 standard library X.509 signature validation [rejects signatures](https://go.dev/doc/go1.18#sha1) that use a SHA-1 hash.
|
||||||
|
|
||||||
If this issue impacts your usage of Vault, you can temporarily work around it by deploying Vault with the environment variable `GODEBUG=x509sha1=1` set.
|
If this issue impacts your usage of Vault, you can temporarily work around it by deploying Vault with the environment variable `GODEBUG=x509sha1=1` set.
|
||||||
This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround.
|
This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround.
|
||||||
|
|
||||||
|
If you want to check whether a certificate or CA contains a problematic signature, you can use the OpenSSL CLI:
|
||||||
|
|
||||||
|
```shell-session
|
||||||
|
$ openssl x509 -text -noout -in somecert.pem | grep sha1
|
||||||
|
|
||||||
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
|
Signature Algorithm: sha1WithRSAEncryption
|
||||||
|
```
|
||||||
|
|
||||||
|
Any signature algorithms that contain `sha1` will be potentially problematic.
|
||||||
|
|
||||||
Here are the use cases that may still use certificates with SHA-1:
|
Here are the use cases that may still use certificates with SHA-1:
|
||||||
|
|
||||||
- AWS Credential Plugin: [AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) can use SHA-1-based PKCS7 signatures for DSA key pairs.
|
#### Auth Methods
|
||||||
|
|
||||||
We will update this list as we do further research.
|
- [AWS Auth Method](/docs/auth/aws): [AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) can use SHA-1-based PKCS7 signatures for DSA key pairs.
|
||||||
|
- [Cloud Foundry (CF) Auth Method ](/docs/auth/cf)
|
||||||
|
- [Kerberos Auth Method](/docs/auth/kerberos)
|
||||||
|
- [Kubernetes Auth Method](/docs/auth/kubernetes)
|
||||||
|
- [LDAP Auth Method](/docs/auth/ldap)
|
||||||
|
- [JWT/OIDC Auth Method](/docs/auth/jwt/)
|
||||||
|
- [TLS Certificates Auth Method](/docs/auth/cert)
|
||||||
|
|
||||||
|
#### Database Secrets Engines
|
||||||
|
|
||||||
|
- [Cassandra Database Secrets Engine](/docs/secrets/databases/cassandra)
|
||||||
|
- [Couchbase Database Secrets Engine](/docs/secrets/databases/couchbase)
|
||||||
|
- [Elasticsearch Database Secrets Engine](/docs/secrets/databases/elasticdb)
|
||||||
|
- [InfluxDB Database Secrets Engine](/docs/secrets/databases/influxdb)
|
||||||
|
- [MongoDB Database Secrets Engine](/docs/secrets/databases/mongodb)
|
||||||
|
- [MySQL/MariaDB Database Secrets Engine](/docs/secrets/databases/mysql-maria)
|
||||||
|
|
||||||
|
#### Secrets Engines
|
||||||
|
|
||||||
|
- [Active Directory Secrets Engine](/docs/secrets/ad)
|
||||||
|
- [Consul Secrets Engine](/docs/secrets/consul)
|
||||||
|
- [Kubernetes Secrets Engine](/docs/secrets/kubernetes)
|
||||||
|
- [Nomad Secrets Engine](/docs/secrets/nomad)
|
||||||
|
- [OpenLDAP Secrets Engine](/docs/secrets/openldap)
|
||||||
|
- [PKI Secrets Engine](/docs/secrets/pki/)
|
|
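Review bot: The check `openssl x509 -text -noout -in somecert.pem | grep sha1` is case-sensitive and only matches the RSA spelling; OpenSSL prints the ECDSA and DSA variants as `ecdsa-with-SHA1` and `dsaWithSHA1`, which `grep sha1` silently misses, so the DSA case called out in the AWS entry of the list below would not be caught by the command as written, and the sentence `Any signature algorithms that contain \`sha1\` will be potentially problematic.` promises more than the command tests. Suggest `grep -i sha1` in both the command and the prose. The two `Signature Algorithm: sha1WithRSAEncryption` lines in the sample output are expected (the algorithm identifier appears once inside the TBS certificate and once on the outer signature) and deserve a short sentence so readers do not conclude the certificate is double-signed. It would also help to state whether self-signed root certificates are exempt, since the linked Go 1.18 release notes distinguish that case and a trust anchor flagged by this grep may not actually be rejected. Two style points in the added lists: `[Cloud Foundry (CF) Auth Method ](/docs/auth/cf)` has a trailing space inside the link text, and `/docs/auth/jwt/` and `/docs/secrets/pki/` carry trailing slashes while every other link in the lists does not.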
@ -7,6 +7,8 @@ description: >-
|
||||||
|
|
||||||
# Active Directory Secrets Engine
|
# Active Directory Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The Active Directory (AD) secrets engine is a plugin residing [here](https://github.com/hashicorp/vault-plugin-secrets-active-directory).
|
The Active Directory (AD) secrets engine is a plugin residing [here](https://github.com/hashicorp/vault-plugin-secrets-active-directory).
|
||||||
It has two main features.
|
It has two main features.
|
||||||
|
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: The Consul secrets engine for Vault generates tokens for Consul dyn
|
||||||
|
|
||||||
# Consul Secrets Engine
|
# Consul Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The Consul secrets engine generates [Consul](https://www.consul.io) API tokens
|
The Consul secrets engine generates [Consul](https://www.consul.io) API tokens
|
||||||
dynamically based on Consul ACL policies.
|
dynamically based on Consul ACL policies.
|
||||||
|
|
||||||
|
|
|
@ -9,6 +9,8 @@ description: |-
|
||||||
|
|
||||||
# Cassandra Database Secrets Engine
|
# Cassandra Database Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
Cassandra is one of the supported plugins for the database secrets engine. This
|
Cassandra is one of the supported plugins for the database secrets engine. This
|
||||||
plugin generates database credentials dynamically based on configured roles for
|
plugin generates database credentials dynamically based on configured roles for
|
||||||
the Cassandra database.
|
the Cassandra database.
|
||||||
|
|
|
@ -9,6 +9,8 @@ description: |-
|
||||||
|
|
||||||
# Couchbase Database Secrets Engine
|
# Couchbase Database Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
Couchbase is one of the supported plugins for the database secrets engine. This
|
Couchbase is one of the supported plugins for the database secrets engine. This
|
||||||
plugin generates database credentials dynamically based on configured roles for
|
plugin generates database credentials dynamically based on configured roles for
|
||||||
the Couchbase database.
|
the Couchbase database.
|
||||||
|
|
|
@ -12,6 +12,8 @@ description: >-
|
||||||
|
|
||||||
# Elasticsearch Database Secrets Engine
|
# Elasticsearch Database Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
Elasticsearch is one of the supported plugins for the database secrets engine. This
|
Elasticsearch is one of the supported plugins for the database secrets engine. This
|
||||||
plugin generates database credentials dynamically based on configured roles for
|
plugin generates database credentials dynamically based on configured roles for
|
||||||
Elasticsearch.
|
Elasticsearch.
|
||||||
|
|
|
@ -9,6 +9,8 @@ description: |-
|
||||||
|
|
||||||
# InfluxDB Database Secrets Engine
|
# InfluxDB Database Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
InfluxDB is one of the supported plugins for the database secrets engine. This
|
InfluxDB is one of the supported plugins for the database secrets engine. This
|
||||||
plugin generates database credentials dynamically based on configured roles for
|
plugin generates database credentials dynamically based on configured roles for
|
||||||
the InfluxDB database.
|
the InfluxDB database.
|
||||||
|
|
|
@ -9,6 +9,8 @@ description: |-
|
||||||
|
|
||||||
# MongoDB Database Secrets Engine
|
# MongoDB Database Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
MongoDB is one of the supported plugins for the database secrets engine. This
|
MongoDB is one of the supported plugins for the database secrets engine. This
|
||||||
plugin generates database credentials dynamically based on configured roles for
|
plugin generates database credentials dynamically based on configured roles for
|
||||||
the MongoDB database and also supports
|
the MongoDB database and also supports
|
||||||
|
|
|
@ -9,6 +9,8 @@ description: |-
|
||||||
|
|
||||||
# MySQL/MariaDB Database Secrets Engine
|
# MySQL/MariaDB Database Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
MySQL is one of the supported plugins for the database secrets engine. This
|
MySQL is one of the supported plugins for the database secrets engine. This
|
||||||
plugin generates database credentials dynamically based on configured roles for
|
plugin generates database credentials dynamically based on configured roles for
|
||||||
the MySQL database, and also supports [Static
|
the MySQL database, and also supports [Static
|
||||||
|
|
|
@ -8,6 +8,8 @@ description: >-
|
||||||
|
|
||||||
# Kubernetes Secrets Engine
|
# Kubernetes Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The Kubernetes Secrets Engine for Vault generates Kubernetes service account tokens, and
|
The Kubernetes Secrets Engine for Vault generates Kubernetes service account tokens, and
|
||||||
optionally service accounts, role bindings, and roles. The created service account tokens have
|
optionally service accounts, role bindings, and roles. The created service account tokens have
|
||||||
a configurable TTL and any objects created are automatically deleted when the Vault lease expires.
|
a configurable TTL and any objects created are automatically deleted when the Vault lease expires.
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: The Nomad secret backend for Vault generates tokens for Nomad dynam
|
||||||
|
|
||||||
# Nomad Secret Backend
|
# Nomad Secret Backend
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
Name: `Nomad`
|
Name: `Nomad`
|
||||||
|
|
||||||
Nomad is a simple, flexible scheduler and workload orchestrator. The Nomad
|
Nomad is a simple, flexible scheduler and workload orchestrator. The Nomad
|
||||||
|
|
|
@ -7,6 +7,8 @@ description: >-
|
||||||
|
|
||||||
# OpenLDAP Secrets Engine
|
# OpenLDAP Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The OpenLDAP secret engine allows management of LDAP entry passwords as well as dynamic creation of credentials.
|
The OpenLDAP secret engine allows management of LDAP entry passwords as well as dynamic creation of credentials.
|
||||||
This engine supports interacting with Active Directory which is compatible with LDAP v3.
|
This engine supports interacting with Active Directory which is compatible with LDAP v3.
|
||||||
|
|
||||||
|
|
|
@ -6,6 +6,8 @@ description: The PKI secrets engine for Vault generates TLS certificates.
|
||||||
|
|
||||||
# PKI Secrets Engine
|
# PKI Secrets Engine
|
||||||
|
|
||||||
|
@include 'x509-sha1-deprecation.mdx'
|
||||||
|
|
||||||
The PKI secrets engine generates dynamic X.509 certificates. With this secrets
|
The PKI secrets engine generates dynamic X.509 certificates. With this secrets
|
||||||
engine, services can get certificates without going through the usual manual
|
engine, services can get certificates without going through the usual manual
|
||||||
process of generating a private key and CSR, submitting to a CA, and waiting for
|
process of generating a private key and CSR, submitting to a CA, and waiting for
|
||||||
|
|
5
website/content/partials/x509-sha1-deprecation.mdx
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
~> **Note**: This engine can use external X.509 certificates as part of TLS or signature validation.
|
||||||
|
Verifying signatures against X.509 certificates that use SHA-1 is deprecated and will no longer be
|
||||||
|
usable without a workaround starting in Vault 1.12. See the
|
||||||
|
[deprecation FAQ](/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)
|
||||||
|
for more information.
|
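Review bot: The partial opens with `This engine can use external X.509 certificates`, but the same file is included into the auth method pages in this change (AWS, TLS Certificates, CF, JWT/OIDC, Kerberos, Kubernetes, LDAP), where "engine" is the wrong noun. Suggest a neutral subject such as `This auth method or secrets engine` or `This plugin`. The second sentence, `Verifying signatures against X.509 certificates that use SHA-1 is deprecated`, reads as if the certificate's key or the signature being verified were the issue; aligning it with the FAQ heading (`X.509 certificates with signatures that use SHA-1`) says exactly what the Go 1.18 change rejects, namely certificates whose own signature uses SHA-1. Finally, the partial calls the behaviour "deprecated" while the FAQ describes it as removed in Vault 1.12 with only the `GODEBUG=x509sha1=1` escape hatch; using the same term in both places avoids readers treating the note as a soft warning.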