Add note about X.509 SHA-1 deprecation to relevant plugins (#15672)

Add note about X.509 SHA-1 deprecation to relevant plugins

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
This commit is contained in:
Christopher Swenson 2022-06-01 12:41:11 -07:00 committed by GitHub
parent 5bd83196dc
commit 9de0dbaef9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
42 changed files with 124 additions and 3 deletions

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault AWS auth method.
# AWS Auth Method (API) # AWS Auth Method (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault AWS auth method. For This is the API documentation for the Vault AWS auth method. For
general information about the usage and operation of the AWS method, please general information about the usage and operation of the AWS method, please
see the [Vault AWS method documentation](/docs/auth/aws). see the [Vault AWS method documentation](/docs/auth/aws).

View file

@ -8,6 +8,8 @@ description: |-
# TLS Certificate Auth Method (API) # TLS Certificate Auth Method (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault TLS Certificate authentication This is the API documentation for the Vault TLS Certificate authentication
method. For general information about the usage and operation of the TLS method. For general information about the usage and operation of the TLS
Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert). Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Cloud Foundry auth meth
# Pivotal Cloud Foundry (CF) Auth Method (API) # Pivotal Cloud Foundry (CF) Auth Method (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault CF auth method. For This is the API documentation for the Vault CF auth method. For
general information about the usage and operation of the CF method, please general information about the usage and operation of the CF method, please
see the [Vault CF method documentation](/docs/auth/cf). see the [Vault CF method documentation](/docs/auth/cf).

View file

@ -8,6 +8,8 @@ description: |-
# JWT/OIDC Auth Method (API) # JWT/OIDC Auth Method (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault JWT/OIDC auth method This is the API documentation for the Vault JWT/OIDC auth method
plugin. To learn more about the usage and operation, see the plugin. To learn more about the usage and operation, see the
[Vault JWT/OIDC method documentation](/docs/auth/jwt). [Vault JWT/OIDC method documentation](/docs/auth/jwt).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Kerberos auth method pl
# Kerberos Auth Method (API) # Kerberos Auth Method (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault Kerberos auth method plugin. To This is the API documentation for the Vault Kerberos auth method plugin. To
learn more about the usage and operation, see the learn more about the usage and operation, see the
[Vault Kerberos auth method](/docs/auth/kerberos). [Vault Kerberos auth method](/docs/auth/kerberos).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Kubernetes auth method
# Kubernetes Auth Method (API) # Kubernetes Auth Method (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault Kubernetes auth method plugin. To This is the API documentation for the Vault Kubernetes auth method plugin. To
learn more about the usage and operation, see the learn more about the usage and operation, see the
[Vault Kubernetes auth method](/docs/auth/kubernetes). [Vault Kubernetes auth method](/docs/auth/kubernetes).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault LDAP auth method.
# LDAP Auth Method (API) # LDAP Auth Method (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault LDAP auth method. For This is the API documentation for the Vault LDAP auth method. For
general information about the usage and operation of the LDAP method, please general information about the usage and operation of the LDAP method, please
see the [Vault LDAP method documentation](/docs/auth/ldap). see the [Vault LDAP method documentation](/docs/auth/ldap).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Active Directory secret
# Active Directory Secrets Engine (API) # Active Directory Secrets Engine (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault AD secrets engine. For general This is the API documentation for the Vault AD secrets engine. For general
information about the usage and operation of the AD secrets engine, please see information about the usage and operation of the AD secrets engine, please see
the [Vault Active Directory documentation](/docs/secrets/ad). the [Vault Active Directory documentation](/docs/secrets/ad).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Cassandra secrets engin
# Cassandra Secrets Engine (API) # Cassandra Secrets Engine (API)
@include 'x509-sha1-deprecation.mdx'
~> **Deprecation Note:** This backend is deprecated in favor of the ~> **Deprecation Note:** This backend is deprecated in favor of the
combined databases backend added in v0.7.1. See the API documentation for combined databases backend added in v0.7.1. See the API documentation for
the new implementation of this backend at the new implementation of this backend at

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Consul secrets engine.
# Consul Secrets Engine (API) # Consul Secrets Engine (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault Consul secrets engine. For general This is the API documentation for the Vault Consul secrets engine. For general
information about the usage and operation of the Consul secrets engine, please information about the usage and operation of the Consul secrets engine, please
see the [Vault Consul documentation](/docs/secrets/consul). see the [Vault Consul documentation](/docs/secrets/consul).

View file

@ -8,6 +8,8 @@ description: >-
# Cassandra Database Plugin HTTP API # Cassandra Database Plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
The Cassandra database plugin is one of the supported plugins for the database The Cassandra database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Cassandra database. configured roles for the Cassandra database.

View file

@ -8,6 +8,8 @@ description: >-
# Couchbase Database Plugin HTTP API # Couchbase Database Plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
The Couchbase database plugin is one of the supported plugins for the database The Couchbase database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Couchbase database. configured roles for the Couchbase database.

View file

@ -8,6 +8,8 @@ description: >-
# Elasticsearch Database Plugin HTTP API # Elasticsearch Database Plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
The Elasticsearch database plugin is one of the supported plugins for the database The Elasticsearch database plugin is one of the supported plugins for the database
secrets engine. This plugin generates credentials dynamically based on secrets engine. This plugin generates credentials dynamically based on
configured roles for Elasticsearch. configured roles for Elasticsearch.

View file

@ -8,6 +8,8 @@ description: >-
# Influxdb Database Plugin HTTP API # Influxdb Database Plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
The Influxdb database plugin is one of the supported plugins for the database The Influxdb database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on secrets engine. This plugin generates database credentials dynamically based on
configured roles for the Influxdb database. configured roles for the Influxdb database.

View file

@ -8,6 +8,8 @@ description: >-
# MongoDB Database Plugin HTTP API # MongoDB Database Plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
The MongoDB database plugin is one of the supported plugins for the database The MongoDB database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on secrets engine. This plugin generates database credentials dynamically based on
configured roles for the MongoDB database. configured roles for the MongoDB database.

View file

@ -8,6 +8,8 @@ description: >-
# MySQL/MariaDB Database Plugin HTTP API # MySQL/MariaDB Database Plugin HTTP API
@include 'x509-sha1-deprecation.mdx'
The MySQL database plugin is one of the supported plugins for the database The MySQL database plugin is one of the supported plugins for the database
secrets engine. This plugin generates database credentials dynamically based on secrets engine. This plugin generates database credentials dynamically based on
configured roles for the MySQL database. configured roles for the MySQL database.

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault KMIP secrets engine.
# KMIP Secrets Engine (API) # KMIP Secrets Engine (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault KMIP secrets engine. For general This is the API documentation for the Vault KMIP secrets engine. For general
information about the usage and operation of information about the usage and operation of
the KMIP secrets engine, please see [these docs](/docs/secrets/kmip). the KMIP secrets engine, please see [these docs](/docs/secrets/kmip).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Kubernetes secrets engi
# Kubernetes Secrets Engine (API) # Kubernetes Secrets Engine (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault Kubernetes secrets engine. To This is the API documentation for the Vault Kubernetes secrets engine. To
learn more about the usage and operation, see the learn more about the usage and operation, see the
[Kubernetes secrets engine documentation](/docs/secrets/kubernetes). [Kubernetes secrets engine documentation](/docs/secrets/kubernetes).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault Nomad secret backend.
# Nomad Secret Backend HTTP API # Nomad Secret Backend HTTP API
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault Nomad secret backend. For general This is the API documentation for the Vault Nomad secret backend. For general
information about the usage and operation of the Nomad backend, please see the information about the usage and operation of the Nomad backend, please see the
[Vault Nomad backend documentation](/docs/secrets/nomad). [Vault Nomad backend documentation](/docs/secrets/nomad).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault OpenLDAP secrets engine
# OpenLDAP Secrets Engine (API) # OpenLDAP Secrets Engine (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault OpenLDAP secrets engine. For general This is the API documentation for the Vault OpenLDAP secrets engine. For general
information about the usage and operation of the OpenLDAP secrets engine, information about the usage and operation of the OpenLDAP secrets engine,
please see [these docs](/docs/secrets/openldap). please see [these docs](/docs/secrets/openldap).

View file

@ -6,6 +6,8 @@ description: This is the API documentation for the Vault PKI secrets engine.
# PKI Secrets Engine (API) # PKI Secrets Engine (API)
@include 'x509-sha1-deprecation.mdx'
This is the API documentation for the Vault PKI secrets engine. For general This is the API documentation for the Vault PKI secrets engine. For general
information about the usage and operation of the PKI secrets engine, please see information about the usage and operation of the PKI secrets engine, please see
the [PKI documentation](/docs/secrets/pki). the [PKI documentation](/docs/secrets/pki).

View file

@ -6,6 +6,8 @@ description: The aws auth method allows automated authentication of AWS entities
# AWS Auth Method # AWS Auth Method
@include 'x509-sha1-deprecation.mdx'
The `aws` auth method provides an automated mechanism to retrieve a Vault token The `aws` auth method provides an automated mechanism to retrieve a Vault token
for IAM principals and AWS EC2 instances. Unlike most Vault auth methods, this for IAM principals and AWS EC2 instances. Unlike most Vault auth methods, this
method does not require manual first-deploying, or provisioning method does not require manual first-deploying, or provisioning

View file

@ -8,6 +8,8 @@ description: >-
# TLS Certificates Auth Method # TLS Certificates Auth Method
@include 'x509-sha1-deprecation.mdx'
The `cert` auth method allows authentication using SSL/TLS client certificates The `cert` auth method allows authentication using SSL/TLS client certificates
which are either signed by a CA or self-signed. which are either signed by a CA or self-signed.

View file

@ -6,6 +6,8 @@ description: The cf auth method allows automated authentication of Cloud Foundry
# Cloud Foundry (CF) Auth Method # Cloud Foundry (CF) Auth Method
@include 'x509-sha1-deprecation.mdx'
The `cf` auth method provides an automated mechanism to retrieve a Vault token The `cf` auth method provides an automated mechanism to retrieve a Vault token
for CF instances. It leverages CF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation). for CF instances. It leverages CF's [App and Container Identity Assurance](https://content.pivotal.io/blog/new-in-pcf-2-1-app-container-identity-assurance-via-automatic-cert-rotation).
At a high level, this works as follows: At a high level, this works as follows:

View file

@ -8,6 +8,8 @@ description: >-
# JWT/OIDC Auth Method # JWT/OIDC Auth Method
@include 'x509-sha1-deprecation.mdx'
The `jwt` auth method can be used to authenticate with Vault using The `jwt` auth method can be used to authenticate with Vault using
[OIDC](https://en.wikipedia.org/wiki/OpenID_Connect) or by providing a [OIDC](https://en.wikipedia.org/wiki/OpenID_Connect) or by providing a
[JWT](https://en.wikipedia.org/wiki/JSON_Web_Token). [JWT](https://en.wikipedia.org/wiki/JSON_Web_Token).

View file

@ -6,6 +6,8 @@ description: The Kerberos auth method allows automated authentication of Kerbero
# Kerberos Auth Method # Kerberos Auth Method
@include 'x509-sha1-deprecation.mdx'
The `kerberos` auth method provides an automated mechanism to retrieve The `kerberos` auth method provides an automated mechanism to retrieve
a Vault token for Kerberos entities. a Vault token for Kerberos entities.

View file

@ -8,6 +8,8 @@ description: |-
# Kubernetes Auth Method # Kubernetes Auth Method
@include 'x509-sha1-deprecation.mdx'
The `kubernetes` auth method can be used to authenticate with Vault using a The `kubernetes` auth method can be used to authenticate with Vault using a
Kubernetes Service Account Token. This method of authentication makes it easy to Kubernetes Service Account Token. This method of authentication makes it easy to
introduce a Vault token into a Kubernetes Pod. introduce a Vault token into a Kubernetes Pod.

View file

@ -8,6 +8,8 @@ description: |-
# LDAP Auth Method # LDAP Auth Method
@include 'x509-sha1-deprecation.mdx'
The `ldap` auth method allows authentication using an existing LDAP The `ldap` auth method allows authentication using an existing LDAP
server and user/password credentials. This allows Vault to be integrated server and user/password credentials. This allows Vault to be integrated
into environments using LDAP without duplicating the user/pass configuration into environments using LDAP without duplicating the user/pass configuration

View file

@ -13,6 +13,7 @@ This page provides frequently asked questions concerning decisions made about Va
- [Q: What is the impact on anyone using the legacy MFA feature?](#q-what-is-the-impact-on-anyone-using-the-legacy-mfa-feature) - [Q: What is the impact on anyone using the legacy MFA feature?](#q-what-is-the-impact-on-anyone-using-the-legacy-mfa-feature)
- [Q: I'm currently using the Etcd storage backend feature. How does the deprecation impact me?](#q-i-m-currently-using-the-etcd-storage-backend-feature-how-does-the-deprecation-impact-me) - [Q: I'm currently using the Etcd storage backend feature. How does the deprecation impact me?](#q-i-m-currently-using-the-etcd-storage-backend-feature-how-does-the-deprecation-impact-me)
- [Q: What should I do if I use Mount Filters, AppID, or any of the standalone DB engines?](#q-what-should-i-do-if-i-use-mount-filters-appid-or-any-of-the-standalone-db-engines) - [Q: What should I do if I use Mount Filters, AppID, or any of the standalone DB engines?](#q-what-should-i-do-if-i-use-mount-filters-appid-or-any-of-the-standalone-db-engines)
- [Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1?](#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)
### Q: What is the impact on anyone using the legacy MFA feature? ### Q: What is the impact on anyone using the legacy MFA feature?
@ -39,13 +40,48 @@ These features were deprecated in prior releases of Vault. We are targeting the
### Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1? ### Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1?
Starting with Vault 1.12.0, Vault will be built with Go 1.18. Starting with Vault 1.12.0, Vault will be built with Go 1.18.
The Go 1.18 standard library [rejects X.509 certificates](https://tip.golang.org/doc/go1.18#sha1) whose signatures use a SHA-1 hash. The Go 1.18 standard library X.509 signature validation [rejects signatures](https://go.dev/doc/go1.18#sha1) that use a SHA-1 hash.
If this issue impacts your usage of Vault, you can temporarily work around it by deploying Vault with the environment variable `GODEBUG=x509sha1=1` set. If this issue impacts your usage of Vault, you can temporarily work around it by deploying Vault with the environment variable `GODEBUG=x509sha1=1` set.
This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround. This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround.
If you want to check whether a certificate or CA contains a problematic signature, you can use the OpenSSL CLI:
```shell-session
$ openssl x509 -text -noout -in somecert.pem | grep sha1
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
```
Any signature algorithms that contain `sha1` will be potentially problematic.
Here are the use cases that may still use certificates with SHA-1: Here are the use cases that may still use certificates with SHA-1:
- AWS Credential Plugin: [AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) can use SHA-1-based PKCS7 signatures for DSA key pairs. #### Auth Methods
We will update this list as we do further research. - [AWS Auth Method](/docs/auth/aws): [AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) can use SHA-1-based PKCS7 signatures for DSA key pairs.
- [Cloud Foundry (CF) Auth Method ](/docs/auth/cf)
- [Kerberos Auth Method](/docs/auth/kerberos)
- [Kubernetes Auth Method](/docs/auth/kubernetes)
- [LDAP Auth Method](/docs/auth/ldap)
- [JWT/OIDC Auth Method](/docs/auth/jwt/)
- [TLS Certificates Auth Method](/docs/auth/cert)
#### Database Secrets Engines
- [Cassandra Database Secrets Engine](/docs/secrets/databases/cassandra)
- [Couchbase Database Secrets Engine](/docs/secrets/databases/couchbase)
- [Elasticsearch Database Secrets Engine](/docs/secrets/databases/elasticdb)
- [InfluxDB Database Secrets Engine](/docs/secrets/databases/influxdb)
- [MongoDB Database Secrets Engine](/docs/secrets/databases/mongodb)
- [MySQL/MariaDB Database Secrets Engine](/docs/secrets/databases/mysql-maria)
#### Secrets Engines
- [Active Directory Secrets Engine](/docs/secrets/ad)
- [Consul Secrets Engine](/docs/secrets/consul)
- [Kubernetes Secrets Engine](/docs/secrets/kubernetes)
- [Nomad Secrets Engine](/docs/secrets/nomad)
- [OpenLDAP Secrets Engine](/docs/secrets/openldap)
- [PKI Secrets Engine](/docs/secrets/pki/)

View file

@ -7,6 +7,8 @@ description: >-
# Active Directory Secrets Engine # Active Directory Secrets Engine
@include 'x509-sha1-deprecation.mdx'
The Active Directory (AD) secrets engine is a plugin residing [here](https://github.com/hashicorp/vault-plugin-secrets-active-directory). The Active Directory (AD) secrets engine is a plugin residing [here](https://github.com/hashicorp/vault-plugin-secrets-active-directory).
It has two main features. It has two main features.

View file

@ -6,6 +6,8 @@ description: The Consul secrets engine for Vault generates tokens for Consul dyn
# Consul Secrets Engine # Consul Secrets Engine
@include 'x509-sha1-deprecation.mdx'
The Consul secrets engine generates [Consul](https://www.consul.io) API tokens The Consul secrets engine generates [Consul](https://www.consul.io) API tokens
dynamically based on Consul ACL policies. dynamically based on Consul ACL policies.

View file

@ -9,6 +9,8 @@ description: |-
# Cassandra Database Secrets Engine # Cassandra Database Secrets Engine
@include 'x509-sha1-deprecation.mdx'
Cassandra is one of the supported plugins for the database secrets engine. This Cassandra is one of the supported plugins for the database secrets engine. This
plugin generates database credentials dynamically based on configured roles for plugin generates database credentials dynamically based on configured roles for
the Cassandra database. the Cassandra database.

View file

@ -9,6 +9,8 @@ description: |-
# Couchbase Database Secrets Engine # Couchbase Database Secrets Engine
@include 'x509-sha1-deprecation.mdx'
Couchbase is one of the supported plugins for the database secrets engine. This Couchbase is one of the supported plugins for the database secrets engine. This
plugin generates database credentials dynamically based on configured roles for plugin generates database credentials dynamically based on configured roles for
the Couchbase database. the Couchbase database.

View file

@ -12,6 +12,8 @@ description: >-
# Elasticsearch Database Secrets Engine # Elasticsearch Database Secrets Engine
@include 'x509-sha1-deprecation.mdx'
Elasticsearch is one of the supported plugins for the database secrets engine. This Elasticsearch is one of the supported plugins for the database secrets engine. This
plugin generates database credentials dynamically based on configured roles for plugin generates database credentials dynamically based on configured roles for
Elasticsearch. Elasticsearch.

View file

@ -9,6 +9,8 @@ description: |-
# InfluxDB Database Secrets Engine # InfluxDB Database Secrets Engine
@include 'x509-sha1-deprecation.mdx'
InfluxDB is one of the supported plugins for the database secrets engine. This InfluxDB is one of the supported plugins for the database secrets engine. This
plugin generates database credentials dynamically based on configured roles for plugin generates database credentials dynamically based on configured roles for
the InfluxDB database. the InfluxDB database.

View file

@ -9,6 +9,8 @@ description: |-
# MongoDB Database Secrets Engine # MongoDB Database Secrets Engine
@include 'x509-sha1-deprecation.mdx'
MongoDB is one of the supported plugins for the database secrets engine. This MongoDB is one of the supported plugins for the database secrets engine. This
plugin generates database credentials dynamically based on configured roles for plugin generates database credentials dynamically based on configured roles for
the MongoDB database and also supports the MongoDB database and also supports

View file

@ -9,6 +9,8 @@ description: |-
# MySQL/MariaDB Database Secrets Engine # MySQL/MariaDB Database Secrets Engine
@include 'x509-sha1-deprecation.mdx'
MySQL is one of the supported plugins for the database secrets engine. This MySQL is one of the supported plugins for the database secrets engine. This
plugin generates database credentials dynamically based on configured roles for plugin generates database credentials dynamically based on configured roles for
the MySQL database, and also supports [Static the MySQL database, and also supports [Static

View file

@ -8,6 +8,8 @@ description: >-
# Kubernetes Secrets Engine # Kubernetes Secrets Engine
@include 'x509-sha1-deprecation.mdx'
The Kubernetes Secrets Engine for Vault generates Kubernetes service account tokens, and The Kubernetes Secrets Engine for Vault generates Kubernetes service account tokens, and
optionally service accounts, role bindings, and roles. The created service account tokens have optionally service accounts, role bindings, and roles. The created service account tokens have
a configurable TTL and any objects created are automatically deleted when the Vault lease expires. a configurable TTL and any objects created are automatically deleted when the Vault lease expires.

View file

@ -6,6 +6,8 @@ description: The Nomad secret backend for Vault generates tokens for Nomad dynam
# Nomad Secret Backend # Nomad Secret Backend
@include 'x509-sha1-deprecation.mdx'
Name: `Nomad` Name: `Nomad`
Nomad is a simple, flexible scheduler and workload orchestrator. The Nomad Nomad is a simple, flexible scheduler and workload orchestrator. The Nomad

View file

@ -7,6 +7,8 @@ description: >-
# OpenLDAP Secrets Engine # OpenLDAP Secrets Engine
@include 'x509-sha1-deprecation.mdx'
The OpenLDAP secret engine allows management of LDAP entry passwords as well as dynamic creation of credentials. The OpenLDAP secret engine allows management of LDAP entry passwords as well as dynamic creation of credentials.
This engine supports interacting with Active Directory which is compatible with LDAP v3. This engine supports interacting with Active Directory which is compatible with LDAP v3.

View file

@ -6,6 +6,8 @@ description: The PKI secrets engine for Vault generates TLS certificates.
# PKI Secrets Engine # PKI Secrets Engine
@include 'x509-sha1-deprecation.mdx'
The PKI secrets engine generates dynamic X.509 certificates. With this secrets The PKI secrets engine generates dynamic X.509 certificates. With this secrets
engine, services can get certificates without going through the usual manual engine, services can get certificates without going through the usual manual
process of generating a private key and CSR, submitting to a CA, and waiting for process of generating a private key and CSR, submitting to a CA, and waiting for

View file

@ -0,0 +1,5 @@
~> **Note**: This engine can use external X.509 certificates as part of TLS or signature validation.
Verifying signatures against X.509 certificates that use SHA-1 is deprecated and will no longer be
usable without a workaround starting in Vault 1.12. See the
[deprecation FAQ](/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)
for more information.