a3dfde5cec
* conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
62 lines
2.7 KiB
Markdown
62 lines
2.7 KiB
Markdown
---
|
|
layout: "docs"
|
|
page_title: "Upgrading to Vault 0.5.1 - Guides"
|
|
sidebar_title: "Upgrade to 0.5.1"
|
|
sidebar_current: "docs-upgrading-to-0.5.1"
|
|
description: |-
|
|
This page contains the list of breaking changes for Vault 0.5.1. Please read
|
|
it carefully.
|
|
---
|
|
|
|
# Overview
|
|
|
|
This page contains the list of breaking changes for Vault 0.5.1. Please read it
|
|
carefully.
|
|
|
|
## PKI Backend Disallows RSA Keys < 2048 Bits
|
|
|
|
The PKI backend now refuses to issue a certificate, sign a CSR, or save a role
|
|
that specifies an RSA key of less than 2048 bits. Smaller keys are considered
|
|
unsafe and are disallowed in the Internet PKI. Although this may require
|
|
updating your roles, we do not expect any other breaks from this; since its
|
|
inception the PKI backend has mandated SHA256 hashes for its signatures, and
|
|
software able to handle these certificates should be able to handle
|
|
certificates with >= 2048-bit RSA keys as well.
|
|
|
|
## PKI Backend Does Not Automatically Delete Expired Certificates
|
|
|
|
The PKI backend now does not automatically delete expired certificates,
|
|
including from the CRL. Doing so could lead to a situation where a time
|
|
mismatch between the Vault server and clients could result in a certificate
|
|
that would not be considered expired by a client being removed from the CRL.
|
|
|
|
Vault strives for determinism and putting the operator in control, so expunging
|
|
expired certificates has been moved to a new function at `pki/tidy`. You can
|
|
flexibly determine whether to tidy up from the revocation list, the general
|
|
certificate storage, or both. In addition, you can specify a safety buffer
|
|
(defaulting to 72 hours) to ensure that any time discrepancies between your
|
|
hosts is accounted for.
|
|
|
|
## Cert auth method Performs Client Checking During Renewals
|
|
|
|
The `cert` backend now performs a variant of channel binding at renewal time
|
|
for increased security. In order to not overly burden clients, a notion of
|
|
identity is used, as follows:
|
|
|
|
- At both login and renewal time, the validity of the presented client
|
|
certificate is checked
|
|
- At login time, the key ID of both the client certificate and its issuing
|
|
certificate are stored
|
|
- At renewal time, the key ID of both the client certificate and its issuing
|
|
certificate must match those stored at login time
|
|
|
|
Matching on the key ID rather than the serial number allows tokens to be
|
|
renewed even if the CA or the client certificate used are rotated; so long as
|
|
the same key was used to generate the certificate (via a CSR) and sign the
|
|
certificate, renewal is allowed. As Vault encourages short-lived secrets,
|
|
including client certificates (for instance, those issued by the `pki`
|
|
backend), this is a useful approach compared to strict issuer/serial number
|
|
checking.
|
|
|
|
You can use the new `cert/config` endpoint to disable this behavior.
|