Add information about an enterprise feature related to validating iss… (

#29300) * Add information about an enterprise feature related to validating issued certificates to the PKI API docs. * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark <[email protected]> * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark <[email protected]> * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark <[email protected]> * Update website/content/api-docs/secret/pki/index.mdx Update RFC name and link, as suggested by Steve. Co-authored-by: Steven Clark <[email protected]> * Update enterprise tag to be on the same line for vercel reasons. --------- Co-authored-by: Steven Clark <[email protected]>
hashicorp · Jan 9, 2025 · 55ca52f · 55ca52f
1 parent 4f14f7b
commit 55ca52f
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/website/content/api-docs/secret/pki/index.mdx b/website/content/api-docs/secret/pki/index.mdx
@@ -2758,6 +2758,29 @@ do so, import a new issuer and a new `issuer_id` will be assigned.
 ~> **Note**: If no cluster-local address is present and templating is used,
    issuance will fail.
 
+- `disable_critical_extension_checks` `(bool: false)` <EnterpriseAlert inline="true"/> - This determines whether this issuer is able
+  to issue certificates where the chain of trust (including the issued
+  certificate) contain critical extensions not processed by vault, breaking the
+  behavior required by [RFC 5280 Section 6.1](https://www.rfc-editor.org/rfc/rfc5280#section-6.1).
+
+- `disable_path_length_checks` `(bool: false)` <EnterpriseAlert inline="true"/> - This determines whether this issuer is able
+  to issue certificates where the chain of trust (including the final issued
+  certificate) is longer than allowed by a certificate authority in that chain,
+  breaking the behavior required by
+ [RFC 5280 Section 4.2.1.9](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9).
+
+- `disable_name_checks` `(bool: false)` <EnterpriseAlert inline="true"/> - This determines whether this issuer is able
+  to issue certificates where the chain of trust (including the final issued
+  certificate) contains a link in which the subject of the issuing certificate
+  does not match the named issuer of the certificate it signed, breaking the
+  behavior required by [RFC 5280 Section 4.1.2.4](https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.4).
+
+- `disable_name_constraint_checks` `(bool: false)` <EnterpriseAlert inline="true"/> - This determines whether this issuer is able
+  to issue certificates where the chain of trust (including the final issued
+  certificate) violates the name constraints critical extension of one of the
+  issuer certificates in the chain, breaking the behavior required by
+  [RFC 5280 Section 4.2.1.10](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10).
+
 #### Sample payload
 
 ```json