diff --git a/website/content/api-docs/auth/scep.mdx b/website/content/api-docs/auth/scep.mdx new file mode 100644 index 000000000000..0111fb545eb7 --- /dev/null +++ b/website/content/api-docs/auth/scep.mdx @@ -0,0 +1,206 @@ +--- +layout: api +page_title: SCEP - Auth Methods - HTTP API +description: |- + This is the API documentation for the Vault SCEP authentication + method. +--- + +# SCEP auth method (API) + +Use the SCEP authentication plugin API to interact with a mounted plugin +instance. For general information about the usage and operation of the +SCEP method, refer to the [Vault SCEP method documentation](/vault/docs/auth/scep). + + +## Create SCEP role + +Creates or updates a named SCEP role. + +| Method | Path | +|:-------|:------------------------| +| `POST` | `/auth/{mount_path}/role/:name` | + +### Parameters + +- `name` `(string: )` - The name of the SCEP role. +- `display_name` `(string: "")` - The `display_name` value for tokens + issued when authenticating against the role. Defaults to `name`. +- `auth_type` `(enum: )` - Required authentication type for the SCEP + role. Must be one of: `static-challenge`, `intune`. +- `challenge` `(string: "")` - The authentication challenge to use when + `auth_type` is `static-challenge`. + +@include 'tokenfields.mdx' + +### Sample payload + +```json +{ + "auth_type": "static-challenge", + "challenge": "super-secret-challenge", + "display_name": "test", + "token_policies": ["access-scep"], + "token_type": "batch" +} +``` + +### Sample request + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + --request POST \ + --data @payload.json + http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1 +``` + +### Sample response + +```json +{ + "request_id": "c22d68ec-ac3d-ea24-d5d0-efe07dcc0ef6", + "lease_id": "", + "renewable": false, + "lease_duration": 0, + "data": { + "auth_type": "static-challenge", + "display_name": "test", + "name": "static-challenge-1", + "token_bound_cidrs": [], + "token_explicit_max_ttl": 0, + "token_max_ttl": 0, + "token_no_default_policy": false, + "token_num_uses": 0, + "token_period": 0, + "token_policies": [ + "access-scep" + ], + "token_ttl": 0, + "token_type": "batch" + }, + "wrap_info": null, + "warnings": null, + "auth": null, + "mount_type": "scep" +} +``` + +## Read SCEP role + +Get information associated with the named role. + +| Method | Path | +|:-------|:------------------------| +| `GET` | `/auth/{mount_path}/role/:name` | + +### Parameters + +- `name` `(string: )` - The name of the SCEP role. + +### Sample request + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1 +``` + +### Sample response + +```json +{ + "request_id": "07c9bfcc-ee30-6ba9-fce8-07bae5033989", + "lease_id": "", + "renewable": false, + "lease_duration": 0, + "data": { + "auth_type": "static-challenge", + "display_name": "static-challenge-1", + "name": "static-challenge-1", + "token_bound_cidrs": [], + "token_explicit_max_ttl": 0, + "token_max_ttl": 0, + "token_no_default_policy": false, + "token_num_uses": 0, + "token_period": 0, + "token_policies": [ + "access-scep" + ], + "token_ttl": 0, + "token_type": "batch" + }, + "wrap_info": null, + "warnings": null, + "auth": null, + "mount_type": "scep" +} +``` + +## List SCEP roles + +List all currently configured SCEP role names. + +| Method | Path | +| :----- | :----------------- | +| `LIST` | `/auth/{mount_path}/role` | + +### Sample request + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + --request LIST \ + http://127.0.0.1:8200/v1/auth/scep/role +``` + +### Sample response + +```json +{ + "auth": null, + "warnings": null, + "wrap_info": null, + "data": { + "keys": ["static-challenge-1", "intune-1"] + }, + "lease_duration": 0, + "renewable": false, + "lease_id": "" +} +``` + +## Delete SCEP role + +Delete the named role. + +| Method | Path | +|:---------|:------------------------| +| `DELETE` | `/auth/{mount_path}/role/:name` | + +### Parameters + +- `name` `(string: )` - The name of the SCEP role. + +### Sample request + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + --request DELETE \ + http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1 +``` + +## Login + +SCEP authentication endpoint for delegated authentication from a PKI mount. + +| Method | Path | +|:-------|:-------------------| +| `POST` | `/auth/{mount_path}/login` | + +### Parameters + +- `name` `(string: "")` - The SCEP role associated with the PKI mount. Leaving + `name` unset tells Vault to try all SCEP roles and return the first one that + matches. diff --git a/website/content/api-docs/secret/pki/index.mdx b/website/content/api-docs/secret/pki/index.mdx index 6533f530e024..15f5399a5fff 100644 --- a/website/content/api-docs/secret/pki/index.mdx +++ b/website/content/api-docs/secret/pki/index.mdx @@ -90,6 +90,7 @@ update your API calls accordingly. - [ACME - Automatic Certificate Management Environment](/vault/api-docs/secret/pki/issuance#acme-certificate-issuance) - [EST - Enrollment over Secure Transport ](/vault/api-docs/secret/pki/issuance#est-certificate-issuance) - [CMPv2 - Certificate Management Protocol (v2) ](/vault/api-docs/secret/pki/issuance#cmpv2-certificate-issuance) + - [SCEP - Simple Certificate Enrollment Protocol ](/vault/api-docs/secret/pki/issuance#scep-certificate-issuance) - [Cluster Scalability](#cluster-scalability) - [Managed Key](#managed-keys) (Enterprise Only) - [Vault CLI with DER/PEM responses](#vault-cli-with-der-pem-responses) diff --git a/website/content/api-docs/secret/pki/issuance.mdx b/website/content/api-docs/secret/pki/issuance.mdx index 35fa7ff72046..fc0c6fd200f1 100644 --- a/website/content/api-docs/secret/pki/issuance.mdx +++ b/website/content/api-docs/secret/pki/issuance.mdx @@ -24,6 +24,10 @@ description: This is the API documentation for the issuance protocol support in - [CMPv2 Protocol Paths ](#cmpv2-protocol-paths) - [Read CMPv2 Configuration ](#read-cmpv2-configuration) - [Set CMPv2 Configuration ](#set-cmpv2-configuration) +- [SCEP - Simple Certificate Enrollment Protocol ](#scep-certificate-issuance) + - [SCEP Protocol Paths ](#scep-protocol-paths) + - [Read SCEP Configuration ](#read-scep-configuration) + - [Set SCEP Configuration ](#set-scep-configuration) ## ACME certificate issuance @@ -192,7 +196,7 @@ This endpoint returns a list of all unused ACME binding tokens; once used, they will be removed from this list. | Method | Path | -| :----- | :--------- | +|:-------|:-----------| | `LIST` | `/pki/eab` | #### Sample request @@ -228,7 +232,7 @@ $ curl \ This endpoint allows the deletion of an unused ACME binding token. | Method | Path | -| :------- | :----------------- | +|:---------|:-------------------| | `DELETE` | `/pki/eab/:key_id` | #### Parameters @@ -251,7 +255,7 @@ This endpoint allows reading of the current ACME server configuration used by this mount. | Method | Path | -| :----- | :----------------- | +|:-------|:-------------------| | `GET` | `/pki/config/acme` | #### Sample request @@ -288,7 +292,7 @@ This endpoint allows setting the ACME server configuration used by this mount. | Method | Path | -| :----- | :----------------- | +|:-------|:-------------------| | `POST` | `/pki/config/acme` | #### Parameters @@ -533,8 +537,8 @@ point of view. Note that the `cacerts` endpoint is unauthenticated. This endpoint fetches the current EST configuration. -| Method | Path | -| :----- |:-----------------| +| Method | Path | +|:-------|:------------------| | `GET` | `/pki/config/est` | #### Sample request @@ -687,7 +691,7 @@ point of view. This endpoint fetches the current CMPv2 configuration. | Method | Path | -| :----- |:------------------| +|:-------|:------------------| | `GET` | `/pki/config/cmp` | #### Sample request @@ -710,7 +714,7 @@ $ curl \ "cert": { "accessor": "auth_cert_7fe0c1cc", "cert_role": "cmp-ca" - }, + } }, "enable_sentinel_parsing": true, "enabled": true, @@ -795,7 +799,8 @@ $ curl \ "cert": { "accessor": "auth_cert_0f1df449", "cert_role": "cert1" - }, + } + }, "default_path_policy": "sign-verbatim", "disabled_validations": ["DisableMatchingKeyIdValidation"], "enabled": true, @@ -804,3 +809,202 @@ $ curl \ } } ``` + +## SCEP certificate issuance + +Vault Enterprise supports +[SCEP (Simple Certificate Enrollment Protocol)](https://datatracker.ietf.org/doc/html/rfc8894) +when issuing leaf certificates. + +For a comprehensive overview of SCEP and how to configure it, +refer to the [SCEP documentation](/vault/docs/secrets/pki/scep). + +### SCEP protocol paths + +Vault authentication supports the following SCEP protocol paths: + +| Path | Default Path Policy | Issuer | Role | +|:------------------------|:--------------------|:----------------------|:--------------| +| `/pki/scep` | `sign-verbatim` | `default` | Sign-Verbatim | +| `/pki/scep` | `role:role_ref` | Specified by the role | `:role_ref` | +| `/pki/roles/:role/scep` | (any) | Specified by the role | `:role` | + +### Read SCEP configuration + +Fetch the current SCEP configured for PKI. + +| Method | Path | +|:-------|:-------------------| +| `GET` | `/pki/config/scep` | + +#### Sample request + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + http://127.0.0.1:8200/v1/pki/config/scep +``` + +#### Sample response + +```json +{ + "data": { + "allowed_digest_algorithms": [ + "sha-256", + "sha-384", + "sha-512" + ], + "allowed_encryption_algorithms": [ + "aes128-cbc", + "aes128-gcm", + "aes256-cbc", + "aes256-gcm" + ], + "authenticators": { + "cert": { + "accessor": "auth_cert_598b1030", + "cert_role": "scep-ca" + }, + "scep": { + "accessor": "auth_scep_797d8401", + "scep_role": "" + } + }, + "default_path_policy": "sign-verbatim", + "enabled": true, + "external_validation": {}, + "last_updated": "2025-05-26T09:59:24-04:00", + "restrict_ca_chain_to_issuer": true + } +} +``` + +### Set SCEP configuration + +Update SCEP related configuration for your PKI plugin. On success, Vault updates +the `last_updated` field and returns the new configuration values. +For a comprehensive overview of SCEP and how to configure it, +refer to the [SCEP documentation](/vault/docs/secrets/pki/scep). + +| Method | Path | +|:-------|:-------------------| +| `POST` | `/pki/config/scep` | + +#### Parameters + +- `enabled` `(bool: false)` - Specifies whether SCEP is enabled or not. + +- `default_path_policy` `(string: "")` - Specifies the behavior for + non-role-qualified SCEP requests. Must be a role given by `role:` + or `sign-verbatim`. + +- `authenticators` `(map[string]map[string]string: "")` - Specifies the mount + accessors to which SCEP should delegate authentication requests. Map keys can + be any of the following: + + - `scep` - Associated value is a map containing configuration details for + SCEP authentication. Associated subkeys: + - `accessor` (required) - mount path for the authentication plugin. + - `scep_role` (optional) - the + [`name`](/vault/api-docs/auth/scep#name) parameter passed during SCEP + authentication attempts. + + - `cert` - Associated value is a map containing configuration details for + certificate based authentication. Associated subkeys: + - `accessor` (required) - mount path for the authentication plugin. + - `cert_role` (optional) - the + [`name`](/vault/api-docs/auth/cert#name-6) parameter passed during + certificate authentication attempts. + +- `allowed_encryption_algorithms` `([]string)` - the list of allowed encryption + algorithms for SCEP requests. Can be any of: + - `des-cbc` - DES encryption in CBC mode + - `3des-cbc` - 3DES encryption in CBC mode + - `aes128-cbc` - AES-128 encryption in CBC mode + - `aes256-cbc` - AES-256 encryption in CBC mode + - `aes128-gcm` - AES-128 encryption in GCM mode + - `aes256-gcm` - AES-256 encryption in GCM mode + +- `allowed_digest_algorithms` `([]string)` - the list of allowed digest algorithms for SCEP requests. May be any of: `sha-1`, `sha-256`, `sha-384`, `sha-512` + +- `restrict_ca_chain_to_issuer` `(bool: false)` - whether to return the full CA + chain within GetCACert responses. Set `restrict_ca_chain_to_issuer` to `true` + to make your PKI configuration compatible with Microsoft Intune. + +- `external_validation` `(map[string]map[string]string: "")` - a map specifying + configuration for 3rd party validation of SCEP requests. Map keys can + be any of the following: + - `intune` - Associated value is a map containing configuration details to + validate authentication requests with Microsoft Intune. Associated + subkeys: + + - `tenant_id` `(string: )` - Tenant ID for the Azure Active + Directory organization. Overrides the `AZURE_TENANT_ID` environment + variable. + - `client_id` `(string: )` - Client ID for credentials + used to invoke Azure APIs. Overrides the `AZURE_CLIENT_ID` environment + variable. + - `client_secret` `(string: )` - Client secret for + credentials to invoke Azure APIs.. Overrides the `AZURE_CLIENT_SECRET` + environment variable. + - `environment` `(string: "AzurePublicCloud")` - Azure Cloud environment + API endpoints to use for validation. Overrides the `AZURE_ENVIRONMENT` + environment variable. + + All `intune` parameter values can use + [indirect value reference](/vault/docs/configuration/seal#indirect-value-references). + +#### Sample Payload + +```json +{ + "enabled": true, + "default_path_policy": "role:scep-clients", + "authenticators": { + "scep": { + "accessor": "auth_scep_797d8401" + }, + "cert": { + "accessor": "auth_cert_598b1030", + "cert_role": "scep-ca" + } + } +} +``` + + +#### Sample response + +```json +{ + "data": { + "allowed_digest_algorithms": [ + "sha-256", + "sha-384", + "sha-512" + ], + "allowed_encryption_algorithms": [ + "aes128-cbc", + "aes128-gcm", + "aes256-cbc", + "aes256-gcm" + ], + "authenticators": { + "cert": { + "accessor": "auth_cert_598b1030", + "cert_role": "scep-ca" + }, + "scep": { + "accessor": "auth_scep_797d8401", + "scep_role": "" + } + }, + "default_path_policy": "role:scep-clients", + "enabled": true, + "external_validation": {}, + "last_updated": "2025-05-26T09:59:24-04:00", + "restrict_ca_chain_to_issuer": false + } +} +``` diff --git a/website/content/docs/auth/scep.mdx b/website/content/docs/auth/scep.mdx new file mode 100644 index 000000000000..9d51dc7d2eb4 --- /dev/null +++ b/website/content/docs/auth/scep.mdx @@ -0,0 +1,48 @@ +--- +layout: docs +page_title: SCEP - Auth Methods +description: The SCEP auth method is used to authenticate clients using the PKI SCEP integration, it isn't useful by itself. +--- + +# SCEP auth method + + +@include 'alerts/enterprise-only.mdx' + +The SCEP authentication method controls static challenges and Intune +authentication methods for clients using the SCEP protocol within given PKI +mounts. + +## Authentication + +Do not use the SCEP plugin directly. SCEP mount paths only support +[delegated authentication](/vault/api-docs/system/mounts#delegated_auth_accessors) +from a PKI mount. + +Multiple PKI mounts can use the same SCEP authN mount. If you configure a PKI +mount without an associated SCEP role, Vault returns the first matching SCEP +role that meets the other request criteria. + +PKI mounts configured for Intune only match SCEP auth roles with `intune` set as +the authentication type. All other PKI mounts can match to SCEP auth roles with +`static-challenge` set as the authentication type. + +## Configuration + +Configure the SCEP authentication method through roles. Within each SCEP role, +specify the authentiation type with `auth_type` to indicate whether your SCEP +mount uses static challenge authentication or Intune authentication. + +`auth_type` | Authentication +------------------ | -------------- +`static-challenge` | Method specified in `challenge` parameter +`intune` | Intune authentication + +When the authentication methods repeast across multiple roles, You must +configure your PKI mounts with the prefered SCEP role name to match with the +appropriate role. If you leave the role name unset, the SCEP mount returns the +first matching role, which might not have the correct policy attached to it. + +## API + +The SCEP auth method has a full HTTP API. Refer to the [SCEP auth API documentation](/vault/api-docs/auth/scep) for more details. diff --git a/website/content/docs/secrets/pki/index.mdx b/website/content/docs/secrets/pki/index.mdx index 251976fe9978..c015833d0a72 100644 --- a/website/content/docs/secrets/pki/index.mdx +++ b/website/content/docs/secrets/pki/index.mdx @@ -56,12 +56,15 @@ The PKI Secrets Engine documentation is split into the following pieces: protocol (request and response structure), along with an overview of the difference between it and `/pki/sign-verbatim`. - Issuance Protocols: Using standard certificate management protocols with Vault PKI. - - [EST ](/vault/docs/secrets/pki/est) - + - [EST ](/vault/docs/secrets/pki/est) - Explains Vault's implementation of the EST protocol, from configuration to limitations. - [CMPv2 ](/vault/docs/secrets/pki/cmpv2) - Explains Vault's implementation of the CMPv2 protocol, from configuration to limitations. + - [SCEP ](/vault/docs/secrets/pki/scep) - + Explains Vault's implementation of the SCEP protocol, from configuration + to limitations. - [Troubleshooting ACME](/vault/docs/secrets/pki/troubleshooting-acme) - A list of advice for troubleshooting failures with ACME issuance and Vault PKI. diff --git a/website/content/docs/secrets/pki/scep.mdx b/website/content/docs/secrets/pki/scep.mdx new file mode 100644 index 000000000000..d24af496e47c --- /dev/null +++ b/website/content/docs/secrets/pki/scep.mdx @@ -0,0 +1,224 @@ +--- +layout: docs +page_title: Simple Certificate Enrollment Protocol (SCEP) +description: >- + Configure the PKI plugin to work with Simple Certificate Enrollment Protocol (SCEP). +--- + +# Configure a Simple Certificate Enrollment Protocol (SCEP) + +@include 'alerts/enterprise-only.mdx' + +SCEP is an IETF standardized protocol ([RFC 8894](https://datatracker.ietf.org/doc/html/rfc8894)) +that allows clients to acquire client certificates and associated +Certificate Authority (CA) certificates. You can configure the PKI plugin to +use [SCEP](https://datatracker.ietf.org/doc/html/rfc8894) authentication. + +## Before you start + +- **You must have Vault Enterprise 1.20 or later**. +- **You must use the `static-challenge` authentication type to work with JAMF Pro.** +- **To use multiple authentication methods, you must have separate PKI mounts**. + The SCEP implementation only allows one type of challenge authentication for + a given PKI mount. If you require multiple authentication methods, you must + create separate PKI mounts, that point to either a shared SCEP auth mount or + separate SCEP auth mounts. + +## Step 1: Determine your authentication methods + +The Vault SCEP implementation supports a few different authentication mechanisms in +two categories. + + * Challenge Based authentication + - [Intune authentication](/vault/docs/auth/scep) + - [Static challenge authentication](/vault/docs/auth/scep) + * [Certificate Authentication](/vault/docs/auth/cert) + +For SCEP challenge based authentication, one of either static challenge or Intune mechanisms +can be used to authenticate clients within a given PKI mount. This is controlled +by configuring Intune within the PKI mount's SCEP configuration, otherwise we fallback +to using static challenges. + +Certificate authentication can optionally be used for requests without a challenge value. +This is useful for clients that are renewing their certificate without +requiring the original challenge value. + +The static challenge and Intune authentication mechanisms use a dedicated SCEP +authentication mount within the same namespace, while the certificate authentication +mechanism uses a configured certificate authentication mount. Both of these mounts +are used to validate the client provided credentials along with the client's ACL policy. + +For proper accounting, mounts supporting SCEP authentication should be +dedicated to this purpose, and should not be shared with other workflows. In other words, +create a new auth mount for SCEP even if you already have one of the same +type for other purposes. + +When setting up the authentication mount for SCEP clients, the token type must +be configured to return [batch tokens](/vault/docs/concepts/tokens#batch-tokens). +Batch tokens are required to avoid an excessive amount of leases being generated +and persisted as every SCEP incoming request needs to be authenticated. + +If using the `sign-verbatim` or `role:my-role-name` as a path policy, the following +ACL policy will allow an authenticated client access the required PKI SCEP paths. +```hcl +path “pki/scep” { + capabilities=[“read“, “update”, “create”] +} +path “pki/scep/pkiclient.exe” { + capabilities=[“read“, “update”, “create”] +} +``` + +For a role base path policy, this sample policy can be used +```hcl +path “pki/roles/my-role-name/scep” { + capabilities=[“read“, “update”, “create”] +} +path “pki/roles/my-role-name/scep/pkiclient.exe” { + capabilities=[“read“, “update”, “create”] +} +``` + +##### Sample SCEP authentication mounts + +```shell-session +$ vault auth enable scep +$ vault write auth/scep/role/static-challenge-1 \ + auth_type="static-challenge" \ + challenge=${SCEP_PASS} \ + token_policies="access-scep" \ + token_type="batch" +``` + +```shell-session +$ vault auth enable cert +$ vault write auth/cert/certs/scep-ca \ + display_name="SCEP Client CA" \ + token_policies="access-scep" \ + certificate="${CERTIFICATE}" \ + token_type="batch" \ + allowed_common_names="${HOSTNAME}" +``` + +```shell-session +$ vault write auth/scep/role/intune \ + auth_type="intune" \ + token_policies="access-scep" \ + token_type="batch" +``` + +## Step 2: Tune your PKI mount parameters + +Once the authentication mount has been created and configured, the authentication mount's accessor +will need to be captured and added within the PKI mount's [delegated auth accessors](/vault/api-docs/system/mounts#delegated_auth_accessors). + +To get an authentication mount's accessor field, the following command can be used. + +```shell-session +$ vault read -field=accessor sys/auth/scep +$ vault read -field=accessor sys/auth/cert +``` + +These field accessors are then added to the mount's delegated auth accessors. + +```shell-session +$ vault secrets tune \ + -delegated-auth-accessors="auth_scep_e2f4f6d5" \ + -delegated-auth-accessors="auth_cert_4088ac2d" \ + pki +``` + +## Step 3: Configure your SCEP authentication mount + + + + + + +The following example uses two different authentication methods: certificates +and a static secret SCEP authentication. + +The `default_path_policy` uses the existing `scep-clients` PKI role for +restrictions and defaults, leveraging the issuer specified within the role. + +```shell-session +vault write pki_int/config/scep -< + + + +The following example uses SCEP with Intune authentication. Note that the +SCEP auth mount must have a role configured with `auth_type` set to `intune`. +You can choose to set your Intune authentication credentials explicilty in the +configuraiton, as environment variables, or leverage Azure managed identities. + +All the `intune` specific fields within the `external_validation` block also +accept [indirect value references](/vault/docs/configuration/seal#indirect-value-references). + +```shell-session +vault write pki_int/config/scep -< + +During internal testing, we noticed Intune clients fail to match the CA +certificate when the GetCACerts request returned a full certificate chain +instead of the issuer CA certificate by itself. + +If you experience issues with GetCACerts requests, you can set the +`restrict_ca_chain_to_issuer` field in your PKI mount SCEP configuration to +`true`. Restricting the CA chain forces SCEP to only return the issuer CA +certificate. + + + + + + + + + + +## Resources + +- [PKI secrets engine API](/vault/api-docs/secret/pki) documentation. diff --git a/website/data/api-docs-nav-data.json b/website/data/api-docs-nav-data.json index 1a469d5fca37..382a09d5a59f 100644 --- a/website/data/api-docs-nav-data.json +++ b/website/data/api-docs-nav-data.json @@ -369,6 +369,15 @@ "color": "neutral" } }, + { + "title": "SCEP", + "path": "auth/scep", + "badge": { + "text": "ENTERPRISE", + "type": "outlined", + "color": "neutral" + } + }, { "title": "TLS Certificates", "path": "auth/cert" diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index e94d6229bebb..e5c25a354983 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -279,7 +279,7 @@ ] }, - + { "divider": true }, { "heading": "OPERATIONS" }, @@ -358,7 +358,7 @@ } ] }, - + { "title": "Configure Vault", "routes": [ @@ -398,10 +398,10 @@ "color": "neutral" }, "path": "configuration/entropy-augmentation" - }, - + }, + { "heading": "Configuration stanzas" }, - + { "title": "adaptive_overload_protection", "badge": { @@ -2206,6 +2206,15 @@ }, "path": "secrets/pki/cmpv2" }, + { + "title": "Simple Certificate Enrollment Protocol (SCEP)", + "badge": { + "text": "ENT", + "type": "filled", + "color": "neutral" + }, + "path": "secrets/pki/scep" + }, { "title": "Troubleshooting ACME", "path": "secrets/pki/troubleshooting-acme" @@ -2530,6 +2539,15 @@ } ] }, + { + "title": "SCEP", + "path": "auth/scep", + "badge": { + "text": "ENT", + "type": "filled", + "color": "neutral" + } + }, { "title": "TLS Certificates", "path": "auth/cert"