PKI SCEP documentation updates

website/content/api-docs/auth/scep.mdx

@@ -0,0 +1,211 @@
+---
+layout: api
+page_title: SCEP - Auth Methods - HTTP API
+description: |-
+  This is the API documentation for the Vault SCEP authentication
+  method.
+---
+
+# SCEP auth method (API)
+
+This is the API documentation for the Vault SCEP authentication
+method. For general information about the usage and operation of the
+SCEP method, please see the [Vault SCEP method documentation](/vault/docs/auth/scep).
+
+This documentation assumes the SCEP method is mounted at the
+`/auth/scep` path in Vault. Since it is possible to enable auth methods at any
+location, please update your API calls accordingly.
+
+## Create SCEP role
+
+Creates or updates a named SCEP role.
+
+| Method | Path                    |
+|:-------|:------------------------|
+| `POST` | `/auth/scep/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the SCEP role.
+- `display_name` `(string: "")` - The `display_name` to set on tokens issued
+  when authenticating against this role. If not set, defaults to the
+  name of the role.
+- `auth_type` `(string: <required>)` - The authentication type to use for this role.
+  Valid values are `static-challenge` and `intune`.
+- `challenge` `(string: "")` - The challenge to use for this role. This is only
+  used when `auth_type` is set to `static-challenge`. If not set, defaults to
+  the empty string.
+
+@include 'tokenfields.mdx'
+
+### Sample payload
+
+```json
+{
+  "auth_type": "static-challenge",
+  "challenge": "super-secret-challenge",
+  "display_name": "test",
+  "token_policies": ["access-scep"],
+  "token_type": "batch"
+}
+```
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json
+    http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
+```
+
+### Sample response
+
+```json
+{
+  "request_id": "c22d68ec-ac3d-ea24-d5d0-efe07dcc0ef6",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "auth_type": "static-challenge",
+    "display_name": "test",
+    "name": "static-challenge-1",
+    "token_bound_cidrs": [],
+    "token_explicit_max_ttl": 0,
+    "token_max_ttl": 0,
+    "token_no_default_policy": false,
+    "token_num_uses": 0,
+    "token_period": 0,
+    "token_policies": [
+      "access-scep"
+    ],
+    "token_ttl": 0,
+    "token_type": "batch"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null,
+  "mount_type": "scep"
+}
+```
+
+## Read SCEP role
+
+Gets information associated with the named role.
+
+| Method | Path                    |
+|:-------|:------------------------|
+| `GET`  | `/auth/scep/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the SCEP role.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
+```
+
+### Sample response
+
+```json
+{
+  "request_id": "07c9bfcc-ee30-6ba9-fce8-07bae5033989",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "auth_type": "static-challenge",
+    "display_name": "static-challenge-1",
+    "name": "static-challenge-1",
+    "token_bound_cidrs": [],
+    "token_explicit_max_ttl": 0,
+    "token_max_ttl": 0,
+    "token_no_default_policy": false,
+    "token_num_uses": 0,
+    "token_period": 0,
+    "token_policies": [
+      "access-scep"
+    ],
+    "token_ttl": 0,
+    "token_type": "batch"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null,
+  "mount_type": "scep"
+}
+```
+
+## List SCEP roles
+
+Lists configured SCEP role names.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `LIST` | `/auth/scep/role` |
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request LIST \
+    http://127.0.0.1:8200/v1/auth/scep/role
+```
+
+### Sample response
+
+```json
+{
+  "auth": null,
+  "warnings": null,
+  "wrap_info": null,
+  "data": {
+    "keys": ["static-challenge-1", "intune-1"]
+  },
+  "lease_duration": 0,
+  "renewable": false,
+  "lease_id": ""
+}
+```
+
+## Delete SCEP role
+
+Deletes the named role.
+
+| Method   | Path                    |
+|:---------|:------------------------|
+| `DELETE` | `/auth/scep/role/:name` |
+
+### Parameters
+
+- `name` `(string: <required>)` - The name of the SCEP role.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request DELETE \
+    http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1
+```
+
+## Login
+
+This endpoint is used to authenticate against the SCEP auth method, but shouldn't be used directly,
+but only through delegated authentication from a PKI mount.
+
+| Method | Path               |
+|:-------|:-------------------|
+| `POST` | `/auth/scep/login` |
+
+### Parameters
+
+- `name` `(string: "")` - Authenticate against only the named SCEP role.
+  If not set, defaults to trying all SCEP roles and returning any one that matches.

website/content/api-docs/secret/pki/index.mdx

@@ -90,6 +90,7 @@ update your API calls accordingly.
   - [ACME - Automatic Certificate Management Environment](/vault/api-docs/secret/pki/issuance#acme-certificate-issuance)
   - [EST - Enrollment over Secure Transport <EnterpriseAlert inline="true"/>](/vault/api-docs/secret/pki/issuance#est-certificate-issuance)
   - [CMPv2 - Certificate Management Protocol (v2) <EnterpriseAlert inline="true"/>](/vault/api-docs/secret/pki/issuance#cmpv2-certificate-issuance)
+  - [SCEP - Simple Certificate Enrollment Protocol <EnterpriseAlert inline="true"/>](/vault/api-docs/secret/pki/issuance#scep-certificate-issuance)
 - [Cluster Scalability](#cluster-scalability)
 - [Managed Key](#managed-keys) (Enterprise Only)
 - [Vault CLI with DER/PEM responses](#vault-cli-with-der-pem-responses)