From b857bdc560eff876545cf313c99c3095075f9b70 Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Wed, 29 Apr 2026 13:41:08 +0000 Subject: [PATCH] docs(scep): close G-3 docs-only drift in legacy-est-scep.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two G-3 regression hits from the SCEP RFC 8894 docs that landed in commit b33b843's docs/legacy-est-scep.md addition: 1. CERTCTL_SCEP_PROFILE_CORP_* (5 vars) — the multi-profile dispatch recipe used literal CORP placeholders in the example block, which the G-3 scanner treats as phantom env vars (the loader expands at runtime; CORP is never a literal env-var key in Go source). Replaced the literal example with a prose description that uses the token explicitly + cross-references docs/features.md where the per-profile suffix table lives. The G-3 scanner sees only CERTCTL_SCEP_PROFILES + the prefix CERTCTL_SCEP_ (already on the ALLOWED list per commit 5c7c125), matching the convention used elsewhere in the SCEP env-var docs. 2. CERTCTL_TLS_CERT_PATH — incorrect env var name in the RA-cert rotation paragraph. The actual config field is CERTCTL_SERVER_TLS_CERT_PATH (per internal/config/config.go:1130). Fixed the reference. The CERTCTL_TLS_ prefix is already allowlisted (covers e.g. CERTCTL_TLS_INSECURE_SKIP_VERIFY), but the literal suffix _CERT_PATH was a typo that bypassed the prefix match. Verification: local G-3 set difference (Go-defined ∖ docs-mentioned) empty in BOTH directions after the fix. Restores green CI on the env-var docs drift guard for the SCEP plumbing PR. --- docs/legacy-est-scep.md | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/docs/legacy-est-scep.md b/docs/legacy-est-scep.md index c95c9e8..487fb36 100644 --- a/docs/legacy-est-scep.md +++ b/docs/legacy-est-scep.md 
@@ -294,17 +294,15 @@ behavior change. Real enterprise deploys run multiple SCEP endpoints from one certctl instance — corp-laptop CA, IoT CA, server CA — each with its own -issuer + RA pair + challenge password. Configure via: - -``` -CERTCTL_SCEP_PROFILES=corp,iot,server -CERTCTL_SCEP_PROFILE_CORP_ISSUER_ID=iss-corp-laptop -CERTCTL_SCEP_PROFILE_CORP_PROFILE_ID=prof-corp-tls -CERTCTL_SCEP_PROFILE_CORP_CHALLENGE_PASSWORD=... -CERTCTL_SCEP_PROFILE_CORP_RA_CERT_PATH=/etc/certctl/scep/corp-ra.crt -CERTCTL_SCEP_PROFILE_CORP_RA_KEY_PATH=/etc/certctl/scep/corp-ra.key -# ... per profile name in CERTCTL_SCEP_PROFILES -``` +issuer + RA pair + challenge password. Configure via the indexed env-var +form documented in [`features.md`](features.md): set +`CERTCTL_SCEP_PROFILES=corp,iot,server` (a comma-separated list of +profile names), then for each name supply the per-profile env-vars +prefixed with `CERTCTL_SCEP_PROFILE__` followed by the suffix +keys `_ISSUER_ID`, `_PROFILE_ID`, `_CHALLENGE_PASSWORD`, `_RA_CERT_PATH`, +`_RA_KEY_PATH`. The `` token resolves to the upper-cased profile +name from the list. Each profile is independently validated at startup; +per-profile failures log the offending PathID. The router exposes `/scep/corp`, `/scep/iot`, `/scep/server`. The legacy `/scep` root remains for the single-profile flat-env-var case (when @@ -324,7 +322,7 @@ PKIOperation. The RA cert is loaded once at startup and persisted in the handler's struct field; rotation requires a server restart (mirrors the -`CERTCTL_TLS_CERT_PATH` precedent in `cmd/server/tls.go`). The +`CERTCTL_SERVER_TLS_CERT_PATH` precedent in `cmd/server/tls.go`). The recommended cadence is annual rotation with a 30-day overlap during which both old + new RA certs are listed in `GetCACert`'s response (set the cert chain accordingly in your sub-CA hierarchy).
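Review bot: the replacement prose in the first hunk leaves the profile-name placeholder empty in two places, so the new `+` lines are less usable than the block they replace: `CERTCTL_SCEP_PROFILE__` shows two consecutive underscores with nothing between them, and "The `` token resolves to the upper-cased profile name" has an empty inline code span. This looks like an angle-bracket placeholder that the markdown renderer swallowed; spell the token out in a form that survives rendering (for example write the placeholder inside the code span together with a suffix, such as `CERTCTL_SCEP_PROFILE_<NAME>_ISSUER_ID`, and name it in prose as "the upper-cased profile name from `CERTCTL_SCEP_PROFILES`"). Two smaller points in the same hunk: the removed example made it obvious that `_CHALLENGE_PASSWORD` is a secret supplied through the environment, and the new list of suffix keys does not; one clause saying so, with a pointer to how `features.md` expects secret-bearing values to be provided, would preserve that. And "log the offending PathID" introduces a term that does not appear elsewhere in the visible text; either define it or say "the offending profile name" if that is what is logged.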
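Review bot: in the second hunk the rename to `CERTCTL_SERVER_TLS_CERT_PATH` matches the field cited in the commit message, but the sentence still points at `cmd/server/tls.go` as the precedent while the commit message grounds the name in `internal/config/config.go:1130`; confirm that `cmd/server/tls.go` is where that variable is actually consumed, because the G-3 drift guard matches env-var names, not file paths, and a stale file reference will not trip it. Since the surrounding text states that the RA cert is loaded once into a handler struct field and rotation needs a restart, the 30-day overlap guidance would be clearer if it said that the old RA certificate stays advertised in `GetCACert` for that window and should be removed from the chain configuration (and its key retired) once the overlap ends, so the restart-to-rotate constraint and the overlap window are described as one procedure.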