mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 17:12:04 +00:00
docs(scep): close G-3 docs-only drift in legacy-est-scep.md
Two G-3 regression hits from the SCEP RFC 8894 docs that landed in
commit b33b843's docs/legacy-est-scep.md addition:
1. CERTCTL_SCEP_PROFILE_CORP_* (5 vars) — the multi-profile dispatch
recipe used literal CORP placeholders in the example block, which
the G-3 scanner treats as phantom env vars (the loader expands
<NAME> at runtime; CORP is never a literal env-var key in Go
source). Replaced the literal example with a prose description
that uses the <NAME> token explicitly + cross-references
docs/features.md where the per-profile suffix table lives. The
G-3 scanner sees only CERTCTL_SCEP_PROFILES + the prefix
CERTCTL_SCEP_ (already on the ALLOWED list per commit 5c7c125),
matching the convention used elsewhere in the SCEP env-var docs.
2. CERTCTL_TLS_CERT_PATH — incorrect env var name in the RA-cert
rotation paragraph. The actual config field is
CERTCTL_SERVER_TLS_CERT_PATH (per internal/config/config.go:1130).
Fixed the reference. The CERTCTL_TLS_ prefix is already allowlisted
(covers e.g. CERTCTL_TLS_INSECURE_SKIP_VERIFY), but the literal
suffix _CERT_PATH was a typo that bypassed the prefix match.
Verification: local G-3 set difference (Go-defined ∖ docs-mentioned)
empty in BOTH directions after the fix.
Restores green CI on the env-var docs drift guard for the SCEP
plumbing PR.
@@ -294,17 +294,15 @@ behavior change.
Real enterprise deploys run multiple SCEP endpoints from one certctl
instance — corp-laptop CA, IoT CA, server CA — each with its own
issuer + RA pair + challenge password. Configure via:
```
CERTCTL_SCEP_PROFILES=corp,iot,server
CERTCTL_SCEP_PROFILE_CORP_ISSUER_ID=iss-corp-laptop
CERTCTL_SCEP_PROFILE_CORP_PROFILE_ID=prof-corp-tls
CERTCTL_SCEP_PROFILE_CORP_CHALLENGE_PASSWORD=...
CERTCTL_SCEP_PROFILE_CORP_RA_CERT_PATH=/etc/certctl/scep/corp-ra.crt
CERTCTL_SCEP_PROFILE_CORP_RA_KEY_PATH=/etc/certctl/scep/corp-ra.key
# ... per profile name in CERTCTL_SCEP_PROFILES
```
issuer + RA pair + challenge password. Configure via the indexed env-var
form documented in [`features.md`](features.md): set
`CERTCTL_SCEP_PROFILES=corp,iot,server` (a comma-separated list of
profile names), then for each name supply the per-profile env-vars
prefixed with `CERTCTL_SCEP_PROFILE_<NAME>_` followed by the suffix
keys `_ISSUER_ID`, `_PROFILE_ID`, `_CHALLENGE_PASSWORD`, `_RA_CERT_PATH`,
`_RA_KEY_PATH`. The `<NAME>` token resolves to the upper-cased profile
name from the list. Each profile is independently validated at startup;
per-profile failures log the offending PathID.
The router exposes `/scep/corp`, `/scep/iot`, `/scep/server`. The legacy
`/scep` root remains for the single-profile flat-env-var case (when
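Review bot: the replacement prose composes the per-profile key as `CERTCTL_SCEP_PROFILE_<NAME>_` followed by suffixes that themselves start with an underscore (`_ISSUER_ID`, `_PROFILE_ID`, ...), which read literally spells a double underscore that the removed example block never had; drop the leading underscore from the suffix list or the trailing one from the prefix so the two halves compose to the real key. Keeping it as a `<NAME>` token rather than a resolved `CORP` key is the right call given the G-3 scanner, but the old `...` placeholder on the challenge-password line implied it is a secret and the new text says nothing about that; add a clause that `_CHALLENGE_PASSWORD` is a secret to be injected at runtime, not written in the clear into shell profiles or compose files. `PathID` in the last sentence is not introduced anywhere in this hunk; define it or link where it is.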
@@ -324,7 +322,7 @@ PKIOperation.
The RA cert is loaded once at startup and persisted in the handler's
struct field; rotation requires a server restart (mirrors the
`CERTCTL_TLS_CERT_PATH` precedent in `cmd/server/tls.go`). The
`CERTCTL_SERVER_TLS_CERT_PATH` precedent in `cmd/server/tls.go`). The
recommended cadence is annual rotation with a 30-day overlap during
which both old + new RA certs are listed in `GetCACert`'s response (set
the cert chain accordingly in your sub-CA hierarchy).
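Review bot: the env-var rename is correct per the commit message, but the rotation paragraph around it is still under-specified: it states the RA cert is loaded once from a single path at startup, then says both old and new RA certs are listed in `GetCACert`'s response during the 30-day overlap and tells the reader to "set the cert chain accordingly" without naming which setting actually carries the second certificate. Name the mechanism (a PEM bundle at the RA cert path, or whatever chain option the server reads) and add that the retired RA cert must be removed from the `GetCACert` response once the overlap ends, since clients encrypt to and verify against whatever that response returns.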