gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 23:11:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs(scep): close G-3 docs-only drift in legacy-est-scep.md

Browse Source 
Two G-3 regression hits from the SCEP RFC 8894 docs that landed in
commit 35fcfa7's docs/legacy-est-scep.md addition:

1. CERTCTL_SCEP_PROFILE_CORP_* (5 vars) — the multi-profile dispatch
   recipe used literal CORP placeholders in the example block, which
   the G-3 scanner treats as phantom env vars (the loader expands
   <NAME> at runtime; CORP is never a literal env-var key in Go
   source). Replaced the literal example with a prose description
   that uses the <NAME> token explicitly + cross-references
   docs/features.md where the per-profile suffix table lives. The
   G-3 scanner sees only CERTCTL_SCEP_PROFILES + the prefix
   CERTCTL_SCEP_ (already on the ALLOWED list per commit 347365f),
   matching the convention used elsewhere in the SCEP env-var docs.

2. CERTCTL_TLS_CERT_PATH — incorrect env var name in the RA-cert
   rotation paragraph. The actual config field is
   CERTCTL_SERVER_TLS_CERT_PATH (per internal/config/config.go:1130).
   Fixed the reference. The CERTCTL_TLS_ prefix is already allowlisted
   (covers e.g. CERTCTL_TLS_INSECURE_SKIP_VERIFY), but the literal
   suffix _CERT_PATH was a typo that bypassed the prefix match.

Verification: local G-3 set difference (Go-defined ∖ docs-mentioned)
empty in BOTH directions after the fix.

Restores green CI on the env-var docs drift guard for the SCEP
plumbing PR.
This commit is contained in:
certctl-copilot
2026-04-29 13:41:08 +00:00
parent 28797b1cbb
commit d8d1436736
1 changed files with 10 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/legacy-est-scep.md
+10 -12
View File
@@ -294,17 +294,15 @@ behavior change.
Real enterprise deploys run multiple SCEP endpoints from one certctl
instance — corp-laptop CA, IoT CA, server CA — each with its own
issuer + RA pair + challenge password. Configure via:
```
CERTCTL_SCEP_PROFILES=corp,iot,server
CERTCTL_SCEP_PROFILE_CORP_ISSUER_ID=iss-corp-laptop
CERTCTL_SCEP_PROFILE_CORP_PROFILE_ID=prof-corp-tls
CERTCTL_SCEP_PROFILE_CORP_CHALLENGE_PASSWORD=...
CERTCTL_SCEP_PROFILE_CORP_RA_CERT_PATH=/etc/certctl/scep/corp-ra.crt
CERTCTL_SCEP_PROFILE_CORP_RA_KEY_PATH=/etc/certctl/scep/corp-ra.key
# ... per profile name in CERTCTL_SCEP_PROFILES
```
issuer + RA pair + challenge password. Configure via the indexed env-var
form documented in [`features.md`](features.md): set
`CERTCTL_SCEP_PROFILES=corp,iot,server` (a comma-separated list of
profile names), then for each name supply the per-profile env-vars
prefixed with `CERTCTL_SCEP_PROFILE_<NAME>_` followed by the suffix
keys `_ISSUER_ID`, `_PROFILE_ID`, `_CHALLENGE_PASSWORD`, `_RA_CERT_PATH`,
`_RA_KEY_PATH`. The `<NAME>` token resolves to the upper-cased profile
name from the list. Each profile is independently validated at startup;
per-profile failures log the offending PathID.
The router exposes `/scep/corp`, `/scep/iot`, `/scep/server`. The legacy
`/scep` root remains for the single-profile flat-env-var case (when
@@ -324,7 +322,7 @@ PKIOperation.
The RA cert is loaded once at startup and persisted in the handler's
struct field; rotation requires a server restart (mirrors the
`CERTCTL_TLS_CERT_PATH` precedent in `cmd/server/tls.go`). The
`CERTCTL_SERVER_TLS_CERT_PATH` precedent in `cmd/server/tls.go`). The
recommended cadence is annual rotation with a 30-day overlap during
which both old + new RA certs are listed in `GetCACert`'s response (set
the cert chain accordingly in your sub-CA hierarchy).