Is your feature request related to a problem? Please describe.
I need to have an HTTP listener for PKI info endpoints (e.g. CRLs & OCSP). Notably, it seems Microsoft clients (Crypto API) don't support fetching these over HTTPS [1].
To avoid serving the entire Vault API over HTTP, I have to explicitly allow-list every path that contains a non-sensitive endpoint; this is tedious when creating many PKI authorities.
Describe the solution you'd like
I'd like to be able to configure a listener on the Vault server that only serves non-sensitive endpoints. I think anything that is available unauthenticated would be a good default.
Additional context
We have several clusters that use mTLS for internal communication. The software does not support filtering by certificate attributes, so each cluster needs a separate CA/backend. This makes it tedious to allow-list all of them individually.