Clarify behavior of role's ExtKeyUsage

Resolves: #217 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
openbao · Mar 19, 2024 · 39b456e · 39b456e
1 parent ddec2b4
commit 39b456e
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/website/content/api-docs/secret/pki.mdx b/website/content/api-docs/secret/pki.mdx
@@ -3172,10 +3172,19 @@ listing roles.
 This endpoint creates or updates the role definition. Note that the
 `allowed_domains`, `allow_subdomains`, `allow_glob_domains`, and
 `allow_any_name` attributes are additive; between them nearly and across
-multiple roles nearly any issuing policy can be accommodated. `server_flag`,
-`client_flag`, and `code_signing_flag` are additive as well. If a client
-requests a certificate that is not allowed by the CN policy in the role, the
-request is denied.
+multiple roles nearly any issuing policy can be accommodated.
+
+Handling of `ExtKeyUsage` on the issued leaf is complex: if any of
+`server_flag`, `client_flag`, `code_signing_flag`, or `email_protection_flag`
+are set, they are added to the generated `ExtKeyUsage` value. Then names in
+the `ext_key_usage` field are added, followed by OIDs from
+`ext_key_usage_oids`. This can result in issuance of certificates with
+unexpected `ExtKeyUsage` values, as e.g., `server_flag` and `client_flag`
+default to `true` and need to be manually disabled before `ext_key_usage`
+and `ext_key_usage_oids` will be respected.
+
+If a client requests a certificate that is not allowed by the CN policy
+in the role, the request is denied.
 
 | Method  | Path               |
 | :------ | :----------------- |