diff --git a/step-ca/configuration.mdx b/step-ca/configuration.mdx index 9417423d..4899390c 100644 --- a/step-ca/configuration.mdx +++ b/step-ca/configuration.mdx @@ -84,6 +84,7 @@ the `--password-file` flag accepts "enabled": false }, "authority": { + "disableIssuedAtCheck": false, "claims": { "minTLSCertDuration": "5m", "maxTLSCertDuration": "24h", @@ -251,6 +252,8 @@ the `--password-file` flag accepts - **template**: default ASN1DN values for new certificates. See [Templates](./templates.mdx). + - **disableIssuedAtCheck**: ☠️ disable a check verifying that provisioning tokens must be issued after the CA has booted. This claim is one prevention against token reuse. The default value is false. Do not change this unless you know what you are doing. + - **claims**: default validation for requested attributes in the certificate request. Can be overridden by similar claims objects defined by individual provisioners. - **minTLSCertDuration**: do not allow certificates with a duration less than this value. @@ -277,8 +280,6 @@ the `--password-file` flag accepts - **enableSSHCA**: enable this provisioner to generate SSH Certificates. The default value is false. - - **disableIssuedAtCheck**: ☠️ disable a check verifying that provisioning tokens must be issued after the CA has booted. This claim is one prevention against token reuse. The default value is false. Do not change this unless you know what you are doing. - - **provisioners**: list of certificate [Provisioners](./provisioners.mdx). Each provisioner has a name, associated authentication attributes, and an optional claims attribute that overrides any values set in the global claims directly underneath authority. The [`step ca provisioner`](../step-cli/reference/ca/provisioner) command group can add, modify, and remove provisioners. See [Provisioners](./provisioners.mdx). - **claims**: Each provisioner can override the authority-wide `claims` settings. See the authority's **claims** section above for a complete list of options.