List client cert requirements in documentation
Hayden Roszell committed Sep 15, 2022
1 parent 056e647 commit d9bf43f
Showing 3 changed files with 7 additions and 3 deletions.
4 changes: 3 additions & 1 deletion docs/getting-started.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,9 @@ Desktop is also compatible with many operating systems.
|----------------|------------------------------------------------------------------------------------------------------------------------|

5. If using client certificate authentication (IE not using EST), create a tls K8s secret. K8s requires that
the certificate and private key are in separate files.
the certificate and private key are in separate files. The client certificate must be a PEM encoded certificate as per
[Section 5.1 of RFC7468](https://datatracker.ietf.org/doc/html/rfc7468#section-5.1)
and the private key be a PEM encoded matching PKCS#8 private key as per [Section 11 of RFC7468](https://datatracker.ietf.org/doc/html/rfc7468#section-11).
```shell
kubectl -n ejbca create secret tls ejbca-client-cert --cert=certs/client.pem --key=certs/client.key
```
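Review bot: The added sentence requires a PKCS#8 key, but the example command on the last lines of this hunk still passes `certs/client.key` with no hint of how to get one; keys produced by `openssl genrsa` or `openssl ecparam -genkey` are PKCS#1 (`BEGIN RSA PRIVATE KEY`) or SEC1 (`BEGIN EC PRIVATE KEY`) and would not meet the stated requirement even though `kubectl create secret tls` accepts them. Suggest adding a conversion step such as `openssl pkcs8 -topk8 -nocrypt -in certs/client.key -out certs/client-pkcs8.key` and telling the reader that a `BEGIN PRIVATE KEY` header is the check. Minor: "IE not using EST" should be "i.e. not using EST" in the kept context.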
2 changes: 1 addition & 1 deletion docs/index.md
Expand Up @@ -93,7 +93,7 @@ directory as per the [x509 library](https://go.dev/src/crypto/x509/root_unix.go)
If the traditional REST client is used (IE EST is not being used), a K8s TLS secret must
be created containing the client certificate/keypair. K8s requires that this certificate
be a PEM or DER encoded certificate as per [Section 5.1 of RFC7468](https://datatracker.ietf.org/doc/html/rfc7468#section-5.1)
and the private key be a PEM or DER encoded matching private key as per [Section 11 of RFC7468](https://datatracker.ietf.org/doc/html/rfc7468#section-11).
and the private key be a PEM or DER encoded matching PKCS#8 private key as per [Section 11 of RFC7468](https://datatracker.ietf.org/doc/html/rfc7468#section-11).
Once located, create the secret with the following command:
```shell
kubectl create secret tls ejbca-client-cert \
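Review bot: "PEM or DER encoded", kept in the unchanged certificate line and repeated in the added private-key line, conflicts with the other two files in this commit, which say PEM only, and with the cited RFC 7468, which defines only the textual (PEM) encoding; `kubectl create secret tls` reads PEM files, so drop "or DER" in both sentences. Also, this paragraph attributes the PKCS#8 requirement to K8s ("K8s requires that..."), but `kubectl create secret tls` validates the pair with Go's `tls.X509KeyPair`, which accepts PKCS#1 and SEC1 private keys as well; if PKCS#8 is what the issuer's REST client needs, say that it is the issuer, not K8s, that imposes it.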
4 changes: 3 additions & 1 deletion docs/vault.md
Expand Up @@ -41,7 +41,9 @@ vault secrets enable -path=internal kv

Next, set a secret in Vault using the v1 KV engine. Omitted was the creation of `tls.crt` and `tls.key` files containing the client certificate keypair.
Shell history can easily be retrieved, so configuring the KV secret should be done in a methodical manner. Key names in this step are
unimportant, and the client certificate and private key may be configured in the same key-value tag.
unimportant, and the client certificate and private key may be configured in the same key-value tag. The client certificate must be a PEM encoded certificate as per
[Section 5.1 of RFC7468](https://datatracker.ietf.org/doc/html/rfc7468#section-5.1)
and the private key be a PEM encoded matching PKCS#8 private key as per [Section 11 of RFC7468](https://datatracker.ietf.org/doc/html/rfc7468#section-11).
```shell
vault kv put secret/ejbca [email protected] [email protected]
```
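Review bot: The `vault kv put` example at the end of this hunk writes to `secret/ejbca`, while the kept context at the top of the hunk enabled the KV engine at `-path=internal`; the write will fail unless a KV engine is also mounted at `secret/`, so one of the two paths should change (e.g. `vault kv put internal/ejbca ...`). The added PKCS#8 requirement has the same gap as in getting-started.md: `tls.key` is only described as already existing, so add how to convert a PKCS#1/SEC1 key (`openssl pkcs8 -topk8 -nocrypt`). Wording: "configured in the same key-value tag" is unclear; "stored under the same secret path as two keys" is what the command does.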