website: Update api-docs for /ssh/sign/:name and /ssh/issue/:name (#1…

…7694) Extend the documentation the API endpoint '/ssh/issue/:name' (added in #15561 with v1.12.0) and '/ssh/issue/:name': - Be more specific that the issued certificate uses the defaults given of the role at the given endpoint; and that it is subject to the limitations configured in this role. - Note that the endpoint /ssh/issue/:name is available with v1.12+. - Make it more clear that the generated credentials are only returned but not stored by Vault (not just the generated private key).
hashicorp · Oct 27, 2022 · 184a4e4 · 184a4e4
1 parent ab6fecb
commit 184a4e4
Showing 1 changed file with 22 additions and 4 deletions.
diff --git a/website/content/api-docs/secret/ssh.mdx b/website/content/api-docs/secret/ssh.mdx
@@ -820,6 +820,17 @@ $ curl \
 This endpoint signs an SSH public key based on the supplied parameters, subject
 to the restrictions contained in the role named in the endpoint.
 
+It is similar to the endpoint `/ssh/issue/:name`. Instead of issuing new
+SSH credentials, this returns a certificate for the given SSH public key.
+
+The issued certificate uses the defaults specified in the role named in
+this endpoint. Where not restricted by the parameters of this role, the
+parameters of the issued certificate can be further customized in this API call.
+
+~> **Note**: The issued certificate is returned but _not_ stored by Vault.
+   If you do not save it from the response, request it again by repeating
+   this request.
+
 | Method | Path              |
 | :----- | :---------------- |
 | `POST` | `/ssh/sign/:name` |
@@ -887,11 +898,18 @@ $ curl \
 
 ## Generate Certificate and Key
 
-This endpoint generates a new set of credentials (private key and certificate)
-based on the role named in the endpoint.
+This endpoint issues a new set of SSH credentials (private key and certificate).
+
+It is similar to the endpoint `/ssh/sign/:name`: Instead of signing an existing
+SSH public key, it generates and issues new SSH credentials (key and certificate).
+
+The issued certificate uses the defaults specified in the role named in
+this endpoint. Where not restricted by the parameters of this role, the
+parameters of the issued certificate can be further customized in this API call.
 
-~> **Note**: The private key is _not_ stored. If you do not save the private
-   key from the response, you will need to request a new certificate.
+~> **Note**: The issued credentials are returned but _not_ stored by Vault.
+   If you do not save them from the response, issue new credentials by using
+   this request again. This endpoint is available with Vault version 1.12+.
 
 | Method | Path               |
 | :----- | :----------------  |