diff --git a/website/content/docs/secrets/kmip.mdx b/website/content/docs/secrets/kmip.mdx index d1ce62b3870f..dda13a6789b7 100644 --- a/website/content/docs/secrets/kmip.mdx +++ b/website/content/docs/secrets/kmip.mdx @@ -74,6 +74,15 @@ requests. ```text $ vault write kmip/config listen_addrs=0.0.0.0:5696 ``` +### KMIP Certificate Authority for Client Certificates + +When the KMIP Secrets Engine is initially configured, Vault generates a KMIP +Certificate Authority (CA) whose only purpose is to authenticate KMIP client +certificates. + +Vault uses the internal KMIP CA to generate certificates for clients +authenticating to Vault with the KMIP protocol. You cannot import external KMIP +authorities. All KMIP authentication must use the internally-generated KMIP CA. ## Usage
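Review bot: In the second added paragraph, "You cannot import external KMIP authorities" drops the term the first paragraph just defined ("KMIP Certificate Authority (CA)"). It reads as if "KMIP authorities" were a separate concept, so suggest "You cannot import an external CA." The two paragraphs also describe the CA's role differently: the first says its "only purpose is to authenticate KMIP client certificates", while the second says Vault uses it "to generate certificates for clients". One sentence stating that the CA both signs the client certificates and is what Vault verifies them against would reconcile the two. "When the KMIP Secrets Engine is initially configured" could name the step that triggers CA generation, since the section sits directly after the `vault write kmip/config` example and readers will assume that command is the trigger. Because operators cannot bring their own CA, the section should also say or link to how clients obtain the generated CA certificate for their trust store. Minor: "internally-generated" does not need the hyphen.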