From 5e31af2ee2c33139801178c0715f4fe0cae928a7 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 27 Apr 2024 22:12:18 +1000
Subject: [PATCH] Doc: fix default server certificate role
---
 doc/vault/setup.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/doc/vault/setup.md b/doc/vault/setup.md
index 8f02c99..80287b6 100644
--- a/doc/vault/setup.md
+++ b/doc/vault/setup.md
@@ -36,10 +36,12 @@
 vault write pki_int/roles/servers_default \
 issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
 allow_ip_sans=true \
- allowed_domains="unkin.net,prod*" \
+ allowed_domains="unkin.net, *.unkin.net, localhost" \
 allow_subdomains=true \
- allow_bare_domains=true \
 allow_glob_domains=true \
+ allow_bare_domains=true \
+ enforce_hostnames=true \
+ allow_any_name=true \
 max_ttl="2160h" \
 key_bits=4096 \
 country="Australia"
@@ -49,7 +51,6 @@ vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
 vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
-
 # remove expired certificates
 vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
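Review bot: The added `allow_any_name=true` in the `servers_default` role removes the restriction that `allowed_domains` and the `allow_subdomains` / `allow_glob_domains` / `allow_bare_domains` switches are meant to provide. Vault then accepts any requested common name that passes `enforce_hostnames`, so a client able to write to `pki_int/issue/servers_default` can get a certificate for hostnames outside `unkin.net`. If the role is meant to stay scoped to the listed domains, drop the `allow_any_name=true \` line and keep `enforce_hostnames=true \`. If unrestricted issuance is intended, the doc should say so next to the command and point out that the Vault policy on the issue path is then the only control over which names can be issued. The policies attached to this role are not visible in this hunk.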