2 changes: 2 additions & 0 deletions README.md
@@ -462,6 +462,8 @@ kftrain.lab".

These properties can also be set in the certificate template configured in Command. If they differ, the most restrictive setting is applied.

Here is a table of [Role Configuration Options](./docs/role_options.md)

## Using the plugin

### Issuing Certificates
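Review bot: the added "Here is a table of [Role Configuration Options](./docs/role_options.md)" line is a sentence fragment with no terminating punctuation, and it sits directly under a paragraph about certificate-template properties overriding role settings without saying how the two relate. Suggest something like `The full list of options that can be set on a role is in the [Role Configuration Options](./docs/role_options.md) table; where a template property is more restrictive, the template wins.` so the reader knows the linked options are subject to the "most restrictive setting" rule stated just above. The relative path `./docs/role_options.md` matches the file added in this PR, so the link resolves from the repository root.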
46 changes: 46 additions & 0 deletions docs/role_options.md
@@ -0,0 +1,46 @@
# Role Options

`vault write keyfactor/roles/hashiwebserver <key>="<value>"`

Here is a table of the available configuration parameters

| name | value type | required | default | description |
| ---- | ----------- | -------- | -------- | ----------- |
| ttl | number (seconds) | false | | The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl. |
| max_ttl | number (seconds) | false | | The maximum allowed lease duration |
| allow_localhost | bool | false | true | Whether to allow "localhost" as a valid common name in a request |
| allowed_domains | list (comma-separated) | false | | If set, clients can request certificates for subdomains directly beneath these domains, including the wildcard subdomains. Accepts a comma-separated string or list of domains. |
| allowed_domains_template | bool | false | false | If set, allowed domains can be specified using identity template policies. Non-templated domains are also permitted. |
| allow_bare_domains | bool | false | | If set, clients can request certificates for the base domains themselves, e.g. "example.com". In some cases this can be considered a security threat. |
| allow_subdomains | bool | false | | If set, clients can request certificates for subdomains of the CNs allowed by the other role options, including wildcard subdomains. |
| allow_glob_domains | bool | false | | If set, domains specified in "allowed_domains" can include glob patterns, e.g. "ftp*.example.com". |
| allow_any_name | bool | false | | If set, clients can request certificates for any CN they like. |
| enforce_hostnames | bool | false | true | If set, only valid host names are allowed for CN and SANs. Defaults to true. |
| allow_ip_sans | bool | false | true | If set, IP Subject Alternative Names are allowed. Any valid IP is accepted. |
| allowed_uri_sans | list (comma-separated) | false | | If set, an array of allowed URIs to put in the URI Subject Alternative Names. Any valid URI is accepted; supports globbing. |
| allowed_other_sans | list (comma-separated) | false | | If set, an array of allowed other names to put in SANs. Values support globbing and must be in the format `<oid>;<type>:<value>`. Only "utf8" is a valid type. |
| allowed_serial_numbers | list (comma-separated) | false | | If set, an array of allowed serial numbers to put in Subject. Values support globbing. |
| server_flag | bool | false | true | If set, certificates are flagged for server auth use. Defaults to true. |
| client_flag | bool | false | true | If set, certificates are flagged for client auth use. Defaults to true. |
| code_signing_flag | bool | false | | If set, certificates are flagged for code signing use. Defaults to false. |
| email_protection_flag | bool | false | | If set, certificates are flagged for email protection use. Defaults to false. |
| key_type | string | false | rsa | The type of key to use; defaults to RSA. Valid values: "rsa", "ec". |
| key_bits | number | false | 2048 | The number of bits to use. You may want to change this if you adjust key_type. |
| key_usage | list (comma-separated) | false | DigitalSignature, KeyAgreement, KeyEncipherment | A list of key usages (not extended). To remove all, set to an empty list. |
| ext_key_usage | list (comma-separated) | false | [] | A list of extended key usages. To remove all, set to an empty list. |
| ext_key_usage_oids | list (comma-separated) | false | | A list of extended key usage OIDs. |
| use_csr_common_name | bool | false | true | If set, when used with a signing profile, the CN in the CSR will be used. Defaults to true. |
| use_csr_sans | bool | false | true | If set, when used with a signing profile, the SANs in the CSR will be used. Defaults to true. |
| ou | list (comma-separated) | false | | If set, OU (OrganizationalUnit) will be set to this value in issued certificates. |
| organization | list (comma-separated) | false | | If set, O (Organization) will be set to this value in issued certificates. |
| country | list (comma-separated) | false | | If set, Country will be set to this value in issued certificates. |
| locality | list (comma-separated) | false | | If set, Locality will be set to this value in issued certificates. |
| province | list (comma-separated) | false | | If set, Province will be set to this value in issued certificates. |
| street_address | list (comma-separated) | false | | If set, Street Address will be set to this value in issued certificates. |
| postal_code | list (comma-separated) | false | | If set, Postal Code will be set to this value in issued certificates. |
| generate_lease | bool | false | | If set, certificates issued against this role will have Vault leases attached to them. Recommended to disable when issuing many long-lived certs. |
| no_store | bool | false | | If set, certificates issued against this role will not be stored in the backend. Improves performance but prevents revocation/enumeration. |
| require_cn | bool | false | true | If false, makes the 'common_name' field optional when generating a certificate. |
| policy_identifiers | list (comma-separated) | false | | A list of policy OIDs. |
| basic_constraints_valid_for_non_ca | bool | false | | Mark Basic Constraints valid when issuing non-CA certificates. |
| not_before_duration | number (seconds) | false | 30 | The duration before now the certificate should be considered valid (creation offset). |
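Review bot: the `default` column and the descriptions disagree in several rows of the new table, which is the kind of thing an operator will copy into a role without noticing. `code_signing_flag`, `email_protection_flag`, `allow_bare_domains`, `allow_subdomains`, `allow_glob_domains`, `allow_any_name`, `generate_lease` and `no_store` have an empty default while the text says (or implies) "Defaults to false"; `ttl` says "Defaults to the value of max_ttl" but neither row states what `max_ttl` defaults to; and `ext_key_usage` shows `[]` where every other list row leaves the cell blank. Suggest filling the cell with `false` (or the real value) wherever the description names one, and using one notation for an empty list. Two rows also need sharper wording: `require_cn` is the only one phrased as "If false ...", which reads as an inversion next to the "If set ..." rows, and `key_bits` says "You may want to change this if you adjust key_type" without stating which bit sizes are valid for "rsa" versus "ec". Finally, `allow_any_name` ("any CN they like") is at least as sensitive as `allow_bare_domains`, which the table already flags as a possible security threat; the `allow_any_name` row should say that it bypasses the `allowed_domains`, `allow_subdomains`, `allow_bare_domains` and `allow_glob_domains` restrictions so readers understand it is an override, not one more filter. The example invocation hardcodes the role name `hashiwebserver` and uses `<key>`, while the table header calls the same thing `name`; aligning the two (`vault write keyfactor/roles/<role_name> <name>="<value>"`) would avoid a reader assuming `hashiwebserver` is a required path segment.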