backport of commit 6795afe

builtin/credential/cert/path_certs.go

@@ -117,7 +117,7 @@ All values much match. Supports globbing on "value".`,
 			"allowed_metadata_extensions": {
 				Type: framework.TypeCommaStringSlice,
 				Description: `A comma-separated string or array of oid extensions.
-Upon successfull authentication, these extensions will be added as metadata if they are present
+Upon successful authentication, these extensions will be added as metadata if they are present
 in the certificate. The metadata key will be the string consisting of the oid numbers
 separated by a dash (-) instead of a dot (.) to allow usage in ACL templates.`,
 			},

website/content/api-docs/auth/cert.mdx

@@ -61,6 +61,11 @@ Sets a CA cert and associated parameters in a role name.
   string or array of `oid:value`. Expects the extension value to be some type
   of ASN1 encoded string. All conditions _must_ be met. Supports globbing on
   `value`.
+- `allowed_metadata_extensions` `(array:[])` - A comma separated string or
+  array of oid extensions. Upon successful authentication, these extensions
+  will be added as metadata if they are present in the certificate. The
+  metadata key will be the string consisting of the oid numbers separated
+  by a dash (-) instead of a dot (.) to allow usage in ACL templates.
 - `display_name` `(string: "")` - The `display_name` to set on tokens issued
   when authenticating against this CA certificate. If not set, defaults to the
   name of the role.
@@ -294,6 +299,9 @@ Configuration options for the method.
 - `disable_binding` `(boolean: false)` - If set, during renewal, skips the
   matching of presented client identity with the client identity used during
   login.
+- `enable_identity_alias_metadata` `(boolean: false)` - If set, metadata of
+  the certificate including the metadata corresponding to
+  `allowed_metadata_extensions` will be stored in the alias
 
 ### Sample Payload