Add new params to documentation

website/source/docs/auth/cert.html.md

@@ -60,18 +60,25 @@ it is up to the administrator to remove it from the backend.
 ## Authentication
 
 ### Via the CLI
+The below requires Vault to present a certificate signed by `ca.pem` and
+presents `cert.pem` (using `key.pem`) to authenticate against the `web` cert
+role. If a certificate role name is not specified, the auth backend will try to
+authenticate against all trusted certificates.
+
 ```
 $ vault auth -method=cert \
-    -ca-cert=ca.pem -client-cert=cert.pem -client-key=key.pem
+    -ca-cert=ca.pem -client-cert=cert.pem -client-key=key.pem \
+    name=web
 ```
 
 ### Via the API
 The endpoint for the login is `/login`. The client simply connects with their TLS
 certificate and when the login endpoint is hit, the auth backend will determine
-if there is a matching trusted certificate to authenticate the client.
+if there is a matching trusted certificate to authenticate the client. Optionally,
+you may specify a single certificate role to authenticate against.
 
 ```
-$ curl --cacert ca.pem --cert cert.pem --key key.pem \
+$ curl --cacert ca.pem --cert cert.pem --key key.pem -d name=web \
     $VAULT_ADDR/v1/auth/cert/login -XPOST
 ```
 
@@ -175,6 +182,7 @@ of the header should be "X-Vault-Token" and the value should be the token.
         "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
         "display_name": "test",
         "policies": "",
+        "required_name": "",
         "ttl": 2764800
       },
       "warnings": null,
@@ -245,6 +253,14 @@ of the header should be "X-Vault-Token" and the value should be the token.
         <span class="param-flags">required</span>
         The PEM-format CA certificate.
       </li>
+      <li>
+        <span class="param">required_name</span>
+        <span class="param-flags">optional</span>
+        Constrain the Common and Alternative Names in the client certificate
+        with a [globbed pattern](https://github.com/ryanuber/go-glob/blob/master/README.md#example).
+        Authentication requires at least one Name matching the pattern.
+        If not set, defaults to allowing all names.
+      </li>
       <li>
         <span class="param">policies</span>
         <span class="param-flags">optional</span>
@@ -382,8 +398,8 @@ of the header should be "X-Vault-Token" and the value should be the token.
 <dl class="api">
   <dt>Description</dt>
   <dd>
-    Log in and fetch a token. If there is a valid chain to a CA configured in the backend,
-    a token will be issued.
+    Log in and fetch a token. If there is a valid chain to a CA configured in
+    the backend and all role constraints are matched, a token will be issued.
   </dd>
 
   <dt>Method</dt>
@@ -394,7 +410,15 @@ of the header should be "X-Vault-Token" and the value should be the token.
 
   <dt>Parameters</dt>
   <dd>
-    None.
+    <ul>
+      <li>
+        <span class="param">name</span>
+        <span class="param-flags">optional</span>
+        Authenticate against only the named certificate role, returning its
+        policy list if successful. If not set, defaults to trying all
+        certificate roles and returning any one that matches.
+      </li>
+    </ul>
   </dd>
 
   <dt>Returns</dt>