From 37079902631f5eac1939d1677f1c7641892763df Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Mon, 8 Apr 2024 14:05:06 -0600 Subject: [PATCH] backport of commit d1fda882a570d34f256e61ee207a163aa4cb4072 (#26302) Co-authored-by: James Bayer <1139532+jbayer@users.noreply.github.com> --- website/content/docs/secrets/kmip.mdx | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/website/content/docs/secrets/kmip.mdx b/website/content/docs/secrets/kmip.mdx index d1ce62b3870f..dda13a6789b7 100644 --- a/website/content/docs/secrets/kmip.mdx +++ b/website/content/docs/secrets/kmip.mdx @@ -74,6 +74,15 @@ requests. ```text $ vault write kmip/config listen_addrs=0.0.0.0:5696 ``` +### KMIP Certificate Authority for Client Certificates + +When the KMIP Secrets Engine is initially configured, Vault generates a KMIP +Certificate Authority (CA) whose only purpose is to authenticate KMIP client +certificates. + +Vault uses the internal KMIP CA to generate certificates for clients +authenticating to Vault with the KMIP protocol. You cannot import external KMIP +authorities. All KMIP authentication must use the internally-generated KMIP CA. ## Usage
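Review bot: the new `### KMIP Certificate Authority for Client Certificates` heading is added immediately after the closing ```` ``` ```` of the `vault write kmip/config` example with no blank line between them, whereas the rest of this file separates blocks with a blank line (compare the blank line preceding `## Usage` in the trailing context); insert a blank line before the heading so the MDX renders consistently. The two new paragraphs also state the same fact twice ("whose only purpose is to authenticate KMIP client certificates" and "Vault uses the internal KMIP CA to generate certificates for clients authenticating to Vault with the KMIP protocol"); consider folding them into one paragraph that leads with the operative constraint, "You cannot import external KMIP authorities. All KMIP authentication must use the internally-generated KMIP CA.", since that restriction is the point a reader configuring the engine needs.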