
az keyvault certificate create unable to set X509 Certificate properties Basic Constraints CA = true #18178

Closed
tringuyen-yw opened this issue May 21, 2021 · 6 comments

tringuyen-yw commented May 21, 2021

Describe the bug

The goal is to create a self-signed X.509 certificate to be used as our own Certificate Authority certificate. The generated certificate must have the X509v3 Basic Constraints property CA set to true.

The issue is that it is impossible to use az keyvault certificate create to set that value, even if it is explicitly defined in the certificate policy. As of 2021-05-20, the only way to set that value is to use the REST API as described here. A working REST API call is supplied in the "Expected Behavior" section.

Command Name
az keyvault certificate create ... see details in "To Reproduce" section

The command successfully creates a certificate, but the X509v3 Basic Constraints have the CA property set to false regardless of the value supplied in the JSON of the certificate policy.

To Reproduce:

AZ_VAULTNAME='mykeyvault'
KV_CERTNAME='myfake-ca'

az keyvault certificate create --vault-name $AZ_VAULTNAME -n $KV_CERTNAME --policy @MyCertPolicy.json

Content of MyCertPolicy.json. Please note the section basic_constraints with "ca": true

{
  "issuerParameters": {
    "certificateTransparency": null,
    "name": "Self"
  },
  "keyProperties": {
    "curve": null,
    "exportable": true,
    "keySize": 4096,
    "keyType": "RSA",
    "reuseKey": true
  },
  "lifetimeActions": [
    {
      "action": {
        "actionType": "AutoRenew"
      },
      "trigger": {
        "daysBeforeExpiry": 90
      }
    }
  ],
  "secretProperties": {
    "contentType": "application/x-pkcs12"
  },
  "x509CertificateProperties": {
    "keyUsage": [
      "cRLSign",
      "dataEncipherment",
      "digitalSignature",
      "keyEncipherment",
      "keyAgreement",
      "keyCertSign"
    ],
    "basic_constraints": {
      "ca": true,
      "path_len_constraint": 3
    },
    "subject": "C=Canada, O=Mock Corp, OU=Mock Unit, CN=Mock Name",
    "subjectAlternativeNames": {
      "dnsNames": [
        "myapp1.mock.edu",
        "myapp2.mock.edu"
      ]
    },
    "validityInMonths": 12
  }
}

Download the certificate and verify its x509 properties

CACERT_FILE="$HOME/Downloads/myfake-ca-certificate.crt"

az keyvault certificate download --vault-name $AZ_VAULTNAME -n $KV_CERTNAME --encoding PEM -f $CACERT_FILE

openssl x509 -in $CACERT_FILE -noout -text

Notice the output shows X509v3 Basic Constraints: CA: FALSE

Certificate:                                                                                                           
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:c5:b4:83:82:4a:xx:xx:a5:2b:79:d5:28:xx75:4d
        Signature Algorithm: sha256WithRSAEncryption

     ...etc...

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Basic Constraints:
                CA:FALSE

     ...etc...

Expected Behavior

X509v3 Basic Constraints should be CA:TRUE, as is possible when the certificate is created using the REST API.

MYSP_CLIENTID='abcdefab-1234-abcd-efdc-123456789012'
MYSP_CLIENTSECRET='blabla...blabla'
AZ_TENANT_ID='value of homeTenantId when `az login` is successful'

# acquire access token
OAUTH2_TOKEN=$(curl -X POST https://login.microsoftonline.com/$AZ_TENANT_ID/oauth2/token \
-d "grant_type=client_credentials&client_id=${MYSP_CLIENTID}&client_secret=${MYSP_CLIENTSECRET}&resource=https://vault.azure.net" | jq -r '.access_token')

# create certificate
curl -X POST "https://$AZ_VAULTNAME.vault.azure.net/certificates/$KV_CERTNAME/create?api-version=7.2" \
 -H "Authorization: Bearer $OAUTH2_TOKEN" -H "content-type: application/json" \
 --data @MyCertPolicy_REST.json

Content of MyCertPolicy_REST.json. Somehow, the REST API uses different key names than the AZ CLI.

{
  "policy": {
    "issuer": {
      "name": "Self"
    },
    "key_props": {
      "exportable": true,
      "kty": "RSA",
      "key_size": 4096,
      "reuse_key": true
    },
    "lifetime_actions": [
      {
        "trigger": {
          "days_before_expiry": 90
        },
        "action": {
          "action_type": "AutoRenew"
        }
      }
    ],
    "secret_props": {
      "contentType": "application/x-pkcs12"
    },
    "x509_props": {
      "subject": "C=Canada, O=Mock Corp, OU=Mock Unit, CN=Mock Name",
      "sans": {
        "dns_names": [
          "myapp1.mock.edu",
          "myapp2.mock.edu"
        ]
      },
      "key_usage": [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment"
      ],
      "validity_months": 12,
      "basic_constraints": {
        "ca": true,
        "path_len_constraint": 3
      }
    }
  }
}

Environment Summary

Ubuntu 20.04.2
Linux-5.8.0-53-generic-x86_64-with-debian-bullseye-sid
Python 3.6.10
Installer: DEB

azure-cli 2.23.0

Additional Context

@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels May 21, 2021
@yonzhan yonzhan added the KeyVault az keyvault label May 22, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label May 22, 2021
@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label May 22, 2021
@yonzhan yonzhan added this to the S188 milestone May 22, 2021
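As an added example (not part of the issue and not Azure CLI or Key Vault code), the "download and inspect with openssl" check from the report, scripted so that a certificate intended to act as a CA is rejected automatically when the service hands back CA:FALSE. It assumes only the openssl CLI; the two certificates are generated locally as constructed inputs, standing in for the output of az keyvault certificate download. The cert_is_ca, cert_can_sign_certs, cert_pathlen, make_test_cert and report_cert functions are names chosen here, not CLI commands.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or from Azure CLI: script the openssl check the
# reporter performs by eye so a pipeline can refuse a would-be CA cert that carries
# CA:FALSE. Assumes only the openssl CLI; certificates below are constructed locally.
set -u

# cert_is_ca <pem-file>: succeeds only if X509v3 Basic Constraints says CA:TRUE.
# RFC 5280 path validation requires this flag; keyCertSign in Key Usage is not enough.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# cert_can_sign_certs <pem-file>: succeeds if Key Usage includes Certificate Sign.
cert_can_sign_certs() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

# cert_pathlen <pem-file>: prints the pathlen constraint, or nothing if there is none.
cert_pathlen() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' \
        | sed -n 's/.*pathlen:\([0-9][0-9]*\).*/\1/p'
}

# make_test_cert <out.pem> "<basicConstraints value>": constructed self-signed RSA cert
# whose Key Usage mirrors the policy in the report (digitalSignature, keyCertSign, cRLSign).
make_test_cert() {
    local out=$1 bc=$2 cfg key
    cfg=$(mktemp) && key=$(mktemp)
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = Mock Name
O = Mock Corp
[ext]
basicConstraints = critical, ${bc}
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$cfg" -keyout "$key" -out "$out" >/dev/null 2>&1
    rm -f "$cfg" "$key"
}

# report_cert <pem-file>: one-line verdict in the style of the manual openssl check.
report_cert() {
    local f=$1 ca=FALSE ks=no
    cert_is_ca "$f" && ca=TRUE
    cert_can_sign_certs "$f" && ks=yes
    printf '%s: CA:%s pathlen:%s keyCertSign:%s\n' "$f" "$ca" "$(cert_pathlen "$f")" "$ks"
}

# Demo on constructed input: one real CA cert, and one that, like the cert Key Vault
# returned in the report, carries keyCertSign but Basic Constraints CA:FALSE.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/ca.pem"   "CA:TRUE, pathlen:3"
make_test_cert "$demo_dir/leaf.pem" "CA:FALSE"
report_cert "$demo_dir/ca.pem"
report_cert "$demo_dir/leaf.pem"
rm -rf "$demo_dir"
```

The second certificate is the interesting one: its Key Usage lists Certificate Sign exactly as in the openssl output in the report, yet cert_is_ca fails because Basic Constraints is CA:FALSE, which is the flag a verifier actually consults when building a chain. Point cert_is_ca at the file written by az keyvault certificate download to gate the CLI-created cert before anything trusts it as a root.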

yonzhan commented May 22, 2021

key vault

jlichwa commented May 25, 2021

Not supported by service, feature request here Azure/azure-rest-api-specs#11962 (comment) #please-close

tringuyen-yw commented May 28, 2021

Not supported by service

@jlichwa instead of closing, is it possible to convert this issue into a feature request for Azure CLI?

jlichwa commented May 28, 2021

@tringuyen-yw The CLI team cannot do anything without the feature first being implemented by the service: see the link above. Once the service supports it, we always release it to all clients, so there is no need to create an issue for each client.

tringuyen-yw commented

It seems that it is already working with the REST API. Can you run the curl example I wrote in the Expected Behavior section?

jlichwa commented May 28, 2021

@tringuyen-yw It is for internal use only and not supported for public use; it has unknown behavior.
