
PKI Secrets Engine, Import CA Certificates and Keys does not replace default issuer implicitly #17359

Closed
shaj13 opened this issue Sep 29, 2022 · 2 comments


@shaj13
Contributor

shaj13 commented Sep 29, 2022

Describe the bug
Vault v1.9.4 Import CA Certificates and Keys implicitly replaces the default issuer,
so when importing a CA using /pki/config/ca and then issuing new certs using pki/issue/:name, it signs the generated certs with the latest imported CA.
Within v1.11.3 this behavior has been broken: /pki/config/ca does not replace the default issuer and instead it signs the generated certs from an orphan issuer.
As a workaround, running /pki/root/replace with the issuer ID given in the /pki/config/ca response mapping will sign the generated certs with the latest imported CA.

To Reproduce

  1. export VAULT_ADDR=http://127.0.0.1:8300
  2. vault operator init
  3. vault operator unseal
  4. export VAULT_TOKEN="hvs.5AvuBXwbbM7NzzpJ4P22kxFE"
  5. vault secrets enable pki
  6. vault secrets tune -max-lease-ttl=8760h pki
  7. vault write pki/root/generate/internal common_name=my-website.com ttl=8760h
  8. vault write pki/roles/example-dot-com allowed_domains=my-website.com allow_subdomains=true max_ttl=72h
  9. vault write pki/config/ca @data.json
  10. vault write pki/issue/example-dot-com common_name=blah.example.com
  11. The issuing CA is the same as in step 8 and differs from what has been imported!!
  12. Workaround: vault write pki/root/replace default=9d5e6157-5f18-541b-9742-621eac56c466 -> ID from step 9
  13. vault write pki/issue/example-dot-com common_name=blah.example.com -> now it is okay

Expected behavior
Same as v1.9.4: importing a CA replaces the default issuer implicitly.

Vault server configuration file(s):

listener "tcp" {
  address       = "127.0.0.1:8300"
  tls_cert_file = ""
  tls_key_file  = ""
  tls_disable   = 1
}

api_addr     = "http://127.0.0.1:8300"
cluster_addr = "http://127.0.0.1:8300"

storage "file" {
  path           = "/tmp/vault/storage"
  connection_url = ""
  ha_enabled     = false
}

disable_mlock = true
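To make the behaviour change above checkable after an upgrade, here is an added Python helper (not part of Vault or of this issue) that inspects the JSON printed by `vault write -format=json pki/config/ca @data.json` and `vault read -format=json pki/config/issuers` and reports whether the imported CA became the default issuer or whether the `pki/root/replace` workaround is still needed. The response field names `imported_issuers`, `mapping` and `default` are assumed from the Vault 1.11 PKI API, and the sample responses and UUIDs are constructed.

```python
"""Decide whether a CA imported via pki/config/ca is the default issuer.

Inputs are the JSON documents printed by (constructed samples below):
  vault write -format=json pki/config/ca @data.json   -> IMPORT_RESP
  vault read  -format=json pki/config/issuers         -> ISSUERS_RESP
Field names (imported_issuers, mapping, default) are assumed from the
Vault 1.11 PKI API; the UUIDs are constructed, not real issuer IDs.
"""
from typing import List, Optional

IMPORT_RESP = {"data": {
    "imported_issuers": ["aaaaaaaa-0000-4000-8000-000000000001"],
    "imported_keys": ["bbbbbbbb-0000-4000-8000-000000000001"],
    # issuer ID -> key ID; "" means the cert came without a usable key
    "mapping": {"aaaaaaaa-0000-4000-8000-000000000001":
                "bbbbbbbb-0000-4000-8000-000000000001"},
}}
# default still points at the root generated in step 7 of the report
ISSUERS_RESP = {"data": {"default": "cccccccc-0000-4000-8000-000000000001"}}


def signing_issuers(import_resp: dict) -> List[str]:
    """Imported issuer IDs that are backed by a key and so can sign leaves."""
    data = import_resp.get("data") or {}
    imported = data.get("imported_issuers") or []   # null when re-importing
    mapping = data.get("mapping") or {}
    return [iss for iss in imported if mapping.get(iss)]


def issuer_to_promote(import_resp: dict, issuers_resp: dict) -> Optional[str]:
    """ID to pass to `pki/root/replace default=<id>`, or None when the
    current default already is an imported signing issuer (1.9.4 behaviour)
    or the import brought nothing that can sign."""
    candidates = signing_issuers(import_resp)
    current = (issuers_resp.get("data") or {}).get("default")
    if not candidates or current in candidates:
        return None
    if len(candidates) > 1:
        raise ValueError(f"ambiguous import; choose one of {sorted(candidates)}")
    return candidates[0]


def replace_command(issuer_id: str) -> List[str]:
    """argv for the workaround from the report (pki/root/replace)."""
    return ["vault", "write", "pki/root/replace", f"default={issuer_id}"]


if __name__ == "__main__":
    promote = issuer_to_promote(IMPORT_RESP, ISSUERS_RESP)
    print("default is fine" if promote is None else " ".join(replace_command(promote)))
```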

@cipherboy
Contributor

\o @shaj13

Correct; this was done for consistency.

I'd recommend reading these sections:

Ultimately, this was to ensure a consistent behavior: previously, generate root and intermediate import would err (on Vault 1.9) if it already had previous issuers, whereas /config/ca would, I believe, silently replace them (!!). In both cases, you were importing/creating a new issuer so it made sense to unify their behavior.

If you can suggest other places to put this information or perhaps more concisely, happy to update the docs.

@cipherboy cipherboy added the docs label Sep 29, 2022
@kitography
Contributor

Hi @shaj13 ;
We're introducing a new feature that should allow you to configure this behaviour if you like (one-time workaround), here: #17824

If that doesn't work for you - or the docs are confusing - feel free to reopen or create another issue.
