New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Request: PKI engine copies IP address as DNS name into SAN extension #8424
Comments
Hello @gnugnug - thanks for writing in this feature request. I'm not yet convinced this is a good feature to add, specifically because as you mention that 10.0.0.1 is not a valid common name. I worry that adding logic to accept IP addresses for This scenario sounds very specific to a use case you may have. Is there any other widely used case that would add support for this idea? |
Thank you for your response @catsby I believe there is a misunderstanding. I didn't write that 10.0.0.1 would be an invalid common name, in fact as far as I know the specification allows to put any kind of string into the common name field. I'll try to explain our use case in more detail:
I am not aware of a scenario where having an IP address in the dnsName field would be desirable, so I do not believe that this adds unexpected behaviour to Vault - hence my feature request that Vault should not produce such certificates. |
An IP can be a legit common name. See https://stackoverflow.com/questions/5136198/what-strings-are-allowed-in-the-common-name-attribute-in-an-x-509-certificate. The only constraint on CN is the length, which is not enforced everywhere. OpenSSL does check whether a CN is longer than 64 chars. We also would like to be able to specify It makes sense to specify |
When creating a PKI role in Vault and issuing a certificate via
Vault creates a certificate with a Subject Alternative Name extension with the value "DNS:10.0.0.1"
The created certificate is invalid, since 10.0.0.1 is not a DNS name.
Expected Behavior:
It would be more convenient if Vault would check whether common_name is an IP address and copy it as IP address:10.0.0.1 into the SAN extension.
Otherwise you have to work around this behaviour on the client side by performing the same check and in case of an IP address set exclude_cn_from_sans=true and ip_sans=10.0.0.1
The text was updated successfully, but these errors were encountered: