Description
When I try to use the /pki_int/sign-verbatim endpoint to sign a new certificate based on the provided CSR, with basicConstraints=critical,CA:false added, I get the following warning in the request response: warnings":["specified CSR contained a Basic Constraints extension that was ignored during issuance"]
The issued cert has no basic constraints at all.
According to the OpenSSL documentation (see https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html), some applications require basicConstraints=critical,CA:false on end-entity certificates, but Vault ignores the explicitly provided constraints.
Basic Constraints.
This is a multi-valued extension which indicates whether a certificate is a CA certificate. The first (mandatory) name is CA followed by TRUE or FALSE. If CA is TRUE then an optional pathlen name followed by a non-negative value can be included.
For example:
basicConstraints=CA:TRUE
basicConstraints=CA:FALSE
basicConstraints=critical,CA:TRUE, pathlen:0
A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.
Perhaps /pki_int/sign-verbatim should have a parameter similar to use_csr_values, as /pki_int/root/sign-intermediate does.
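A constructed check for the behaviour described above, added here and not part of the report or of Vault's code: it builds a CSR that requests basicConstraints=critical,CA:false, signs it with a throwaway CA either dropping the extension (as the warning says happens) or carrying it through, and inspects both the CSR's and the issued certificate's extension lists with one function. Everything uses Go's standard library; the function and subject names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// id-ce-basicConstraints (2.5.29.19); under DER, CA:FALSE encodes only as an empty SEQUENCE.
var oidBasicConstraints, bcCAFalseDER = asn1.ObjectIdentifier{2, 5, 29, 19}, []byte{0x30, 0x00}
// basicConstraints inspects a CSR's or a certificate's extension list: is Basic Constraints present,
// is it critical, and does it assert CA:TRUE? Any non-canonical value is reported as CA (fail closed).
func basicConstraints(exts []pkix.Extension) (present, critical, isCA bool) {
	for _, ext := range exts {
		if ext.Id.Equal(oidBasicConstraints) {
			return true, ext.Critical, !bytes.Equal(ext.Value, bcCAFalseDER)
		}
	}
	return false, false, false
}
// newCSR builds a constructed CSR requesting basicConstraints=critical,CA:false, as in the report.
func newCSR() (*x509.CertificateRequest, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "end-entity"},
		ExtraExtensions: []pkix.Extension{{Id: oidBasicConstraints, Critical: true, Value: bcCAFalseDER}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der) // round-trip so Extensions is filled from the DER
}

// issue signs the CSR with a throwaway CA. keepBC=false reproduces the behaviour in the report
// (the requested extension is dropped); keepBC=true carries CA:FALSE onto the issued leaf.
func issue(csr *x509.CertificateRequest, keepBC bool) (*x509.Certificate, error) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "test-ca"}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: keepBC}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running basicConstraints over the leaf returned by an issuer is the post-issuance check the report asks for: present and critical with CA:FALSE on an end-entity certificate, and never CA:TRUE when the request came through a verbatim-signing path.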
To Reproduce
Steps to reproduce the behavior:
openssl genrsa -out end-entity-pk.pem 4096
Expected behavior
Issued certificate contains the following: