Vault ignored Basic Constraints extension specified in CSR during issuance #24817

Open
mvkonovalov opened this issue Jan 11, 2024 · 0 comments
mvkonovalov commented Jan 11, 2024

Description
When I try to use the /pki_int/sign-verbatim endpoint to sign a new certificate based upon the provided CSR with added basicConstraints=critical,CA:false, I get the following warning in the request response:
warnings":["specified CSR contained a Basic Constraints extension that was ignored during issuance"]

The issued cert has no basic constraints at all.

According to the OpenSSL documentation (see https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html), for some applications it is required to have basicConstraints=critical,CA:false in the case of an end-entity certificate, but Vault ignores the explicitly provided constraints.

Basic Constraints.

This is a multi valued extension which indicates whether a certificate is a CA certificate. The first (mandatory) name is CA followed by TRUE or FALSE. If CA is TRUE then an optional pathlen name followed by a non-negative value can be included.

For example:
basicConstraints=CA:TRUE
basicConstraints=CA:FALSE
basicConstraints=critical,CA:TRUE, pathlen:0

A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.

Perhaps in the case of /pki_int/sign-verbatim there should be a parameter similar to use_csr_values, as for /pki_int/root/sign-intermediate.

To Reproduce
Steps to reproduce the behavior:

  1. Perform first 2 steps from https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine
  2. Run openssl genrsa -out end-entity-pk.pem 4096
  3. Run
openssl req \
    -addext "basicConstraints=critical,CA:false" \
    -new -sha256 -key end-entity-pk.pem \
    -subj "/C=/L=/O=/OU=/CN=foo" \
    -out end-entity-cert.csr
  4. Run
cat > payload.json<<EOF
{
    "format":"pem",
    "csr":"$(sed ':a;N;$!ba;s/\n/\\n/g' end-entity-cert.csr)",
    "ttl":"180d"
}
EOF

curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data @payload.json \
    $VAULT_ADDR/v1/pki_int/sign-verbatim

Expected behavior
Issued certificate contains the following:

X509v3 Basic Constraints critical:
CA:FALSE
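An added example, not from the issue and not Vault's code: it rebuilds the reporter's CSR with the openssl CLI, contrasts a signer that drops the requested extension with one that sets it from its own policy file, and gives the check to run on whatever a CA returns before the certificate is deployed. It assumes an openssl binary of version 1.1.1 or newer on PATH (for -addext) and a scratch directory; $VAULT_ADDR is never contacted.

```shell
#!/bin/sh
# Added example (not part of the issue): reproduce the reporter's CSR locally
# and verify where the Basic Constraints extension actually ends up.
set -eu
WORK="$(mktemp -d)"   # constructed scratch directory

# Key and CSR as in the reproduction steps (2048-bit here only to keep it fast).
make_csr() {
  openssl genrsa -out "$WORK/end-entity-pk.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/end-entity-pk.pem" \
    -addext "basicConstraints=critical,CA:false" \
    -subj "/CN=foo" -out "$WORK/end-entity-cert.csr" 2>/dev/null
}

# Report the Basic Constraints extension of a CSR (req) or certificate (x509)
# as e.g. "critical CA:FALSE", or "missing" when the extension is absent.
# This is the post-issuance check: never trust that the CA honoured the CSR.
basic_constraints() {   # $1 = req | x509, $2 = PEM file
  openssl "$1" -in "$2" -noout -text 2>/dev/null | awk '
    /X509v3 Basic Constraints/ {
      crit = ($0 ~ /critical/) ? "critical" : "non-critical"
      getline; sub(/^[ \t]+/, "")
      print crit " " $0; found = 1
    }
    END { if (!found) print "missing" }'
}

# Stand-in signer 1: plain `openssl x509 -req` discards CSR extensions unless
# told to copy them, which reproduces offline what the Vault warning describes.
sign_ignoring_csr_extensions() {
  openssl x509 -req -in "$WORK/end-entity-cert.csr" -signkey "$WORK/end-entity-pk.pem" \
    -days 1 -out "$WORK/ignored.pem" 2>/dev/null
}

# Stand-in signer 2: the signer adds the constraint from its own policy file,
# the behaviour the reporter asks for from sign-verbatim.
sign_with_policy_extensions() {
  printf 'basicConstraints=critical,CA:false\n' > "$WORK/end-entity.ext"
  openssl x509 -req -in "$WORK/end-entity-cert.csr" -signkey "$WORK/end-entity-pk.pem" \
    -days 1 -extfile "$WORK/end-entity.ext" -out "$WORK/constrained.pem" 2>/dev/null
}

make_csr
echo "CSR:            $(basic_constraints req  "$WORK/end-entity-cert.csr")"
sign_ignoring_csr_extensions
echo "cert (ignored): $(basic_constraints x509 "$WORK/ignored.pem")"
sign_with_policy_extensions
echo "cert (policy):  $(basic_constraints x509 "$WORK/constrained.pem")"
```

Run the same `basic_constraints x509` check on the PEM returned by Vault's sign-verbatim call to confirm whether the issued certificate carries the extension.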