PKI: Is there a way to import a CA:false TLS certificate


Romain Buisson

May 28, 2018, 10:53:16 AM5/28/18
to Vault
Hi guys!

After doing some research on this topic and many trials, we haven't found a solution to my problem. Just double checking here that this is indeed the case.

My idea would be to have Vault used as an intermediate PKI, signed with our *.mydomain.com GoDaddy certificate, to distribute individual TLS certificates to clients (on more restrictive domains, eg test.mydomain.com and with shorter TTLs)

However, the TLS cert from GoDaddy has Basic Constraints set to `CA:false`. And that prevents it from being imported in Vault:
the given certificate is not marked for CA use and cannot be used with this backend


Is there any way to work around this?

OpenSSL does not complain about anything when using a `CA:false` cert to sign an intermediate, so I thought we could use OpenSSL to create a `CA:true` intermediate cert. And use this cert to sign the Vault CSR.

Something such as:
GoDaddy *.mydomain.com  (CA:false) --> OpenSSL *.mydomain.com (CA:true) --> Imported in Vault *.mydomain.com --> Vault to distribute test.mydomain.com, dev.mydomain.com...

The scenario above works only if we don't send the full chain, which makes sense: Vault does not know that one member of the chain is `CA:false`.
However, as soon as we add the full chain to Vault, it fails:
verification of parsed bundle failed: certificate 1 of certificate chain is not a certificate authority

And I need to distribute the full chain.

I am guessing there is no workaround for this. But maybe someone has an idea?
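The check Vault is applying here is the cA flag of the Basic Constraints extension in every certificate of the bundle. The script below is an added example for this thread (not code from the post, from GoDaddy, or from Vault) that lets you inspect that flag in a PEM bundle before you try to import it. It uses only the Python standard library: a small DER walker locates the basicConstraints extension (OID 2.5.29.19) in each certificate and reports cA and pathLenConstraint. The two certificates it runs on are constructed stand-ins that mimic only the extension nesting, not real GoDaddy or OpenSSL output; the function names are mine.

```python
"""Inspect the Basic Constraints (cA flag) of every certificate in a PEM bundle.

Added example; standard library only. The certificates at the bottom are
constructed stand-ins, not real certificates.
"""
import base64
import re

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER content bytes of OID 2.5.29.19


def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block found in a PEM string."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def read_tlv(data, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def iter_tlvs(data):
    """Yield (tag, value) for each top-level element of a DER byte string."""
    pos = 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        yield tag, value


def find_basic_constraints(der):
    """Depth-first walk of the DER tree; return the extnValue octets of the
    basicConstraints Extension, or None if the certificate carries none."""
    for tag, value in iter_tlvs(der):
        if not tag & 0x20:  # primitive (INTEGER, OID, BIT STRING...): nothing nested
            continue
        children = list(iter_tlvs(value))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        if len(children) >= 2 and children[0] == (0x06, BASIC_CONSTRAINTS_OID):
            return children[-1][1]
        found = find_basic_constraints(value)
        if found is not None:
            return found
    return None


def basic_constraints(der):
    """Return (cA, pathLenConstraint) for one DER certificate.
    RFC 5280 defaults apply: no extension or no BOOLEAN means cA is FALSE."""
    ext_value = find_basic_constraints(der)
    if ext_value is None:
        return False, None
    _, seq = next(iter_tlvs(ext_value))  # the OCTET STRING wraps one SEQUENCE
    ca, path_len = False, None
    for tag, value in iter_tlvs(seq):
        if tag == 0x01:  # BOOLEAN cA
            ca = value != b"\x00"
        elif tag == 0x02:  # INTEGER pathLenConstraint
            path_len = int.from_bytes(value, "big")
    return ca, path_len


def first_non_ca(pem_text):
    """0-based index of the first certificate in the bundle whose cA flag is not
    TRUE, or None when every certificate is a CA (the condition Vault enforces)."""
    for i, der in enumerate(pem_to_der(pem_text)):
        if not basic_constraints(der)[0]:
            return i
    return None


# --- constructed sample input (stand-ins, not real certificates) -------------

def der(tag, content):
    """Encode one TLV; lengths below 65536 bytes are enough for this example."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def fake_cert(ca, path_len=None):
    """Stand-in certificate: a SEQUENCE whose [3] EXPLICIT extensions block
    carries basicConstraints. Not valid X.509 (no subject, no signature), but
    it nests the extension the way a real certificate does."""
    bc = der(0x01, b"\xff") if ca else b""  # DER omits a DEFAULT FALSE value
    if path_len is not None:
        bc += der(0x02, bytes([path_len]))
    ext = der(0x30, der(0x06, BASIC_CONSTRAINTS_OID) + der(0x01, b"\xff") + der(0x04, der(0x30, bc)))
    tbs = der(0x30, der(0x02, b"\x01") + der(0xA3, der(0x30, ext)))
    body = base64.b64encode(der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# The bundle from the thread, modelled with stand-ins: the OpenSSL-made
# intermediate (CA:true) followed by the GoDaddy wildcard cert (CA:false).
SAMPLE_CHAIN = fake_cert(True, path_len=0) + fake_cert(False)

if __name__ == "__main__":
    for i, cert in enumerate(pem_to_der(SAMPLE_CHAIN)):
        print("certificate", i, "basicConstraints:", basic_constraints(cert))
    print("first non-CA in bundle:", first_non_ca(SAMPLE_CHAIN))
    print("intermediate alone:", first_non_ca(fake_cert(True)))
```

Run against a real bundle by passing the file's text to `first_non_ca`. The result mirrors what the thread observed: the intermediate on its own passes, and the same intermediate with the CA:false wildcard certificate appended is rejected because of the second certificate. That rejection is the relying-party side of the rule, not a Vault quirk: a certificate whose issuer chain contains a non-CA certificate will be refused by any verifier that honours Basic Constraints, so a chain built by signing with a CA:false certificate cannot be distributed to clients even if a PKI were willing to import it.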