Can Vault issue certificates with wildcard DNS IP entries?


Derry O' Sullivan

Jan 24, 2019, 10:37:20 AM
to Vault
Trying to issue a certificate (using Vault as an intermediate CA). Is it possible for Vault to issue a certificate with a wildcard IP DNS entry for SANs?

vault write pki_int/issue/test common_name="test.example.com" alt_names="10.3.0.*,some.other.name" ip_sans="1.2.3.4" -format=json | jq -r '.data.certificate' | openssl x509 -text | grep DNS
                DNS:test.example.com, DNS:some.other.name, IP Address:1.2.3.4

Note that the 10.3.0.* didn't get added.

Looking at the code, it looks like IPs get passed through Go's net.ParseIP call, which returns nil for wildcard IPs.

For reference, my role is:
vault read -namespace=DevTest/scylladc pki_int/roles/test
Key                                   Value
---                                   -----
allow_any_name                        true
allow_bare_domains                    true
allow_glob_domains                    true
allow_ip_sans                         true
allow_localhost                       true
allow_subdomains                      true
allow_token_displayname               false
allowed_domains                       [example.com]
allowed_other_sans                    <nil>
allowed_serial_numbers                []
allowed_uri_sans                      [true]
basic_constraints_valid_for_non_ca    false
client_flag                           true
code_signing_flag                     false
country                               []
email_protection_flag                 false
enforce_hostnames                     false
ext_key_usage                         []
ext_key_usage_oids                    []
generate_lease                        false
key_bits                              2048
key_type                              rsa
key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]
locality                              []
max_ttl                               72h
no_store                              false
not_before_duration                   30s
organization                          []
ou                                    []
policy_identifiers                    []
postal_code                           []
province                              []
require_cn                            true
server_flag                           true
street_address                        []
ttl                                   0s
use_csr_common_name                   false
use_csr_sans                          false
thanks in advance
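An added Go example (not part of this thread or of Vault's own code) that reproduces the classification the post describes: an entry ends up as an IP SAN only if net.ParseIP accepts it, as a DNS SAN only if it is a host name whose sole wildcard is a leading "*." label, and is otherwise silently dropped; the hostname pattern is an assumed approximation of Vault's, and MissingSANs is a hypothetical post-issuance check that catches dropped entries before a certificate is deployed.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// hostnameRE accepts RFC 1123 host names with an optional leading "*." label,
// the only wildcard form an X.509 dNSName SAN supports. Assumed approximation
// of the pattern Vault's PKI engine applies to alt_names; not copied from Vault.
var hostnameRE = regexp.MustCompile(`^(\*\.)?([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$`)

// ClassifySAN reports how a requested name would land in the certificate:
// "ip" (iPAddress SAN, a fixed 4- or 16-octet value), "dns" (dNSName SAN) or
// "dropped" when it is neither a parseable IP nor a valid host name.
func ClassifySAN(name string) string {
	if net.ParseIP(name) != nil {
		return "ip"
	}
	if hostnameRE.MatchString(name) {
		return "dns"
	}
	return "dropped" // e.g. "10.3.0.*": not an IP, and "*" is only valid as a leading label
}

// MissingSANs compares the names a caller requested with those actually present
// in the issued certificate, so silently dropped entries are noticed.
func MissingSANs(requested []string, cert *x509.Certificate) []string {
	present := map[string]bool{}
	for _, d := range cert.DNSNames {
		present[strings.ToLower(d)] = true
	}
	for _, ip := range cert.IPAddresses {
		present[ip.String()] = true
	}
	var missing []string
	for _, r := range requested {
		key := strings.ToLower(r)
		if ip := net.ParseIP(r); ip != nil {
			key = ip.String() // normalise so "1.2.3.4" and "::ffff:1.2.3.4" compare equal
		}
		if !present[key] {
			missing = append(missing, r)
		}
	}
	return missing
}

func main() {
	for _, n := range []string{"10.3.0.*", "*.example.com", "1.2.3.4", "some.other.name"} {
		fmt.Printf("%-16s -> %s\n", n, ClassifySAN(n))
	}
	// Constructed to mirror the SANs shown in the post's openssl output.
	issued := &x509.Certificate{
		DNSNames:    []string{"test.example.com", "some.other.name"},
		IPAddresses: []net.IP{net.ParseIP("1.2.3.4")},
	}
	fmt.Println("missing:", MissingSANs([]string{"test.example.com", "10.3.0.*", "some.other.name", "1.2.3.4"}, issued))
}
```

In practice, pass the certificate parsed from the `.data.certificate` PEM to MissingSANs right after `vault write ... pki_int/issue/...`, since the engine does not fail the request when an entry is dropped.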

Jeff Mitchell

Jan 25, 2019, 10:50:37 AM
to Vault
Hi,

It is not possible.

Best,
Jeff
