Vault PKI creating specific authority chain

David Faiz

Mar 4, 2018, 5:39:29 AM
to Vault
Hello,

I'm trying to create a specific certificate chain, and when I attempt to issue the actual certificates I get the following error:

Error writing data to second_int/issue/role_name: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/second_int/issue/role_name
Code: 400. Errors:

* cannot satisfy request, as TTL is beyond the expiration of the CA certificate


The process:
  1. Generate root for 2 years
  2. From root generate intermediate
  3. From intermediate generate another intermediate
  4. Generate server certificate
Here are the commands:
vault secrets enable -max-lease-ttl=17530h pki
vault write pki/root/generate/internal common_name=myvault.com ttl=17530h
vault secrets enable -max-lease-ttl=8770h -path=pki_intermediate pki
vault write pki_intermediate/intermediate/generate/internal common_name=myvault.com ttl=8770h   # generates a certificate signing request
vault write pki/root/sign-intermediate csr=@pki_int.csr format=pem_bundle   # generates an intermediate certificate
vault write pki_intermediate/intermediate/set-signed certificate=@signed_certificate.pem   # allows the intermediate certificate authority to issue certificates

vault secrets enable -max-lease-ttl=8765h -path=secondary_intermediate pki
vault write secondary_intermediate/intermediate/generate/internal common_name=myvault.com ttl=8765h   # generates a certificate signing request
vault write pki_intermediate/root/sign-intermediate csr=@pki_secondary.csr format=pem_bundle   # generates a secondary intermediate certificate
vault write secondary_intermediate/intermediate/set-signed certificate=@signed_certificate.pem   # allows the secondary intermediate certificate authority to issue certificates

This passes without any issues, but when I try to generate certificates like so:

vault write secondary_intermediate/roles/my_domain allowed_domains=myvault.com allow_subdomains=true max_ttl=8600h
vault write secondary_intermediate/issue/my_domain common_name=apps.myvault.com ttl=870h


I get the error above. Please advise.


Jeff Mitchell

Mar 7, 2018, 8:18:12 PM
to Vault
Hi there,

I think the issue is that the CSR generation endpoint will mark the CSR's requested expiration, but unless you are specifying that CSR values should be used when actually signing it, the certificate issued when the CSR is signed will use the TTL specified at signing time -- and if not specified, will use the default, which itself will default to 32 days (you are setting only the max, not the default, when enabling the mounts). So the actual certificates you're generating are good for 32 days, not the values you think they should be good for.

Best,
Jeff
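The following script is an added example, not code from either post in this thread. It rebuilds the same root -> intermediate -> secondary intermediate chain, but passes ttl= at signing time (the point of the reply above) and sets -default-lease-ttl on each mount, then checks a CA's notAfter before issuing under it so the TTL mismatch is caught locally with a readable reason. It assumes an authenticated vault CLI with VAULT_ADDR set, openssl and GNU date for the check, and the file names and helper names (sign_and_install, issue_leaf, ttl_fits) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the root -> intermediate ->
# secondary intermediate chain so that every CA gets its lifetime at signing
# time, and check a CA's notAfter before issuing under it.
# Assumptions: the vault CLI is authenticated with VAULT_ADDR set, and
# openssl plus GNU date (for `date -d`) are available for the check.

# Convert a Vault-style duration (870h, 32d, 45m, 300s, or bare seconds) to seconds.
ttl_seconds() {
  case "$1" in
    *h) echo $(( ${1%h} * 3600 )) ;;
    *d) echo $(( ${1%d} * 86400 )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo "${1%s}" ;;
    *)  echo "$1" ;;
  esac
}

# The rule behind the 400 in the thread: a certificate may not outlive its issuer.
# Usage: ttl_fits <issuer_notAfter_epoch> <now_epoch> <ttl>
# Prints the slack in seconds (negative when the TTL does not fit) and fails in that case.
ttl_fits() {
  slack=$(( $1 - $2 - $(ttl_seconds "$3") ))
  echo "$slack"
  [ "$slack" -ge 0 ]
}

# notAfter of a mount's current CA certificate as a Unix timestamp.
ca_not_after() {
  vault read -field=certificate "$1/cert/ca" \
    | openssl x509 -noout -enddate \
    | sed 's/^notAfter=//' \
    | { read -r d; date -u -d "$d" +%s; }
}

# Sign a CSR into a child CA and install it. ttl= on sign-intermediate is what
# ends up in the certificate; the ttl given at CSR generation is only a request.
# (use_csr_values=true is the alternative that honours the CSR's own values.)
sign_and_install() {
  parent=$1 child=$2 csr=$3 ttl=$4
  vault write -field=certificate "$parent/root/sign-intermediate" \
    csr="@$csr" format=pem_bundle ttl="$ttl" > "$child.signed.pem"
  vault write "$child/intermediate/set-signed" certificate="@$child.signed.pem"
}

build_chain() {
  # Set both TTLs on each mount; -default-lease-ttl is what issue/sign fall back
  # to when no ttl= is passed (the thread's commands only set the max).
  vault secrets enable -path=pki -default-lease-ttl=17530h -max-lease-ttl=17530h pki
  vault write pki/root/generate/internal common_name=myvault.com ttl=17530h

  vault secrets enable -path=pki_intermediate -default-lease-ttl=8770h -max-lease-ttl=8770h pki
  vault write -field=csr pki_intermediate/intermediate/generate/internal \
    common_name=myvault.com ttl=8770h > pki_int.csr
  sign_and_install pki pki_intermediate pki_int.csr 8770h

  vault secrets enable -path=secondary_intermediate -default-lease-ttl=8765h -max-lease-ttl=8765h pki
  vault write -field=csr secondary_intermediate/intermediate/generate/internal \
    common_name=myvault.com ttl=8765h > pki_secondary.csr
  sign_and_install pki_intermediate secondary_intermediate pki_secondary.csr 8765h

  vault write secondary_intermediate/roles/my_domain \
    allowed_domains=myvault.com allow_subdomains=true max_ttl=8600h
}

# Refuse locally, with a readable reason, before Vault would return the 400.
issue_leaf() {
  mount=$1 role=$2 cn=$3 ttl=$4
  if ! ttl_fits "$(ca_not_after "$mount")" "$(date -u +%s)" "$ttl" >/dev/null; then
    echo "refusing: ttl=$ttl outlives the CA certificate on $mount" >&2
    return 1
  fi
  vault write "$mount/issue/$role" common_name="$cn" ttl="$ttl"
}

# Typical run: build_chain && issue_leaf secondary_intermediate my_domain apps.myvault.com 870h
```

With the thread's numbers, ttl_fits shows the failure directly: an intermediate signed without ttl= on a mount whose default is 768h (32 days) leaves 768h of lifetime, so a leaf request for 870h comes out 367200 seconds short; the same leaf under an intermediate signed with ttl=8765h has about 28.4 million seconds to spare. Reading MOUNT/cert/ca through openssl is also the quickest way to confirm what lifetime each CA in an existing chain actually received.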

To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/11eafbd0-faf9-412f-ae0e-6f8bd012fecc%40googlegroups.com.