Need help: TTL of Root CA, Root CA's cert, end certificates...


Andrew Ton

May 23, 2019, 7:16:36 PM
to Vault

Hello,

I get very confused about time-to-live when I create a root CA, the root CA's cert, an intermediate CA, and a cert signed by the intermediate CA.

1. Root CA:
  • Create (enable) a root CA: ./vault secrets enable -path=pki/rootca_dev -description="PKI Root CA for Dev" -max-lease-ttl=87600h pki
  • Create a cert from this root: 
./vault write pki/<name of CA>/root/generate/internal \
        common_name="xxxx.com" \
        ttl=87600h \
        key_bits=4096

 I check the certificate validity and it shows 10 years -> OK

2. Create a role for this root CA:
./vault write pki/rootca_dev/roles/rootca_dev_role \
    key_bits=2048 \
    max_ttl=72h \
    allowed_domains=root-supported-domain.com \
    allow_subdomains=true
3. Create a new Intermediate CA (valid only 5 years):
./vault secrets enable -path=pki/interca_dev -description="Volvo PKI Intermediate CA for Dev" \
    -max-lease-ttl=43800h pki

4. Create a CSR for this intermediate CA (-field=csr writes only the PEM CSR to the file instead of the CLI's table output):
./vault write -field=csr pki/interca_dev/intermediate/generate/internal common_name="yyyy.com" \
    ttl=1h > inter_dev_pki.csr


5. Sign this CSR with the root CA's cert above (step#1); -field=certificate writes only the PEM bundle to the file:
./vault write -field=certificate pki/rootca_dev/root/sign-intermediate csr=@inter_dev_pki.csr format=pem_bundle > interca_dev.cert.pem

6. After setting this cert into the intermediate CA, view the certificate:

The certificate shows:
    Validity
        Not Before: May  6 20:04:57 2019 GMT
        Not After : Jun  7 20:05:27 2019 GMT

Why is the certificate of the intermediate CA signed by the root CA valid for only around 32 days???


So far I have only seen that the validity of certificates for root CAs is correct. Otherwise, the validity of intermediate CAs is wrong, and end certificates signed by these intermediate CAs also have wrong (short) validity.
In addition, when I create a root CA or intermediate CA with a ttl like -max-lease-ttl (step#1 and 3), then create a role for them with a shorter ttl like max_ttl (step#2), or in the CSR, what validity do the resulting certificates issued or signed by these root/intermediate CAs have (the root/intermediate CA's or the role's ttl setting)?

Can somebody explain this clearly to me or point me to helpful resources? Thank you very much!


Tob Ter

May 24, 2019, 8:36:06 AM
to Vault
What is the max_lease_ttl of your pki secrets engine?
vault read /sys/mounts/pki/interca_dev/tune
If the backend itself specifies a maximum ttl of 32 days then you can't set a higher ttl for items within that backend.

If none is specified it will use the global system maximum lease ttl: https://www.vaultproject.io/docs/commands/secrets/tune.html

Michel Vocks

May 24, 2019, 9:15:12 AM
to Vault
Hi there,

you forgot to set the TTL for the intermediate certificate:
vault write pki/rootca_dev/root/sign-intermediate csr=@inter_dev_pki.csr ttl=43800h format=pem_bundle

Cheers,
Michel
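As an added illustration of the TTL rules discussed in this thread (my own example, not code from any of the posters or from Vault), the small model below settles a certificate TTL the way I read the PKI engine doing it: the request's ttl=, else the mount's default_lease_ttl, capped by the role's max_ttl (when a role is used) and by the mount's max_lease_ttl, with Vault's server defaults of 768h for both lease TTLs and its 30-second backdating of Not Before. The precedence order is my assumption and is marked as such in the code; the date format is the one `openssl x509 -noout -dates` prints, so the step 6 dates can be fed in directly.

```python
import re
from datetime import datetime, timedelta

# Vault server defaults: default_lease_ttl and max_lease_ttl both start out at 768h (32 days).
SYSTEM_DEFAULT_LEASE_TTL = "768h"
SYSTEM_MAX_LEASE_TTL = "768h"
# The PKI engine stamps Not Before 30 seconds before the issue time (clock-skew margin).
NOT_BEFORE_BACKDATE = timedelta(seconds=30)
# Date layout printed by 'openssl x509 -noout -dates'.
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(spec):
    """Parse a Vault duration string such as '43800h' or '72h' into a timedelta."""
    m = re.fullmatch(r"(\d+)([smhd])", spec.strip())
    if not m:
        raise ValueError(f"unsupported duration: {spec!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])

def effective_ttl(requested=None, mount_default=None, mount_max=None, role_max=None):
    """Settle the TTL the PKI engine applies to a certificate it issues or signs.

    Assumed precedence (my reading of the engine, not something the thread states):
      1. the request's ttl=, else the mount's default_lease_ttl, else the system default;
      2. capped at the role's max_ttl when a role is involved (issue/sign endpoints);
      3. capped at the mount's max_lease_ttl, else the system maximum.
    """
    ttl = parse_duration(requested or mount_default or SYSTEM_DEFAULT_LEASE_TTL)
    caps = [parse_duration(mount_max or SYSTEM_MAX_LEASE_TTL)]
    if role_max:
        caps.append(parse_duration(role_max))
    return min([ttl] + caps)

def validity_window(issued_at, ttl):
    """Return (Not Before, Not After) in openssl's layout for a cert issued at issued_at."""
    t = datetime.strptime(issued_at, OPENSSL_DATE)
    return (t - NOT_BEFORE_BACKDATE).strftime(OPENSSL_DATE), (t + ttl).strftime(OPENSSL_DATE)

def ttl_from_openssl_dates(not_before, not_after):
    """Recover the TTL behind an existing cert from its openssl Not Before / Not After fields."""
    nb = datetime.strptime(" ".join(not_before.split()), OPENSSL_DATE)
    na = datetime.strptime(" ".join(not_after.split()), OPENSSL_DATE)
    return (na - nb) - NOT_BEFORE_BACKDATE

if __name__ == "__main__":
    # Step 6 of the question: 32 days + 30 s, i.e. exactly the 768h default, not the mount max.
    print(ttl_from_openssl_dates("May  6 20:04:57 2019 GMT", "Jun  7 20:05:27 2019 GMT"))
    # Step 5 as posted (no ttl=) next to the reply's fix (ttl=43800h) on the 87600h root mount.
    print(effective_ttl(mount_max="87600h"), effective_ttl("43800h", mount_max="87600h"))
```

Running it against the thread's own numbers reproduces the 32-day window from the system default and the 5-year window once ttl=43800h is passed; the role case from step 2 shows max_ttl=72h winning over the mount's 87600h for role-based issuance.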