Vault Certificate Authority certificate TTL doesn't match


Hristiyan Mihaylov

Feb 12, 2019, 6:01:40 AM
to Vault
Heya,

So I set up Vault CA as per the instructions at the following page:


All went great, except for the part where I'm generating a new certificate, and it says it can only be created for a month, even though I've set all the TTLs to "87600h" (10 years).

$ vault write pki_int/issue/centroida-ai common_name="centroida-cert.centroida.ai" ttl="24000h"
Error writing data to pki_int/issue/centroida-ai: Error making API request.

URL: PUT https://vault.centroida.ai:8200/v1/pki_int/issue/centroida-ai
Code: 400. Errors:

* cannot satisfy request, as TTL would result in notAfter 2021-11-08T12:55:21.307248044+02:00 that is beyond the expiration of the CA certificate at 2019-03-16T10:53:44Z

I recreated the Root CA and the Intermediate CA several times, with 87600h each time, and it's always displaying this. Basically certificates can only be created for a month, instead of the actual expiration of the CA.

Does anyone know a workaround for this? Thanks :)

mic...@hashicorp.com

Feb 12, 2019, 11:13:01 AM
to Vault
Hi Hristiyan,

There are four places where you need to adjust the TTL.

vault secrets tune -max-lease-ttl=87600h pki
This increases the max TTL for the mount point.

vault write pki/root/generate/internal \
    common_name=my-website.com \
    ttl=87600h
This sets the TTL of your root certificate.

vault write pki/roles/my-role \
    allowed_domains=my-website.com \
    allow_subdomains=true \
    max_ttl=87600h
This sets the max TTL for this specific role.

vault write pki/issue/my-role \
    common_name=www.my-website.com ttl="87500h"
This finally generates the signed certificate.
Please note that I set the TTL to "87500h". The signed certificate must be in a valid time range according to your root certificate.

Cheers,
Michel

tobt...@gmail.com

Feb 13, 2019, 5:33:47 AM
to Vault
In addition to what Michel wrote, the error message states that your CA certificate is expiring next month. When the CA certificate expires, all leaf certificates expire too, so Vault doesn't allow you to create certificates beyond that date in the first place.

Check the output of: vault read -field=certificate pki_int/cert/ca | openssl x509 -noout -enddate
This is the date when your CA certificate and thereby also every leaf certificate expires. Probably you forgot to extend the TTL of the mount point.
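The check described in this reply, worked through offline as an added example (not code from the thread or from Vault itself): it parses the `openssl x509 -enddate` line and a Vault-style TTL, then applies the same rule Vault does, that the leaf's notAfter may not pass the CA's notAfter. The sample enddate line and the "now" timestamp are constructed to match the error in the original post.

```python
"""Check how long a leaf certificate can still be issued under a Vault CA.

Added example, not from the thread or from Vault: it reproduces the check Vault
applies, that a leaf's notAfter must not pass the CA's notAfter. Input is the
line printed by
    vault read -field=certificate pki_int/cert/ca | openssl x509 -noout -enddate
and the ttl you intend to pass to `vault write pki_int/issue/<role>`.
"""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample: the openssl -enddate line matching the CA expiry in the thread's error.
SAMPLE_ENDDATE = "notAfter=Mar 16 10:53:44 2019 GMT"
# Constructed "now": the moment of the original request, so the error reproduces exactly.
SAMPLE_NOW = datetime(2019, 2, 12, 10, 55, 21, tzinfo=timezone.utc)

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_vault_ttl(ttl: str) -> timedelta:
    """Parse a Vault duration ('87600h', '30m', '1h30m') into a timedelta. Bare integers are seconds."""
    ttl = ttl.strip()
    if ttl.isdigit():
        return timedelta(seconds=int(ttl))
    parts = re.findall(r"(\d+)([smhd])", ttl)
    if not parts or "".join(n + u for n, u in parts) != ttl:
        raise ValueError(f"unrecognised TTL: {ttl!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))

def parse_openssl_enddate(line: str) -> datetime:
    """Parse 'notAfter=Mar 16 10:53:44 2019 GMT' (openssl x509 -enddate) into a UTC datetime."""
    _, _, value = line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def check_request(ca_enddate_line: str, requested_ttl: str, now: datetime) -> dict:
    """Decide whether Vault would accept `requested_ttl` and report the longest TTL it would."""
    ca_not_after = parse_openssl_enddate(ca_enddate_line)
    leaf_not_after = now + parse_vault_ttl(requested_ttl)
    return {
        "ca_not_after": ca_not_after,
        "leaf_not_after": leaf_not_after,
        "ok": leaf_not_after <= ca_not_after,
        # Zero once the CA itself has expired: nothing can be issued under it any more.
        "max_ttl": max(ca_not_after - now, timedelta(0)),
    }

if __name__ == "__main__":
    r = check_request(SAMPLE_ENDDATE, "24000h", SAMPLE_NOW)
    print("CA expires", r["ca_not_after"], "| leaf would expire", r["leaf_not_after"])
    print("accepted" if r["ok"] else f"rejected; longest TTL you can request is {r['max_ttl']}")
```

Running it against a real mount means piping the live `openssl` output into `check_request` with the current time; the reported `max_ttl` is the ceiling any role `max_ttl` or request `ttl` is effectively capped at until the CA is re-issued with a longer TTL.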