[QUESTION] PKI - How to add specific entries to certificate subject


Danny Heinrich

Jun 18, 2018, 2:31:11 AM
to Vault
Hey there,

I'm trying to build a specific-looking certificate with Vault.
Unfortunately there are some issues (at least for me) with modifying the subject with specific fields.

In this case I am trying to get an "emailAddress" directly into the subject.

All I have achieved so far is to get "emailAddress" into the SAN. Does anyone have an idea how I can achieve my goal?

How I create the mounts and CA + Intermediate CA

# -------------- Root CA

vault mount -path=pki_root -description="ROOT CA" -max-lease-ttl=87600h pki

vault write pki_root/root/generate/internal \
  common_name="ROOT CA" \
  ttl=87600h \
  key_bits=4096 \
  exclude_cn_from_sans=true

vault write pki_root/config/urls issuing_certificates="http://<vaultIP>:8200/v1/pki_root"

# -------------- Intermediate CA

vault mount -path=pki_intermediate -description="Intermediate CA MOUNT" -max-lease-ttl=43800h pki

vault write pki_intermediate/intermediate/generate/internal common_name="Intermediate CA" ttl=43800h key_bits=4096 exclude_cn_from_sans=true

vault write pki_root/root/sign-intermediate use_csr_values="true" csr=@<path to cert>/pki_INTERMEDIATE_DEV.csr.pem common_name="Intermediate CA SIGNED" ttl=43800h

vault write pki_intermediate/intermediate/set-signed certificate=@<path to cert>/pki_INTERMEDIATE_DEV.cert.pem

vault write pki_intermediate/config/urls issuing_certificates="https://<vaultIP>:8200/v1/pki_intermediate/ca" crl_distribution_points="http://<vaultIP>:8200/v1/pki_intermediate/crl"

# Role, first version (the key_usage list is quoted so the shell neither strips the inner quotes nor globs the brackets)
vault write pki_intermediate/roles/rolename organization="<company name>" enforce_hostnames=false allow_subdomains=true key_usage='["digitalSignature","keyEncipherment"]' client_flag=true server_flag=false key_bits=2048 max_ttl=43800h allow_any_name=true

# Role, second version; writing the same role path again replaces the definition above
vault write pki_intermediate/roles/rolename organization="<company name>" ou="OU" country="DE" province="Berlin" locality="Berlin" enforce_hostnames=false allow_subdomains=true allowed_other_sans="1.2.840.113549.1.9.1;utf8:emailAddress" key_usage='["DigitalSignature", "KeyAgreement", "KeyEncipherment"]' client_flag=true server_flag=false key_bits=2048 max_ttl=43800h allow_any_name=true

# -------------- User Certificate

# -k skips TLS verification of the Vault endpoint
curl \
    --header "X-Vault-Token:$VAULT_TOKEN" \
    --request POST \
    --data @/tmp/newUser.tmp.json \
    -v \
    -k \
    https://<vaultIP>:8200/v1/pki_intermediate/issue/rolename \
    | tee >(jq -r .data.certificate > "$DIRECTORY/$NAME.crt") \
          >(jq -r .data.issuing_ca > "$DIRECTORY/$NAME.issuing_ca.pem") \
          >(jq -r .data.private_key > "$DIRECTORY/$NAME.key.pem")

Thank you and regards
Attachments: Screenshot from 2018-06-18 07-58-16.png, Screenshot from 2018-06-18 07-58-28.png
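The curl | tee | jq pipeline in the post above can be replaced by a small client that verifies the Vault TLS endpoint and creates the private-key file with restrictive permissions from the start. The following is an added example, not Vault's own client code and not the original poster's script; it assumes the pki_intermediate mount and rolename role from the thread, reads VAULT_ADDR and VAULT_TOKEN from the environment, and uses a constructed SAMPLE_RESPONSE with placeholder PEM blocks in place of a real issue response. The e-mail goes into alt_names because, per the Vault PKI documentation, alt_names accepts host names or e-mail addresses and sorts them into the matching SAN fields; no request field sets a Subject emailAddress attribute.

```python
"""Issue a certificate from a Vault PKI role and split the response into files.

Added example (not Vault's client code). Assumes the mount/role names from the
thread; SAMPLE_RESPONSE is constructed stand-in data for offline runs."""
import json
import os
import ssl
import stat
import tempfile
import urllib.request
from pathlib import Path
from typing import Optional

# Constructed stand-in for the "data" object of a pki/issue/<role> response.
# Real responses carry full PEM blocks; these are placeholders for the test run.
SAMPLE_RESPONSE = {
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER_CA\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER_KEY\n-----END RSA PRIVATE KEY-----",
}


def build_issue_payload(common_name: str, email: str, ttl: str = "8760h") -> dict:
    """Request body for POST /v1/<mount>/issue/<role>.

    The address goes in alt_names: Vault parses alt_names entries into DNS or
    e-mail SANs by their form, so the e-mail becomes an rfc822Name SAN."""
    return {"common_name": common_name, "alt_names": email, "ttl": ttl, "format": "pem"}


def issue_certificate(vault_addr: str, token: str, mount: str, role: str,
                      payload: dict, cafile: Optional[str] = None) -> dict:
    """POST the payload and return the response's "data" object.

    TLS is verified against the system trust store, or against cafile if given;
    there is deliberately no equivalent of curl's -k."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/{mount}/issue/{role}",
        data=json.dumps(payload).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["data"]


def write_bundle(data: dict, directory: Optional[str], name: str) -> dict:
    """Write certificate, issuing CA and private key to <directory>/<name>.*.

    The key file is created with mode 0600 up front instead of relying on the
    umask as a shell redirection does. Returns the paths and the key's mode.
    With directory=None a fresh temporary directory is used."""
    for field in ("certificate", "issuing_ca", "private_key"):
        if not data.get(field):
            raise ValueError(f"issue response is missing '{field}'")
    out = Path(directory) if directory else Path(tempfile.mkdtemp())
    out.mkdir(parents=True, exist_ok=True)
    cert_path = out / f"{name}.crt"
    ca_path = out / f"{name}.issuing_ca.pem"
    key_path = out / f"{name}.key.pem"
    cert_path.write_text(data["certificate"] + "\n")
    ca_path.write_text(data["issuing_ca"] + "\n")
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data["private_key"] + "\n")
    return {
        "certificate": str(cert_path),
        "issuing_ca": str(ca_path),
        "private_key": str(key_path),
        "private_key_mode": stat.S_IMODE(os.stat(key_path).st_mode),
    }


if __name__ == "__main__":
    # Live run: needs VAULT_ADDR and VAULT_TOKEN in the environment.
    addr, token = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    data = issue_certificate(addr, token, "pki_intermediate", "rolename",
                             build_issue_payload("NAME", "NAME@example.com"))
    print(write_bundle(data, "./out", "NAME"))
```

The response is checked for all three fields before anything is written, so a partial or error response leaves no half-written bundle behind.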

Calvin Leung Huang

Jun 18, 2018, 1:30:18 PM
to Vault
Hi Danny,

What does the payload in your POST request, newUser.tmp.json, look like? Did you include other_sans?


- Calvin

Danny Heinrich

Jun 19, 2018, 10:43:55 AM
to Vault
I tried several things:

1.) 
{
  "name" : "NAME",
  "common_name" : "NAME",
  "ttl" : "8760h",
  "format" : "pem",
  "other_sans" : "1.2.840.113549.1.9.1;utf8:emailAddress",
  "alt_names" : "email:NAME@<domain>.com"
}

2.)
{
  "name" : "NAME,email:NAME@<domain>.com",
  "common_name" : "NAME",
  "ttl" : "8760h",
  "format" : "pem",
  "alt_names" : "otherName:msUPN;UTF8:NAME,email:NAME@<domain>.com"
}

I added "email:NAME@<domain>.com" to alt_names because there is no field which lets me edit the subject...

Calvin Leung Huang

Jun 19, 2018, 3:14:01 PM
to Vault
Danny,

I am not completely clear as to what you want to achieve.

In this case I am trying to get an "emailAddress" directly into the subject.

Did you mean you want the literal "emailAddress" string to be a field in the subject, i.e. "emailAddress=NAME@<domain>.com" (similar to "CN=NAME@<domain>.com")? If that's the case, then that's not currently supported.

However, if what you mean is that you want some email, say "NAME@<domain>.com", to be part of the Subject, then all you have to do is specify that email as part of the common_name. Your sample commands differ from the screenshot result, but it looks like you already have an email populated in the CN. In most cases validation against email is done with the fields in the SANs and not the Subject, so the proper thing to do might be to have the email in the SANs like so: "alt_names" : "email:NAME@<domain>.com".


- Calvin
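To make the distinction in this reply concrete, here is an added example that is neither Vault's code nor anything posted in the thread: a minimal DER encoder and decoder for the three places an e-mail can sit in an X.509 certificate. Those are a Subject emailAddress attribute (OID 1.2.840.113549.1.9.1, the same OID the allowed_other_sans setting above uses), a SAN rfc822Name (the form an e-mail given in alt_names takes), and a SAN otherName carrying that OID with a UTF8String value (what an other_sans entry of the form oid;utf8:value describes). The locate_email function is the check to run on an issued certificate's Subject and subjectAltName values: fed the constructed equivalent of the first payload in the thread, it shows the other_sans value landing as the literal string "emailAddress" inside an otherName, with no emailAddress attribute in the Subject. All OIDs, tags and sample values are constructed for the example; the string and GeneralName forms handled are only those the example needs.

```python
"""Minimal DER helpers showing where an e-mail address can live in a certificate.

Added example (not Vault's code). Handles only the Name and GeneralName forms
used below: Subject attributes with UTF8String/IA5String values, SAN rfc822Name
and SAN otherName with a UTF8String value."""
from typing import List, Tuple

EMAIL_OID = "1.2.840.113549.1.9.1"   # PKCS#9 emailAddress attribute type
CN_OID = "2.5.4.3"                   # X.520 commonName


def _length(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after this element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string to DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_name(attrs: List[Tuple[str, str]]) -> bytes:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, string }, one attribute per RDN.
    emailAddress is IA5String (tag 0x16); other attributes use UTF8String (0x0C)."""
    rdns = b""
    for oid, value in attrs:
        string_tag = 0x16 if oid == EMAIL_OID else 0x0C
        atv = _tlv(0x30, _tlv(0x06, encode_oid(oid)) + _tlv(string_tag, value.encode()))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


def decode_name(der: bytes) -> List[Tuple[str, str]]:
    _, rdns, _ = _read_tlv(der, 0)
    attrs, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, after = _read_tlv(atv, 0)
            _, val_body, _ = _read_tlv(atv, after)
            attrs.append((decode_oid(oid_body), val_body.decode()))
    return attrs


def encode_san(entries: list) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName.
    ('email', addr)       -> rfc822Name [1] IMPLICIT IA5String (tag 0x81)
    ('other', oid, value) -> otherName [0] { OID, [0] EXPLICIT UTF8String } (tag 0xA0)"""
    body = b""
    for entry in entries:
        if entry[0] == "email":
            body += _tlv(0x81, entry[1].encode())
        else:
            _, oid, value = entry
            body += _tlv(0xA0, _tlv(0x06, encode_oid(oid)) + _tlv(0xA0, _tlv(0x0C, value.encode())))
    return _tlv(0x30, body)


def decode_san(der: bytes) -> list:
    _, names, _ = _read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag == 0x81:
            out.append(("email", body.decode()))
        elif tag == 0xA0:
            _, oid_body, after = _read_tlv(body, 0)
            _, explicit, _ = _read_tlv(body, after)   # [0] EXPLICIT wrapper around the value
            _, value, _ = _read_tlv(explicit, 0)
            out.append(("other", decode_oid(oid_body), value.decode()))
        else:
            out.append(("unhandled", tag, body))
    return out


def locate_email(subject_der: bytes, san_der: bytes) -> dict:
    """Report where an e-mail ended up: Subject emailAddress, Subject CN,
    SAN rfc822Name or SAN otherName."""
    subject, san = decode_name(subject_der), decode_san(san_der)
    return {
        "subject_emailAddress": [v for oid, v in subject if oid == EMAIL_OID],
        "subject_cn": [v for oid, v in subject if oid == CN_OID],
        "san_rfc822": [e[1] for e in san if e[0] == "email"],
        "san_otherName": [(e[1], e[2]) for e in san if e[0] == "other"],
    }


if __name__ == "__main__":
    # Constructed: what the thread's first payload describes (CN=NAME, an otherName
    # built from "1.2.840.113549.1.9.1;utf8:emailAddress", and an rfc822Name).
    subject = encode_name([(CN_OID, "NAME")])
    san = encode_san([("other", EMAIL_OID, "emailAddress"), ("email", "NAME@example.com")])
    print(locate_email(subject, san))
```

Running the module prints an empty subject_emailAddress list alongside the otherName and rfc822Name entries, which is the outcome the reply above describes; to use the check on a real certificate, hand locate_email the DER of the Subject and of the subjectAltName extension value from a full ASN.1 parser.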