PKI - Submit CA Information


real.jef...@gmail.com

Feb 8, 2019, 1:59:48 PM2/8/19
to Vault
Hey folks,

I'm trying to configure Vault's PKI secrets backend to issue certificates and the CA chain associated with them.

I have vault issuing certs, and if I use the ca.pem file that existed before vault then the certs issued by vault verify correctly. But the ca_chain returned with the certs vault issues doesn't contain the complete CA chain so the certificate doesn't verify when using that info.

I have a Root CA, then an Intermediate CA, and then the Intermediate Vault CA.
I've generated the Intermediate Vault CA outside of Vault, and have signed it with the Intermediate CA.
When I generated payload.json (from the Submit CA Information section of the PKI API docs) I was careful to include the Root CA and the Intermediate CA.

I've tried changing the ordering of the CAs in the payload.json file so that the Root CA came before Intermediate, and so that Intermediate came before Root, but I haven't been able to get the ca_chain to include the complete CA chain yet. Does anyone know if there's a trick to this, or anything to watch out for when turning newlines into \n's?

Does the fact that ca_chain only contains the Intermediate Vault CA mean that it couldn't confirm that the Intermediate CA signed the Intermediate Vault CA?
There are no errors or any output at all when you submit payload.json to the API, so I'm unsure if I've mis-configured something or just misunderstood.


Thanks in advance!
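A way to assemble and sanity-check the payload.json from the Submit CA Information step before posting it to /pki/config/ca, as an added example (not code from this thread or from Vault itself): it keeps the key first, then the issuing CA and its chain (that ordering is an assumption), lets json.dumps do the newline-to-\n escaping asked about above, and reports which bundle certificates a returned ca_chain omits. The PEM blocks are constructed placeholders, not real keys or certificates.

```python
import json
import re

# One PEM block: label (CERTIFICATE, RSA PRIVATE KEY, ...) and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.+?)\n-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, body) pairs for every well-formed PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def build_pem_bundle(key_pem, ca_pem, chain_pems):
    """Concatenate key, issuing CA cert and chain; check block structure locally."""
    bundle = ""
    for part in (key_pem, ca_pem, *chain_pems):
        if len(pem_blocks(part)) != 1:  # catches a truncated or missing END line
            raise ValueError("each input must hold exactly one PEM block")
        bundle += part.strip() + "\n"  # exactly one newline between blocks
    labels = [label for label, _ in pem_blocks(bundle)]
    if sum("PRIVATE KEY" in label for label in labels) != 1:
        raise ValueError("bundle must contain exactly one private key")
    if labels.count("CERTIFICATE") != 1 + len(chain_pems):
        raise ValueError("certificate count does not match the chain given")
    return bundle

def submit_ca_payload(bundle):
    """JSON body for POST /pki/config/ca; json.dumps escapes newlines as \\n."""
    return json.dumps({"pem_bundle": bundle})

def missing_from_chain(ca_chain, bundle):
    """Bodies of bundle certificates that the returned ca_chain does not list."""
    returned = {body for label, body in pem_blocks("\n".join(ca_chain))
                if label == "CERTIFICATE"}
    return [body for label, body in pem_blocks(bundle)
            if label == "CERTIFICATE" and body not in returned]

def fake_pem(label, body):
    # Constructed placeholder block; a real body is base64-encoded DER.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

ROOT_CA = fake_pem("CERTIFICATE", "ROOTCA==")
INTERMEDIATE_CA = fake_pem("CERTIFICATE", "INTERCA=")
VAULT_INT_CA = fake_pem("CERTIFICATE", "VAULTINT")
VAULT_INT_KEY = fake_pem("RSA PRIVATE KEY", "KEYDATA=")

if __name__ == "__main__":
    bundle = build_pem_bundle(VAULT_INT_KEY, VAULT_INT_CA, [INTERMEDIATE_CA, ROOT_CA])
    print(submit_ca_payload(bundle))
    # Simulated response whose ca_chain holds only the Vault CA, as in this thread.
    print(missing_from_chain([VAULT_INT_CA], bundle))
```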

real.jef...@gmail.com

Feb 8, 2019, 2:35:22 PM2/8/19
to Vault
Could this be because the Root CA, Intermediate CA, and Intermediate Vault CA are all signed with SHA1? Does vault just not include those in the ca_chain due to them using SHA1?

Could it be because there's an underscore in the CN for the Root CA and Intermediate CAs, but not the Intermediate Vault CAs? That would make some sense because those are the two that aren't included in ca_chain.

*keeps tinkering*

Jeff W

Feb 8, 2019, 7:56:04 PM2/8/19
to Vault
I did some more testing with underscores in the CN for my root and the intermediate, and that worked: the ca_chain field contained all 3 expected certificates, so I'm thinking SHA1 may be the problem. I'll test that next.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/817b5e55-b30b-49aa-8522-33c071c33957%40googlegroups.com.