james-bjss
commented
5 years ago Had a look into this and as @jprelph says the ca_chain values are not written out. In our case we have two certs in this chain and we only get the root CA written out to file.
I have had a first stab at fixing this on my fork: https://github.com/UKHomeOffice/vault-sidekick/pull/93
Some questions about the solution
- Should the ability to pull out the whole chain be optional?
- Should this be implemented as a new fmt or an additional flag or just done by default?
- Is it acceptable to write out the whole chain into a single file?
- What should the filename(s) be?
Other notes
- I added a newline char between the certs when writing them to a single file. Should I use a localised/os specific carriage return?
- The code assumes that
ca_certis always an interface slice, the only other way I could think of was using reflection, but this is usually frowned upon. I looked at the vault code and it seems like this should always be a slice.
It would be useful when using the PKI backend if fmt=cert would also pull out the ca_chain as well as the existing crt, ca and key files.