Venafi / vault-pki-backend-venafi

Venafi PKI Secrets Engine plugin for HashiCorp Vault that enables certificate enrollment using Venafi machine identity services.
Mozilla Public License 2.0

Unable to obtain Certificate from MS ADCS with Validity < 24h #125

Open jyppy opened 1 year ago

jyppy commented 1 year ago

PROBLEM SUMMARY

When using the backend plugin with a Microsoft ADCS Certificate Authority, the shortest validity that can be received from the CA is 24 h.

STEPS TO REPRODUCE

Install and configure the vault-pki-backend plugin, set issuer_hint=m

    vault read myMSCA/roles/tpp

    Key                       Value
    ---                       -----
    chain_option              last
    generate_lease            false
    issuer_hint               m
    max_ttl                   0s
    no_store                  false
    role_zone                 n/a
    service_generated_cert    false
    store_by                  n/a
    store_pkey                false
    ttl                       0s
    venafi_secret             tpp

EXPECTED RESULTS

Requesting a certificate with 24h validity returns the correct duration.

This is as expected - TTL=24h

    vault write myMSCA/issue/tpp common_name="$CERT" alt_names="$CERT" ttl="24h" -format=json | jq -r '.data.certificate' | openssl x509 -noout -dates -serial
    notBefore=Jun 22 21:12:27 2023 GMT
    notAfter=Jun 23 21:22:26 2023 GMT
    serial=25000014DCA3F9DCF86579676F0001000014DC

This is not - TTL=12h

    vault write myMSCA/issue/tpp common_name="$CERT" alt_names="$CERT" ttl="12h" -format=json | jq -r '.data.certificate' | openssl x509 -noout -dates -serial
    notBefore=Jun 22 21:17:02 2023 GMT
    notAfter=Jun 23 21:27:02 2023 GMT
    serial=25000014DDA353939076EF42FA0001000014DD

ACTUAL RESULTS

The validity period is 24h when 12h was requested.

ENVIRONMENT DETAILS

Calling the Venafi API directly to obtain a cert with ~2h validity works:

    POST /vedsdk/certificates/request
    ...
    "CASpecificAttributes": [
        { "Name": "Microsoft CA:Specific End Date", "Value": "22-JUN-23 23:00:00" }
    ]

It returns a cert with the following validity:

    "ValidFrom": "2023-06-22T21:19:39.0000000Z",
    "ValidTo": "2023-06-22T23:00:00.0000000Z"

COMMENTS/WORKAROUNDS
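A small check, added here and not part of the plugin or of jyppy's report: it parses the `openssl x509 -noout -dates` output quoted above, compares the issued validity with the requested TTL (so the 12h case is flagged as a mismatch), and builds the `Microsoft CA:Specific End Date` attribute in the format the direct API call uses. The ADCS date format string and the 15-minute tolerance are assumptions based on the values shown in the issue.

```python
import re
from datetime import datetime, timedelta, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"   # as printed by `openssl x509 -dates`
ADCS_FMT = "%d-%b-%y %H:%M:%S"          # assumed from "22-JUN-23 23:00:00"
SLACK_HOURS = 0.25                      # assumed tolerance for CA clock skew/backdating

# Constructed sample: the two openssl outputs quoted in the issue.
SAMPLE_24H = """notBefore=Jun 22 21:12:27 2023 GMT
notAfter=Jun 23 21:22:26 2023 GMT"""
SAMPLE_12H = """notBefore=Jun 22 21:17:02 2023 GMT
notAfter=Jun 23 21:27:02 2023 GMT"""


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from `-dates` output."""
    m = re.search(r"notBefore=(.+? GMT)\s*notAfter=(.+? GMT)", text, re.S)
    if not m:
        raise ValueError("no notBefore/notAfter pair found in output")
    nb, na = (datetime.strptime(v, OPENSSL_FMT).replace(tzinfo=timezone.utc)
              for v in m.groups())
    return nb, na


def ttl_honoured(text, requested_hours):
    """Return (issued_hours, ok): ok is False when the CA changed the validity."""
    nb, na = parse_openssl_dates(text)
    issued_hours = (na - nb).total_seconds() / 3600
    return issued_hours, abs(issued_hours - requested_hours) <= SLACK_HOURS


def adcs_end_date_attr(valid_from_tpp, ttl_hours):
    """Build the CASpecificAttributes entry for a TPP 'ValidFrom' string plus a TTL."""
    # TPP timestamps look like 2023-06-22T21:19:39.0000000Z; drop the fraction.
    start = datetime.strptime(valid_from_tpp[:19], "%Y-%m-%dT%H:%M:%S")
    end = start.replace(tzinfo=timezone.utc) + timedelta(hours=ttl_hours)
    return {"Name": "Microsoft CA:Specific End Date",
            "Value": end.strftime(ADCS_FMT).upper()}


if __name__ == "__main__":
    for label, out, hours in (("24h", SAMPLE_24H, 24), ("12h", SAMPLE_12H, 12)):
        issued, ok = ttl_honoured(out, hours)
        print(f"requested {label}: issued {issued:.2f}h -> {'OK' if ok else 'MISMATCH'}")
    print(adcs_end_date_attr("2023-06-22T21:19:39.0000000Z", 1.6725))
```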