Venafi PKI Secrets Engine plugin for HashiCorp Vault that enables certificate enrollment using Venafi machine identity services.
Mozilla Public License 2.0
Unable to obtain Certificate from MS ADCS with Validity < 24h #125
Open
jyppy opened 1 year ago
PROBLEM SUMMARY
When using the backend plugin with a Microsoft ADCS Certificate Authority the shortest validity that can be received by the CA is 24 h.

STEPS TO REPRODUCE
Install and configure vault-pki-backend plugin, set issuer_hint=m

vault read myMSCA/roles/tpp

Key                       Value
chain_option              last
generate_lease            false
issuer_hint               m
max_ttl                   0s
no_store                  false
role_zone                 n/a
service_generated_cert    false
store_by                  n/a
store_pkey                false
ttl                       0s
venafi_secret             tpp

EXPECTED RESULTS
Request a certificate with 24h validity returns the correct duration

This is as expected - TTL=24h

vault write myMSCA/issue/tpp common_name="$CERT" alt_names="$CERT" ttl="24h" -format=json | jq -r '.data.certificate' | openssl x509 -noout -dates -serial

notBefore=Jun 22 21:12:27 2023 GMT
notAfter=Jun 23 21:22:26 2023 GMT
serial=25000014DCA3F9DCF86579676F0001000014DC

This is not - TTL=12h

vault write myMSCA/issue/tpp common_name="$CERT" alt_names="$CERT" ttl="12h" -format=json | jq -r '.data.certificate' | openssl x509 -noout -dates -serial

notBefore=Jun 22 21:17:02 2023 GMT
notAfter=Jun 23 21:27:02 2023 GMT
serial=25000014DDA353939076EF42FA0001000014DD

ACTUAL RESULTS
The validity period is 24h when 12h was requested
ENVIRONMENT DETAILS
Calling the Venafi API directly to obtain a cert with ~ 2h validity works
POST /vedsdk/certificates/request ... "CASpecificAttributes": [ { "Name": "Microsoft CA:Specific End Date", "Value": "22-JUN-23 23:00:00" } ]
Return a cert with the following validity
COMMENTS/WORKAROUNDS
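The check below is an added example, not code from the vault-pki-backend-venafi project or from the issue author. It does in Go what the reporter did by hand with openssl: parse the certificate Vault returned, compute NotAfter minus NotBefore, and flag it when the issued validity exceeds the requested TTL. It also builds the "Microsoft CA:Specific End Date" attribute the reporter sent to TPP directly, with the "DD-MON-YY HH:MM:SS" value format inferred from the single value on this page (an assumption, not documented API). The self-signed certificate stands in for the CA's response so the example runs offline; all function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CASpecificAttribute mirrors the name/value pair in the issue's direct
// TPP request body ("CASpecificAttributes").
type CASpecificAttribute struct {
	Name  string `json:"Name"`
	Value string `json:"Value"`
}

// SpecificEndDate builds the end-date attribute for a requested TTL.
// The "02-Jan-06 15:04:05" layout (upper-cased) is inferred from the one
// example value on the page, "22-JUN-23 23:00:00"; treat it as an assumption.
func SpecificEndDate(now time.Time, ttl time.Duration) CASpecificAttribute {
	end := now.Add(ttl).UTC()
	return CASpecificAttribute{
		Name:  "Microsoft CA:Specific End Date",
		Value: strings.ToUpper(end.Format("02-Jan-06 15:04:05")),
	}
}

// IssuedValidity parses a PEM certificate and returns NotAfter - NotBefore,
// the same figure the reporter read off "openssl x509 -dates".
func IssuedValidity(certPEM string) (time.Duration, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return cert.NotAfter.Sub(cert.NotBefore), nil
}

// ExceedsRequested reports whether the issued validity is longer than the
// requested TTL by more than tolerance. CAs commonly back-date NotBefore by a
// few minutes, so a small tolerance avoids flagging that as a mismatch.
func ExceedsRequested(certPEM string, requested, tolerance time.Duration) (bool, time.Duration, error) {
	actual, err := IssuedValidity(certPEM)
	if err != nil {
		return false, 0, err
	}
	return actual-requested > tolerance, actual, nil
}

// SelfSignedPEM creates a throwaway self-signed certificate with the given
// validity. It is a constructed stand-in for the CA's response.
func SelfSignedPEM(validity time.Duration) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	// X.509 stores times with second precision; truncate so the arithmetic is exact.
	notBefore := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	// Reproduce the symptom from the issue: 12h requested, 24h issued.
	certPEM, err := SelfSignedPEM(24 * time.Hour)
	if err != nil {
		panic(err)
	}
	over, actual, err := ExceedsRequested(certPEM, 12*time.Hour, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued validity %s, exceeds requested 12h: %v\n", actual, over)
	fmt.Printf("attribute for a direct TPP request: %+v\n",
		SpecificEndDate(time.Date(2023, time.June, 22, 21, 0, 0, 0, time.UTC), 2*time.Hour))
}
```

Running this after each vault write (piping .data.certificate into IssuedValidity) turns the manual comparison in the issue into a repeatable check; a certificate whose validity is far longer than the TTL Vault was asked for is worth alerting on, since the Vault lease and the certificate lifetime no longer agree.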