Venafi / vault-pki-monitor-venafi

Venafi PKI Monitoring Secrets Engine for HashiCorp Vault that enforces security policy and provides certificate visibility to the enterprise.
Mozilla Public License 2.0

Default Venafi policy being enforced on pki/intermediate/generate/internal #34

Closed mbrancato closed 4 years ago

mbrancato commented 4 years ago

PROBLEM SUMMARY

Roots and Intermediates normally do not have a DNS-based Common Name. When the plugin is loaded and a default policy created, the default policy is being enforced on pki/intermediate/generate/internal preventing creation of the proper CA.

STEPS TO REPRODUCE

Mount the plugin, write a default policy (we're using a strict policy and assigning specific policies to each zone / role), then attempt to generate an intermediate CA CSR.

EXPECTED RESULTS

CSR generated

ACTUAL RESULTS

The vault write complains that the generated certificate doesn't match the regular expressions from the default policy.

ENVIRONMENT DETAILS

v0.6.0

COMMENTS/WORKAROUNDS

The only workaround I can think of is to temporarily change the policy on the zone used for the default policy, generate the CSR, then change the zone and policy back.

mr-tron commented 4 years ago

Are you sure that the problem is in the common name? We don't check the common name for root and intermediate CAs. But we still check key type and size, Organization, Locality and others. I tried

$ vault write pki-monitor/intermediate/generate/internal common_name="Intermediate Authority" ttl=43800h \
    organization="Venafi Inc." ou="Integration" locality="Salt Lake" \
    province="Utah" country="US"

Key    Value
---    -----
csr    -----BEGIN CERTIFICATE REQUEST-----
MIICwjCCAaoCAQAwfTELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxEjAQBgNV
.... blah-blah...
ayFRErPYGmyVvldG5F7a9DARpmQohaTvAf8SEiOma4qKbLrrcso=
-----END CERTIFICATE REQUEST-----

And with an invalid Organization:

$ vault write pki-monitor/intermediate/generate/internal common_name="Intermediate Authority" ttl=43800h

Error writing data to pki-monitor/intermediate/generate/internal: Error making API request.

URL: PUT https://localhost:44300/v1/pki-monitor/intermediate/generate/internal
Code: 400. Errors:

* Organization [] doesn't match regexps: [^Venafi Inc\.$]

mr-tron commented 4 years ago

Or maybe you can give the full command list (without passwords, of course) and the zone configuration. If you don't want to make this information public here, you can send it to opensource@venafi.com

tr1ck3r commented 4 years ago

@mbrancato are you still running into challenges with this? As @mr-tron said, our design requirement was to exempt the CN of the CA certificate from the Venafi policy but we are enforcing compliance for the remainder of the Subject DN since it is used to identify the business entity. I could be convinced that we should also be exempting the OU but you didn't indicate it was a problem for you.
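The enforcement described in the two maintainer comments above, as an added example that is not the plugin's own code: each Subject DN field of a CSR is matched against a per-field regexp, and only for CA requests is the Common Name exempt. `Policy`, `StrictPolicy`, `CheckSubject` and `NewCSR` are assumed names; the Common Name rule is hypothetical, while the Organization rule is the one from the error message in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"regexp"
)

// Policy maps a Subject DN field to the regexp it must match (constructed; the O rule is the thread's).
type Policy map[string]*regexp.Regexp

var StrictPolicy = Policy{
	"Common Name":  regexp.MustCompile(`^[a-z0-9-]+\.example\.com$`), // hypothetical leaf CN rule
	"Organization": regexp.MustCompile(`^Venafi Inc\.$`),
	"Country":      regexp.MustCompile(`^US$`),
}

// CheckSubject enforces the policy on a CSR's Subject DN. When isCA is true the
// Common Name is exempt, as the maintainers describe for root/intermediate CAs.
func CheckSubject(csr *x509.CertificateRequest, p Policy, isCA bool) error {
	for _, f := range []struct{ name string; vals []string }{
		{"Common Name", []string{csr.Subject.CommonName}}, {"Organization", csr.Subject.Organization}, {"Country", csr.Subject.Country},
	} {
		re := p[f.name]
		if re == nil || (isCA && f.name == "Common Name") {
			continue
		}
		if len(f.vals) == 0 { f.vals = []string{""} } // an absent field fails too: "Organization []"
		for _, v := range f.vals {
			if !re.MatchString(v) {
				return fmt.Errorf("%s [%s] doesn't match regexps: [%s]", f.name, v, re)
			}
		}
	}
	return nil
}

// NewCSR builds a CSR in memory so the check runs offline; "" omits that field.
func NewCSR(cn, o, c string) (*x509.CertificateRequest, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	opt := func(v string) []string { if v == "" { return nil }; return []string{v} }
	subj := pkix.Name{CommonName: cn, Organization: opt(o), Country: opt(c)}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key)
	if err != nil { return nil, err }
	return x509.ParseCertificateRequest(der)
}
```

A CA request with CN "Intermediate Authority" passes as long as O and C comply; the same CSR submitted as a non-CA request fails on the CN rule, and one with no Organization fails with the exact message quoted above.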

mbrancato commented 4 years ago

I'm going to close this. We were able to generate a CSR with all the policy fields except CN. This worked for us.