hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Vault's PKI signed certificate contains redundant Extended Key Usage claims #25848

Open tomaszkrzyzanowski opened 7 months ago

tomaszkrzyzanowski commented 7 months ago

Describe the bug

Vault's signed certificates are incompatible with Notary V2 notation CLI, because they contain redundant Extended Key Usage (later EKU) claims:

Notation requires certificates to have only Digital Signature key usage and no other KeyUsage/EKU enabled.

To Reproduce

Steps to reproduce the behavior:

  1. Enable pki engine
  2. Create issuer in UI (root CA, internal, CN=foo.tld, name foo, key rsa2048, valid 365 days)
  3. Create pki role in UI
    • name: foo
    • ttl 30 days
    • allowed domains: foo.tld (Domain Handling)
    • checked allow Bare domains (Domain Handling)
    • checked allow subdomains (Domain Handling)
    • key parameters: rsa 2048
    • checked Digital Signature(Key usage)
    • IMPORTANT: Uncheck all other Key usage and Extended Key Usage checkboxes
    • Other fields unchanged
  4. Generate certificate with PKI role
    • Common Name: signed.foo.tld
  5. Save certificate to file
  6. Get details of certificate with command: openssl x509 -in <CERTFILE-NAME>.pem -text
  7. The certificate has unnecessary EKUs enabled
    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:b4:7a:65:c2:28:23:2e:ce:08:98:79:55:74:db:95:5e:7e:5d:80
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=foo.tld
        Validity
            Not Before: Mar  8 15:47:19 2024 GMT
            Not After : Mar  9 15:47:49 2024 GMT
        Subject: CN=signed.foo.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:(...)
                    8d:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                B4:69:0C:31:18:B1:6D:DD:5F:F0:31:1A:E7:B1:7F:74:87:02:82:57
            X509v3 Authority Key Identifier: 
                D4:EE:B4:1E:23:2E:A5:1C:A1:2F:03:D8:CD:AC:BA:08:73:FD:15:E6
            X509v3 Subject Alternative Name: 
                DNS:signed.foo.tld
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        74:(...)
    -----BEGIN CERTIFICATE-----
    MIIEQ...
    -----END CERTIFICATE-----

Expected behavior

Certificate signed with Vault's managed CA, without any unselected EKUs

Environment:

Vault server configuration file(s):

No files, plain dev server run on Docker

Additional context

A CSR without the EKUs, after signing with the Vault role, contains the mentioned EKUs as well

vhdumann commented 6 months ago

I had the same problem and followed the solution mentioned in https://github.com/openbao/openbao/issues/217. By using vault read pki-int/roles/testing | grep '_flag' you can see the "hidden" flags. They set them via patch, which Vault doesn't seem to support. But using vault write pki-int/roles/testing <arguments> works. As this overrides the role instead of updating the existing values, you have to set every non-default value in the write request.

I was then able to create certificates without redundant EKUs.

stevendpclark commented 5 months ago

Hi @tomaszkrzyzanowski,

This is a limitation as mentioned in the UI for PKI, with additional _flags values from the role needing to be disabled if you solely want the DigitalSignature EKU to be set.

Vault does support the patch command to update only specific values of a role, as mentioned in the API docs:

$ vault read pki/roles/foo | grep _flag
client_flag                           true
code_signing_flag                     false
email_protection_flag                 false
server_flag                           true

$ vault patch pki/roles/foo server_flag=false client_flag=false

$ vault read pki/roles/foo | grep _flag
client_flag                           false
code_signing_flag                     false
email_protection_flag                 false
server_flag                           false
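A check for the condition discussed in this thread, as an added example that is not part of the thread or of Vault's code: it parses a certificate and reports which PKI role flags are responsible for the EKUs it carries. The names `roleFlag`, `flagsToDisable` and `issue` are hypothetical, and the certificates are constructed self-signed stand-ins rather than Vault output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
)

// roleFlag maps an EKU to the Vault PKI role flag that enables it.
var roleFlag = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth:      "server_flag",
	x509.ExtKeyUsageClientAuth:      "client_flag",
	x509.ExtKeyUsageCodeSigning:     "code_signing_flag",
	x509.ExtKeyUsageEmailProtection: "email_protection_flag",
}

// flagsToDisable (hypothetical helper) lists the role flags behind a cert's EKUs.
func flagsToDisable(der []byte) ([]string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var flags []string
	for _, eku := range c.ExtKeyUsage {
		if f, ok := roleFlag[eku]; ok {
			flags = append(flags, f)
		}
	}
	return flags, nil
}

// issue builds a constructed self-signed test cert (not Vault output); validity is left unset.
func issue(ekus ...x509.ExtKeyUsage) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"signed.foo.tld"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, _ := issue(x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	fmt.Println(flagsToDisable(der)) // [server_flag client_flag] <nil>
}
```

EKUs that come from other role settings are not reported, so an empty result only means none of the four `_flag` values contributed one.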