Open tomaszkrzyzanowski opened 7 months ago
I had the same problem and followed the solution mentioned in https://github.com/openbao/openbao/issues/217.
By using vault read pki-int/roles/testing | grep '_flag' you can see the "hidden" flags. They set them via patch, which vault doesn't seem to support. But using vault write pki-int/roles/testing <arguments> works. As this overrides the role instead of updating the existing values, you have to set every non-default value in the write request.
I was then able to create certificates without redundant EKUs.
Hi @tomaszkrzyzanowski,
This is a limitation as mentioned in the UI for PKI, with additional _flags values from the role needing to be disabled if you solely want the DigitalSignature EKU to be set.
Vault does support the patch command, to update only specific values of a role, as mentioned in the api-docs:
$ vault read pki/roles/foo | grep _flag
client_flag true
code_signing_flag false
email_protection_flag false
server_flag true
$ vault patch pki/roles/foo server_flag=false client_flag=false
$ vault read pki/roles/foo | grep _flag
client_flag false
code_signing_flag false
email_protection_flag false
server_flag false
Describe the bug
Vault's signed certificates are incompatible with the Notary V2 notation CLI, because they contain redundant Extended Key Usage (hereafter EKU) claims:
Notation requires certificates to have only the Digital Signature key usage and no other KeyUsage/EKU enabled.
To Reproduce
Steps to reproduce the behavior:
openssl x509 -in <CERTFILE-NAME>.pem -text
Expected behavior
Certificate signed with Vault's managed CA, without any unselected EKUs.
Environment:
Vault server version (vault status): 1.15.6
Vault CLI version (vault version): v1.15.4 (9b61934559ba31150860e618cf18e816cbddc630), built 2023-12-04T17:45:28Z
Vault server configuration file(s): No files, plain dev server run in Docker
Additional context
A CSR without the EKUs, after signing with the Vault role, contains the mentioned EKUs as well.
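The role-flag-to-EKU mapping from the reply above and the openssl check in the bug report, as an added Go example that is not part of this issue or of Vault's code base. RoleFlags, EKUsFor, IssueLeaf and CheckNotationCompatible are names chosen here; IssueLeaf builds a throwaway self-signed certificate locally instead of calling Vault, so the check runs offline with the Go standard library only. The flag-to-EKU mapping is the one visible in the issued certificate (server_flag to ServerAuth, client_flag to ClientAuth, code_signing_flag to CodeSigning, email_protection_flag to EmailProtection); the default role has server_flag and client_flag enabled, which is what produces the two redundant EKUs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RoleFlags mirrors the *_flag fields of a Vault PKI role as they appear in
// `vault read pki/roles/<name>`. Hypothetical struct for this example, not a
// Vault type.
type RoleFlags struct {
	Server          bool // server_flag
	Client          bool // client_flag
	CodeSigning     bool // code_signing_flag
	EmailProtection bool // email_protection_flag
}

// EKUsFor maps enabled flags to the Extended Key Usage values they produce in
// the issued certificate. A default role (server_flag and client_flag true)
// yields [ServerAuth, ClientAuth].
func EKUsFor(f RoleFlags) []x509.ExtKeyUsage {
	var ekus []x509.ExtKeyUsage
	if f.Server {
		ekus = append(ekus, x509.ExtKeyUsageServerAuth)
	}
	if f.Client {
		ekus = append(ekus, x509.ExtKeyUsageClientAuth)
	}
	if f.CodeSigning {
		ekus = append(ekus, x509.ExtKeyUsageCodeSigning)
	}
	if f.EmailProtection {
		ekus = append(ekus, x509.ExtKeyUsageEmailProtection)
	}
	return ekus
}

// IssueLeaf mimics what a role with flags f and key usage ku would issue: a
// throwaway self-signed certificate (no Vault involved, constructed here for
// the example) carrying those extensions, so the checker can be run offline.
func IssueLeaf(f RoleFlags, ku x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "signer.example.test"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  EKUsFor(f),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckNotationCompatible enforces the requirement quoted in the issue: the
// certificate must carry exactly the DigitalSignature key usage and no EKU
// at all (known or unknown OIDs). The error says which condition failed so
// the function can serve as a CI gate before a signing key is enrolled.
func CheckNotationCompatible(c *x509.Certificate) error {
	if c.KeyUsage != x509.KeyUsageDigitalSignature {
		return fmt.Errorf("key usage must be exactly DigitalSignature, got bits %#x", int(c.KeyUsage))
	}
	if n := len(c.ExtKeyUsage) + len(c.UnknownExtKeyUsage); n > 0 {
		return fmt.Errorf("certificate carries %d EKU value(s); notation requires none", n)
	}
	return nil
}

func main() {
	// Default role flags: the certificate gets ServerAuth and ClientAuth EKUs.
	c1, err := IssueLeaf(RoleFlags{Server: true, Client: true}, x509.KeyUsageDigitalSignature)
	if err != nil {
		panic(err)
	}
	fmt.Println("default role  :", CheckNotationCompatible(c1))

	// After `vault patch pki/roles/foo server_flag=false client_flag=false`.
	c2, err := IssueLeaf(RoleFlags{}, x509.KeyUsageDigitalSignature)
	if err != nil {
		panic(err)
	}
	fmt.Println("patched role  :", CheckNotationCompatible(c2))
}
```

The two conditions the checker tests are the ones `openssl x509 -in <CERTFILE-NAME>.pem -noout -text` shows under "X509v3 Key Usage" and "X509v3 Extended Key Usage". Since notation rejects extra key usage bits as well as extra EKUs, disabling the four *_flag values is not enough on its own: the role's key_usage parameter must also leave only DigitalSignature, which is why the checker compares the whole KeyUsage bit set rather than just testing for the DigitalSignature bit.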