Open dannyleesmith opened 3 months ago
Hi @dannyleesmith,
Agreed, when importing multiple CAs through set-signed the response isn't the most helpful. Also the ordering within mapping
field should not be relied upon, there are quite a few layers of code that might in the future tweak the output of that map.
A few questions to start a discussion around this:
set-signed
calls with a single CA for each isn't workable solution? That would guarantee the id back with the current api. issuer_name
as an example upon import to avoid the need to update later on?Hi @stevendpclark,
Yes I had found the mapping
field to be unreliable so went through additional testing and that then led me to an answer that speaks to your first question.
set-signed
multiple times:
ca_chain
returned by pki/root/sign-intermediate
appears to be consistently in the same orderThanks for looking into this one.
Is your feature request related to a problem? Please describe. I am working on a project to automate CA rotation in PKI mounts. When using the
pki/intermediate/set-signed
endpoint the response generally looks like this:This output was for a newly signed certificate for an intermediate where the chain has not changed.
It is frustrating that of all the issuers returned (
imported_issuers
in this case was 1 in this case but would be more if it were the first time parent CA(s) were being imported) there is not a field to specify the one that is for the new intermediate. This is important because it is the one you might want to feed through to following commands to perform actions such as updating it to have a friendly name, make it the default issuer for a role, make it the default issuer for the mount, etc.Describe the solution you'd like What would be ideal is that
set-signed
could determine the issuer reference of all the returned issuers so it could be fed through to the following commands. Alternatively, if there is some sort of consistency to the returned values (for example ifimported_issuers
ormapping
can also be determined based on the input then this could be calculated.For example, in testing it seems that the
mapping
field has the keys returned in the order that a bundle was imported. For example, if I had a root, 2nd tier intermediate, and third tier intermediate, and I specifically built the PEM bundle to be in that order, the final key was the correct reference. If this is the case then a documentation update to make this clear that the order is always consistent would allow for those writing automation to ensure they have a consistent approach to building chains. Particularly if they only needed to ensure the final certificate was the new certificate that had just been signed.Describe alternatives you've considered An alternative was to take a read of all the existing keys before performing
set-signed
and then comparing that to a list after the fact. This worked most of the time but did not feel as consistent.Explain any additional use-cases The use cases above I feel cover the problem well.
Additional context No other context comes to mind but happy to field questions and provide what I can.