hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

No way to generate PKI certificate without common name #8444

Closed jpds closed 4 years ago

jpds commented 4 years ago

Is your feature request related to a problem? Please describe.

I would like to generate a PKI client certificate without a common name, but using a serial number for its Subject.

The Create Role PKI endpoint supports setting require_cn to false; however, the Generate Certificate endpoint used immediately after requires a common name.

I would like to be able to do something like this instead:

vault write pki_int/roles/test \
    allowed_serial_numbers="e19b4a9182c85978" \
    basic_constraints_valid_for_non_ca=true \
    client_flag=false \
    enforce_hostnames=false \
    key_type=rsa \
    key_bits=4096 \
    key_usage="DigitalSignature" \
    require_cn=false \
    server_flag=false \
    ttl="43800h"

vault write pki_int/issue/test \
    serial_number="e19b4a9182c85978" \
    exclude_cn_from_sans=true \
    ttl="43800h"

And only have a serialNumber and no CN in my certificate Subject.
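The certificate shape the request above asks for (a Subject carrying only a serialNumber attribute, OID 2.5.4.5, and no CN), together with the check that the role settings require_cn=false and allowed_serial_numbers would enforce on it, as an added example that is not part of the original issue or of Vault's own code. It uses only Go's standard library, self-signs the certificate instead of going through a Vault-issued CA, and substitutes an ECDSA P-256 key for the rsa/4096 key in the role so it runs quickly; the serial number value is the one from the issue, the key usage and basic constraints follow the role, and no extended key usage is set because both client_flag and server_flag are false.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AllowedSerialNumbers mirrors the role's allowed_serial_numbers setting
// (value taken from the issue text; constructed for this example).
var AllowedSerialNumbers = []string{"e19b4a9182c85978"}

// IssueCert builds a self-signed certificate whose Subject contains only a
// serialNumber attribute and no commonName, with the key usage and basic
// constraints the issue's role sets. It returns the DER encoding.
// Assumption: ECDSA P-256 stands in for the role's rsa/4096 key type.
func IssueCert(subjectSerial string, ttl time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// The X.509 certificate serial (a random integer) is distinct from the
	// Subject serialNumber attribute requested in the issue.
	certSerial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          certSerial,
		Subject:               pkix.Name{SerialNumber: subjectSerial}, // no CommonName
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,          // key_usage="DigitalSignature"
		BasicConstraintsValid: true,                                    // basic_constraints_valid_for_non_ca=true
		IsCA:                  false,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SubjectString renders the parsed Subject as RFC 2253 style text, which is
// what an operator would inspect to confirm that no CN was emitted.
func SubjectString(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return cert.Subject.String(), nil
}

// CheckSubject is the policy the issue asks the role to enforce: reject any
// certificate whose Subject has a CN, and accept a Subject serialNumber only
// if it appears in the allowed list.
func CheckSubject(der []byte, allowed []string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if cert.Subject.CommonName != "" {
		return fmt.Errorf("subject has a CN %q but require_cn=false role should not need one", cert.Subject.CommonName)
	}
	if cert.Subject.SerialNumber == "" {
		return errors.New("subject has no serialNumber attribute")
	}
	for _, s := range allowed {
		if s == cert.Subject.SerialNumber {
			return nil
		}
	}
	return fmt.Errorf("subject serialNumber %q is not in allowed_serial_numbers", cert.Subject.SerialNumber)
}

func main() {
	der, err := IssueCert(AllowedSerialNumbers[0], 43800*time.Hour) // ttl="43800h"
	if err != nil {
		panic(err)
	}
	subj, _ := SubjectString(der)
	fmt.Println("Subject:", subj) // SERIALNUMBER=e19b4a9182c85978, no CN
	fmt.Println("policy check:", CheckSubject(der, AllowedSerialNumbers))
}
```

Running it prints a Subject of `SERIALNUMBER=e19b4a9182c85978` and a nil policy result; the same CheckSubject function can be pointed at a PEM-decoded certificate returned by `vault write pki_int/issue/...` to confirm whether a CN slipped into the Subject.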

catsby commented 4 years ago

Hello - could you share any error messages you're getting when you attempt these commands? Thanks!

raskchanky commented 4 years ago

Hi @jpds

We haven’t heard back from you on this for a while. I’m going to close this for now, but please feel free to re-open it with additional information!