vcert
CustomFields are not supported with ImportCertificate
I use the `ImportCertificate` function with the latest version of vcert (v4.15.2, 171269e) to import certificates into TPP. I wish to add "custom fields" to the certificates in order to identify them (also called "Attributes" in the "Support" tab in Venafi TPP).
My call to `ImportCertificate` looks like this:

```go
tpp.ImportCertificate(&certificate.ImportRequest{
	// ...
	CustomFields: []certificate.CustomField{
		{Type: certificate.CustomFieldOrigin, Value: "my-tool"},
		{Type: certificate.CustomFieldPlain, Name: "Cluster", Value: "foo"},
	},
})
```
It seems like only the Origin field gets added to TPP. The other "plain" fields don't.
Under the hood, `ImportCertificate` does 4 HTTP requests:
The last one is the faulty one. As you can see, only the Origin field is set:
Digging into vcert, it seems like the TPP implementation of `ImportCertificate` discards any custom field that does not have the Origin type:
https://github.com/Venafi/vcert/blob/0645745c0c8c5800811b5a6b200cfb9bef30a32a/pkg/venafi/tpp/connector.go#L1253-L1258
Is that intended?
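Added example, not part of the original issue and not vcert code: a pre-flight guard that reproduces the filtering reported above and fails closed when an import would drop custom fields. The types are local stand-ins for vcert's `certificate.CustomField`, and `splitForImport` and `checkImportFields` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// Local stand-ins for vcert's certificate.CustomField types (assumption: they
// mirror the snippet in the issue) so the example runs without the module.
type CustomFieldType int

const (
	CustomFieldPlain CustomFieldType = iota
	CustomFieldOrigin
)

type CustomField struct {
	Type        CustomFieldType
	Name, Value string
}

// splitForImport mirrors the behaviour reported in the issue: only Origin
// fields reach TPP on import; the rest are returned by name as dropped.
func splitForImport(fields []CustomField) (applied []CustomField, dropped []string) {
	for _, f := range fields {
		if f.Type == CustomFieldOrigin {
			applied = append(applied, f)
		} else {
			dropped = append(dropped, f.Name)
		}
	}
	return applied, dropped
}

// checkImportFields (hypothetical helper) fails closed on any dropped field.
func checkImportFields(fields []CustomField) error {
	if _, dropped := splitForImport(fields); len(dropped) > 0 {
		return fmt.Errorf("custom fields not applied on import: %s", strings.Join(dropped, ", "))
	}
	return nil
}

func main() {
	// Constructed input matching the call in the issue.
	fmt.Println(checkImportFields([]CustomField{
		{Type: CustomFieldOrigin, Value: "my-tool"},
		{Type: CustomFieldPlain, Name: "Cluster", Value: "foo"},
	}))
}
```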
@maelvls Yes, you're right this would be an enhancement. We've actually never previously had anyone express interest in Custom Field support for the import use case and since TPP currently lacks that support in the `POST /vedsdk/certificates/import` API endpoint, adding it would be quite expensive from the standpoint of the number of API calls required. Since Custom Fields in TPP can be applied by policy (and inherited by certificates) and import typically targets a single policy folder (zone), I suspect that is how customers have been getting the Custom Field assignments if they require it.
Added https://community.venafi.com/ideas/custom-field-support-for-post-vedsdk-certificates-import-1017
Thanks for creating this feature request in community.venafi.com/ideas! Unfortunately, I don't have access to it :disappointed: I have requested access to Venafi Warrior Community ~but Venafi support needs approval~ Jetstack employees aren't allowed yet.
Do you think this link can be accessed by the community?
The link should be accessible to all current Venafi customers. It has not yet been opened up to all internal departments but I believe that is the end goal.