auth_keys are ignored on http endpoints?
config:
{
    "signing": {
        "default": {
            "usages": [
                "signing",
                "key encipherment",
                "client auth"
            ],
            "auth_key": "supersecretkey",
            "expiry": "26280h"
        },
        "profiles": {
            "server": {
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ],
                "expiry": "43800h"
            }
        }
    },
    "auth_keys": {
        "supersecretkey": {
            "type": "standard",
            "key": "0123456789ABCDEF0123456789ABCDEF"
        }
    }
}
But when I make a request to /api/v1/cfssl/newcert (without a profile) it allows me to create a certificate without passing the key. I also don't see how I would even pass it in api.txt. From the blog post about cfssl it says:
We also added an authentication key to this signing policy. This authentication key should be randomly generated and kept private. The API key is a basic authentication mechanism that prevents unauthorized parties from requesting certificates.
Am I misunderstanding how this works?
The auth feature was mostly designed for CFSSL instances interacting with the multirootca, but the cfssl server doesn't have an authenticated newcert endpoint for local signatures. This is something we're thinking about the best way to implement.
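As an added illustration (not code from the cfssl project and not posted by anyone in this thread): what a `"type": "standard"` entry in `auth_keys` is actually used for, reconstructed with only the Go standard library. The scheme (HMAC-SHA256 over the serialised signing request, sent in an envelope with base64 `token` and `request` fields) and the envelope field names follow my understanding of cfssl's auth package and its authenticated signing path; they are not stated on this page. The hex key is the one from the config above, and the sample signing request is constructed. The point for a defender is that the key only protects requests that arrive inside this envelope; an endpoint that accepts a bare request never consults `auth_keys`, which is exactly the gap the thread describes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthenticatedRequest is the envelope an authenticated cfssl endpoint
// expects (field names as I understand cfssl's auth package; assumption).
// encoding/json base64-encodes the []byte fields on the wire.
type AuthenticatedRequest struct {
	Timestamp     int64  `json:"timestamp,omitempty"`
	RemoteAddress []byte `json:"remote_address,omitempty"`
	Token         []byte `json:"token"`
	Request       []byte `json:"request"`
}

// StandardProvider models the "standard" auth_keys type: a shared secret
// given as hex in the config, used as an HMAC-SHA256 key.
type StandardProvider struct {
	key []byte
}

// NewStandard decodes the hex key exactly as it appears in the config.
func NewStandard(hexKey string) (*StandardProvider, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, err
	}
	if len(key) == 0 {
		return nil, errors.New("auth key must not be empty")
	}
	return &StandardProvider{key: key}, nil
}

// Token computes HMAC-SHA256(key, request): the proof the client attaches
// to show it holds the shared key.
func (s *StandardProvider) Token(req []byte) []byte {
	h := hmac.New(sha256.New, s.key)
	h.Write(req)
	return h.Sum(nil)
}

// Verify recomputes the token server-side; hmac.Equal is constant-time.
func (s *StandardProvider) Verify(ad *AuthenticatedRequest) bool {
	return hmac.Equal(s.Token(ad.Request), ad.Token)
}

// Wrap turns a plain signing request (what newcert accepts unauthenticated)
// into an authenticated envelope.
func (s *StandardProvider) Wrap(signRequest []byte) ([]byte, error) {
	ad := AuthenticatedRequest{Token: s.Token(signRequest), Request: signRequest}
	return json.Marshal(ad)
}

// Unwrap is the server side: parse, verify, and only then hand the inner
// request on. A missing, wrong or stale token, or any change to the body,
// is rejected before a certificate is ever issued.
func (s *StandardProvider) Unwrap(envelope []byte) ([]byte, error) {
	var ad AuthenticatedRequest
	if err := json.Unmarshal(envelope, &ad); err != nil {
		return nil, fmt.Errorf("malformed envelope: %w", err)
	}
	if !s.Verify(&ad) {
		return nil, errors.New("authentication token invalid")
	}
	return ad.Request, nil
}

func main() {
	// Key taken from the auth_keys block in the config above.
	p, err := NewStandard("0123456789ABCDEF0123456789ABCDEF")
	if err != nil {
		panic(err)
	}
	// Constructed sample signing request.
	req := []byte(`{"request":{"CN":"example.internal","hosts":["example.internal"]},"profile":"server"}`)
	env, _ := p.Wrap(req)
	fmt.Println("envelope:", string(env))

	if inner, err := p.Unwrap(env); err == nil {
		fmt.Println("accepted:", string(inner))
	}
	// Flip one byte of the inner request: the server must reject it.
	var ad AuthenticatedRequest
	_ = json.Unmarshal(env, &ad)
	ad.Request[2] ^= 0x01
	tampered, _ := json.Marshal(ad)
	if _, err := p.Unwrap(tampered); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The same `Unwrap` logic is what an unauthenticated `newcert` path is missing: with no envelope there is nothing to verify, so the key in `auth_keys` is never consulted for that request.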
Is there an update for this? I was planning to use this tool but this bug is a show stopper.
I would like auth_keys to work with /api/v1/cfssl/newcert too. Is this planned in an upcoming release? Thanks
This is a real problem and prevents us from adopting cfssl.