Add Basic Constraints attribute to vault_pki_secret_backend_intermediate_cert_request

[tomwerneruk]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Release note for CHANGELOG:

Updates `vault_pki_secret_backend_intermediate_cert_request` resource to include the `add_basic_constraints` argument. This adds extensions required when signing intermediate CSRs by Microsoft AD CS Root Authorities.

[keithmattix]

I'm running into this issue right now trying to use Google CAS as a root CA. Please add!

[hashicorp-cla]

All committers have signed the CLA.

[lipika-pal-partior]

can this be added please?

I'm using Google CAS as a root CA and running into this issue.

[vanveele]

What is holding up this PR?

[robmonte]

Hi @tomwerneruk Thanks for your contribution! Sorry its taken a bit of time to get to it. It seems there's some merge conflicts now since you first submitted this PR. I was wondering if you'd be able to update the feature branch to address these conflicts? If not, I can pick your commits into a new PR branch myself.

In the mean time, I'll begin reviewing and testing your submission!

[robmonte]

Closing now as the above PR has been merged!

[boeboe]

This would also fix an issue where the generated intermediate cert is used as root ca within an Istio cluster. It needs to be able to sign leaf certificates for workloads, which it cannot do without X509v3 Basic Constraint CA:TRUE