
[Bug]: Intermediate CA incorrect max_path_length being set

Open edas-smith opened this issue 2 years ago • 0 comments

Terraform Core Version

1.4.6

Terraform Vault Provider Version

3.21.0

Vault Server Version

1.15.0

Affected Resource(s)

resource "vault_pki_secret_backend_root_sign_intermediate"

Expected Behavior

When running the command `openssl x509 -in intermediateCA.crt -noout -text` against the newly created & imported Intermediate certificate, I expect this:

```text
X509v3 Basic Constraints: critical
    CA:TRUE, pathlen:0
```

Worth noting that my Root CA has a max_path_length of 2

Actual Behavior

But instead, I get this:

```text
X509v3 Basic Constraints: critical
    CA:TRUE, pathlen:1
```

Seems like when you set the max_path_length to 0, it is ignored and set to 1.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

I have the below resource block, which is used to sign a CSR for an Intermediate CA:

```hcl
resource "vault_pki_secret_backend_root_sign_intermediate" "this" {
  backend         = var.root_ca_engine_path
  csr             = vault_pki_secret_backend_intermediate_cert_request.this.csr
  common_name     = var.intermediate_ca_common_name
  max_path_length = var.intermediate_ca_max_path_length
  use_csr_values  = true
}
```

The max_path_length variable looks like this:

```hcl
variable "intermediate_ca_max_path_length" {
  description = "Specifies the max path_length of the Intermediate CA"
  type        = number
  default     = 0
}
```

Worth noting that this is a snippet of the configuration, but it should be sufficient to attempt to reproduce/investigate.

Steps to Reproduce

Attempt to use the resource `vault_pki_secret_backend_root_sign_intermediate` to sign an intermediate with a Root CA. Make sure to set the max_path_length of this resource to 0 and that of the Root CA to 2.

Debug Output

N/A

Panic Output

N/A

Important Factoids

Nothing out of the ordinary.

Any additional information in regard to the below, or if I am missing something, would be greatly appreciated. I am experimenting with a PKI structure of: Root CA -> Intermediate CA -> Client Cert.

References

No response

Would you like to implement a fix?

No

edas-smith, Oct 20 '23 09:10
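The `openssl` check quoted in the Expected/Actual sections, done programmatically, as an added example that is not part of the issue or of the provider: it decodes a DER-encoded BasicConstraints extension value with the standard library only and reports whether a signed intermediate matches the requested pathlen of 0 under a root with pathlen 2. The function names and the two sample extension values (EXPECTED/ACTUAL, mirroring the two outputs quoted above) are constructed for illustration.

```python
# Decode an X.509 BasicConstraints extension value (RFC 5280 4.2.1.9)
# from DER and check it against the path-length policy the issue expects.
# Standard library only; sample values below are constructed by hand.
from typing import List, Optional, Tuple

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos] and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Return (ca, path_len); path_len is None when pathLenConstraint is absent.
    cA is DEFAULT FALSE, so a SEQUENCE without the BOOLEAN means CA:FALSE."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(seq) and seq[pos] == 0x01:  # BOOLEAN cA
        _, val, pos = _read_tlv(seq, pos)
        ca = val != b"\x00"
    if pos < len(seq) and seq[pos] == 0x02:  # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(seq, pos)
        path_len = int.from_bytes(val, "big")
    return ca, path_len

def check_intermediate(issued: bytes, requested: int, root_path_len: int) -> List[str]:
    """Findings for a freshly signed intermediate; empty means it matches intent."""
    ca, path_len = decode_basic_constraints(issued)
    findings = []
    if not ca:
        findings.append("CA:FALSE - certificate cannot act as an intermediate")
    if path_len is None:
        findings.append("pathlen absent - intermediate may sign further CAs")
    elif path_len != requested:
        findings.append(f"pathlen:{path_len} differs from requested pathlen:{requested}")
    if path_len is not None and path_len >= root_path_len:
        findings.append(f"pathlen:{path_len} exceeds what root pathlen:{root_path_len} allows")
    return findings

# Constructed DER: SEQUENCE { BOOLEAN TRUE, INTEGER n }
EXPECTED = bytes.fromhex("3006 0101ff 020100")  # CA:TRUE, pathlen:0 (expected)
ACTUAL = bytes.fromhex("3006 0101ff 020101")    # CA:TRUE, pathlen:1 (reported)

if __name__ == "__main__":
    for label, ext in (("expected", EXPECTED), ("actual", ACTUAL)):
        print(label, decode_basic_constraints(ext), check_intermediate(ext, 0, 2))
```

Feed `check_intermediate` the raw value of the 2.5.29.19 extension taken from the certificate under test; an empty findings list is the pathlen:0 outcome the issue expects, and the reported pathlen:1 shows up as a mismatch finding.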