
Allow old certs to be cross-signed

Open cipherboy opened this issue 1 year ago • 1 comment

In Vault 1.11, we introduced cross-signing support, but the earlier SKID field change in Vault 1.10 causes problems: notably, certs created on older versions of Vault (<=1.9) or outside of Vault (with a different SKID method) cannot be cross-signed and validated in OpenSSL.

In particular, OpenSSL appears to be unique in requiring a SKID/AKID match for chain building. If AKID and SKID are present on an otherwise valid client/parent cert pair and the values are different, OpenSSL will not build a valid path over those two, whereas most other chain validation implementations will.

Regardless, to have proper cross-signing support, we really ought to support copying an SKID. This adds such support to the sign-intermediate endpoint. Support for the /issue endpoint is not added, as cross-signing leaf certs isn't generally useful and can accept random SKIDs.

Resolves: #16461

Signed-off-by: Alexander Scheel <[email protected]>

cipherboy avatar Jul 28 '22 20:07 cipherboy
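The SKID/AKID linkage the description talks about, shown as an added Go example that is not part of this PR or of Vault's PKI engine. `legacySKID` is a hypothetical stand-in for "a different SKID method" (truncated SHA-256 here), `CrossSign` is a minimal stand-in for what a sign-intermediate endpoint with SKID copying does, and the root, intermediate and leaf are all constructed inline. OpenSSL itself is not exercised; the example only demonstrates that re-signing without copying the SKID breaks the leaf's AKID linkage, that copying it preserves the linkage, and that Go's own chain builder, like most non-OpenSSL implementations, accepts both chains.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// legacySKID is a hypothetical stand-in for an SKID method that differs from the one the
// cross-signing CA computes on its own (here: truncated SHA-256 of the SubjectPublicKeyInfo).
// Go's x509 computes a SHA-1 SKID when a CA template leaves SubjectKeyId empty.
func legacySKID(pub *ecdsa.PublicKey) []byte {
	sum := sha256.Sum256(must(x509.MarshalPKIXPublicKey(pub)))
	return sum[:20]
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl for pub under parent. CreateCertificate copies parent.SubjectKeyId into
// the child's AuthorityKeyId, which is the linkage OpenSSL insists on when building a path.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// CrossSign re-issues existing under newRoot. With copySKID the original SubjectKeyId is
// carried over; without it the signer computes a fresh one and leaf AKIDs no longer match.
func CrossSign(existing, newRoot *x509.Certificate, rootKey *ecdsa.PrivateKey, copySKID bool) *x509.Certificate {
	tmpl := caTemplate(existing.Subject.CommonName, 100)
	tmpl.NotBefore, tmpl.NotAfter = existing.NotBefore, existing.NotAfter
	if copySKID {
		tmpl.SubjectKeyId = existing.SubjectKeyId
	}
	return issue(tmpl, newRoot, existing.PublicKey, rootKey)
}

// goVerifies reports whether Go's chain builder accepts leaf -> inter -> root; unlike
// OpenSSL it matches parents by subject name and only prefers an SKID match.
func goVerifies(leaf, inter, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

type Result struct {
	NaiveMatches, CopiedMatches       bool // leaf AKID == cross-signed intermediate SKID?
	GoVerifiesNaive, GoVerifiesCopied bool // does Go build a path to Root B anyway?
}

func Demo() Result {
	rootAKey, rootBKey, intKey, leafKey := newKey(), newKey(), newKey(), newKey()
	rootATmpl, rootBTmpl := caTemplate("Root A", 1), caTemplate("Root B", 2)
	rootA := issue(rootATmpl, rootATmpl, &rootAKey.PublicKey, rootAKey)
	rootB := issue(rootBTmpl, rootBTmpl, &rootBKey.PublicKey, rootBKey)
	// Intermediate under Root A with the legacy-style SKID; the leaf inherits it as AKID.
	intTmpl := caTemplate("Intermediate", 3)
	intTmpl.SubjectKeyId = legacySKID(&intKey.PublicKey)
	inter := issue(intTmpl, rootA, &intKey.PublicKey, rootAKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "leaf.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, intKey)
	naive, copied := CrossSign(inter, rootB, rootBKey, false), CrossSign(inter, rootB, rootBKey, true)
	return Result{
		NaiveMatches:     bytes.Equal(leaf.AuthorityKeyId, naive.SubjectKeyId),
		CopiedMatches:    bytes.Equal(leaf.AuthorityKeyId, copied.SubjectKeyId),
		GoVerifiesNaive:  goVerifies(leaf, naive, rootB),
		GoVerifiesCopied: goVerifies(leaf, copied, rootB),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Running it prints a `Result` with `NaiveMatches:false` and `CopiedMatches:true`: only the cross-signed intermediate that carries the original SKID leaves the existing leaf's AKID pointing at it, which is the property an OpenSSL-based verifier needs. Both `GoVerifies*` fields are true, illustrating the point that non-OpenSSL path builders do not require the match. To see the OpenSSL side, write the three certs to PEM and check them with `openssl verify -CAfile rootB.pem -untrusted cross.pem leaf.pem` for each variant.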

@dmitriy-moiseev -- do you want to test this to make sure this satisfies your use case? If you go to the GH test build -> summary page you can fetch a pre-built scratch binary if it is of interest.

cipherboy avatar Jul 29 '22 14:07 cipherboy

@kitography @stevendpclark -- updated!

cipherboy avatar Aug 01 '22 12:08 cipherboy