
The Generate root API doesn't consider changes of field key_usage #29362

@krzysztof-dziadziak

Description

Describe the bug
While creating a root certificate I parameterize it with the field key_usage set to DigitalSignature, but it doesn't appear in the certificate.

To Reproduce
Steps to reproduce the behavior:

  1. Run vault secrets enable -path=a pki
  2. Run vault secrets tune -max-lease-ttl=87600h a
  3. Run vault write a/root/generate/exported common_name="cn" key_type=rsa key_bits=4096 key_usage="DigitalSignature" ttl=87600h dummy_key="dummy_value" ou="outest" country="PL" private_key_format=pem format=pem (setting the key_usage field to an empty string also has no effect on the generated certificate)
  4. Run openssl x509 -in a.crt -text -noout; the X509v3 Key Usage: critical extension shows only Certificate Sign, CRL Sign, and the UI shows the same values. Organizational units and Country are set properly:
 X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                A2:CD:D5:5D:36:5B:3C:09:31:18:40:DD:8E:9B:AA:C5:BD:AC:D9:FD
            X509v3 Authority Key Identifier: 
                A2:CD:D5:5D:36:5B:3C:09:31:18:40:DD:8E:9B:AA:C5:BD:AC:D9:FD

Expected behavior
I expect the newly issued certificate to have at least the key_usage that I requested.

 X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign, DigitalSignature
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                A2:CD:D5:5D:36:5B:3C:09:31:18:40:DD:8E:9B:AA:C5:BD:AC:D9:FD
            X509v3 Authority Key Identifier: 
                A2:CD:D5:5D:36:5B:3C:09:31:18:40:DD:8E:9B:AA:C5:BD:AC:D9:FD

Environment:

  • Vault Server Version: 1.18.3
  • Vault CLI Version: Vault v1.18.3 (7ae4eca), built 2024-12-16T14:00:53Z
  • Server Operating System/Architecture: WSL/Ubuntu-24.04

Vault server configuration file(s):

Default, out of the box set up run within vault server -dev

The field in the documentation - https://developer.hashicorp.com/vault/api-docs/secret/pki#key_usage-2
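The check a practitioner would want after step 4 is a mechanical comparison of the key_usage values requested from Vault against the Key Usage extension that actually ends up in the issued certificate, rather than eyeballing the openssl output. The script below is an added example written for this page; it is not Vault's code and not the reporter's. It parses the text printed by `openssl x509 -text -noout`, translates the Vault-style names (DigitalSignature, CertSign, CRLSign, and so on, taken here to be Go's x509.KeyUsage constant names without the "KeyUsage" prefix; that mapping and OpenSSL's label spelling are this example's assumptions) into OpenSSL's labels, and reports which requested usages are missing. The sample input is the extension block from the report above, embedded as a constructed string.

```python
import re
import sys

# Vault key_usage names mapped to the labels OpenSSL prints in
# `openssl x509 -text`. Both the Vault names and the OpenSSL spellings
# are this example's assumptions, not something the report states.
VAULT_TO_OPENSSL = {
    "DigitalSignature": "Digital Signature",
    "ContentCommitment": "Non Repudiation",
    "KeyEncipherment": "Key Encipherment",
    "DataEncipherment": "Data Encipherment",
    "KeyAgreement": "Key Agreement",
    "CertSign": "Certificate Sign",
    "CRLSign": "CRL Sign",
    "EncipherOnly": "Encipher Only",
    "DecipherOnly": "Decipher Only",
}

# Constructed sample: the extension block observed in the report above.
OBSERVED_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
"""


def parse_key_usage(openssl_text):
    """Return (critical, set of usage labels) from `openssl x509 -text` output.

    OpenSSL prints the extension name on one line and the comma-separated
    usages on the next; anchoring the regex at line start keeps
    "X509v3 Extended Key Usage" from matching.
    """
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*X509v3 Key Usage:(.*)$", line)
        if m:
            critical = "critical" in m.group(1)
            values = lines[i + 1].strip() if i + 1 < len(lines) else ""
            return critical, {v.strip() for v in values.split(",") if v.strip()}
    return False, set()


def check_requested_usages(openssl_text, requested):
    """Compare requested Vault key_usage names against the issued certificate.

    `requested` is a list or a comma-separated string of Vault names.
    Returns the present/missing/extra usages (as OpenSSL labels) so a caller
    can fail a pipeline when `missing` is non-empty.
    """
    if isinstance(requested, str):
        requested = [r.strip() for r in requested.split(",") if r.strip()]
    unknown = [r for r in requested if r not in VAULT_TO_OPENSSL]
    if unknown:
        raise ValueError(f"unknown Vault key_usage value(s): {unknown}")
    critical, present = parse_key_usage(openssl_text)
    wanted = {VAULT_TO_OPENSSL[r] for r in requested}
    return {
        "critical": critical,
        "present": sorted(present),
        "missing": sorted(wanted - present),
        "extra": sorted(present - wanted),
    }


if __name__ == "__main__":
    # Pipe real output in (openssl x509 -in a.crt -text -noout | python3 this.py),
    # otherwise fall back to the constructed sample from the report.
    text = OBSERVED_TEXT if sys.stdin.isatty() else sys.stdin.read()
    result = check_requested_usages(text, "DigitalSignature")
    print(result)
    sys.exit(1 if result["missing"] else 0)
```

Run against the report's output with key_usage="DigitalSignature" requested, the script exits non-zero and reports "Digital Signature" as missing while "Certificate Sign" and "CRL Sign" are present, which is exactly the discrepancy the report describes.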
