Closed
Description
Describe the bug
While creating a root certificate I parameterize it with the field `key_usage` set to `DigitalSignature`, but it doesn't appear in the certificate.
To Reproduce
Steps to reproduce the behavior:
- Run `vault secrets enable -path=a pki`
- Run `vault secrets tune -max-lease-ttl=87600h a`
- Run `vault write a/root/generate/exported common_name="cn" key_type=rsa key_bits=4096 key_usage="DigitalSignature" ttl=87600h dummy_key="dummy_value" ou="outest" country="PL" private_key_format=pem format=pem`; setting the `key_usage` field to an empty string also doesn't have any effect on the generated certificate
- Run `openssl x509 -in a.crt -text -noout`; the `X509v3 Key Usage: critical` line shows only `Certificate Sign, CRL Sign`; the UI shows the same values; organizational units and country are set properly
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Subject Key Identifier:
        A2:CD:D5:5D:36:5B:3C:09:31:18:40:DD:8E:9B:AA:C5:BD:AC:D9:FD
    X509v3 Authority Key Identifier:
        A2:CD:D5:5D:36:5B:3C:09:31:18:40:DD:8E:9B:AA:C5:BD:AC:D9:FD
```
Expected behavior
I expect the newly issued certificate to have at least the `key_usage` that I requested.
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign, DigitalSignature
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Subject Key Identifier:
        A2:CD:D5:5D:36:5B:3C:09:31:18:40:DD:8E:9B:AA:C5:BD:AC:D9:FD
    X509v3 Authority Key Identifier:
        A2:CD:D5:5D:36:5B:3C:09:31:18:40:DD:8E:9B:AA:C5:BD:AC:D9:FD
```
Environment:
- Vault Server Version: 1.18.3
- Vault CLI Version: Vault v1.18.3 (7ae4eca), built 2024-12-16T14:00:53Z
- Server Operating System/Architecture: WSL/Ubuntu-24.04
Vault server configuration file(s):
Default, out-of-the-box setup, run with `vault server -dev`.
The field in the documentation: https://developer.hashicorp.com/vault/api-docs/secret/pki#key_usage-2