Skip to content

PKI sign not_after can exceed max_ttl #29928

Description

@rkapl

Description

The sign/pki/{role} endpoint signs certificates that exceed the role's max_ttl.

To Reproduce

  1. Setup a PKI with CA cert with not_after in far future
  2. Create role with max_ttl set
vault write pki/roles/tmp \
    key_bits=384 key_type=ec key_usage=DigitalSignature
    max_ttl=60d ttl=60d
  1. Request sign a CSR with not_after parameter:
vault write pki/sign/tmp csr=@example.pem common_name=example.com not_after=2040-01-01T10:10:10Z

Expected behavior
The issued certificate has not_after = now() + 60d and warning like not_after is after the date permitted by maxTTL XXX, so maximum possible not_after ZZZ is being used.

This warning will be issued if TTL is supplied explicitely, e.g.:

vault write pki/sign/tmp csr=@example.pem common_name=example.com ttl=90d

It seems that the check in the code is simply not present for the not_after branch in builtin/logical/pki/issuing/issue_common.go L990.

If this is somehow expected behavior, I think it needs to be documented what function does max_ttl on the role serve. I would expect it is there to restrict the validity of issued certificates.

Environment:
Server version: Version 1.19.0
OS: Suse Leap 15.6 x86

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions