Description
The sign/pki/{role} endpoint signs certificates that exceed the role's max_ttl.
To Reproduce
- Setup a PKI with CA cert with
not_after in far future
- Create role with
max_ttl set
vault write pki/roles/tmp \
key_bits=384 key_type=ec key_usage=DigitalSignature
max_ttl=60d ttl=60d
- Request sign a CSR with
not_after parameter:
vault write pki/sign/tmp csr=@example.pem common_name=example.com not_after=2040-01-01T10:10:10Z
Expected behavior
The issued certificate has not_after = now() + 60d and warning like not_after is after the date permitted by maxTTL XXX, so maximum possible not_after ZZZ is being used.
This warning will be issued if TTL is supplied explicitely, e.g.:
vault write pki/sign/tmp csr=@example.pem common_name=example.com ttl=90d
It seems that the check in the code is simply not present for the not_after branch in builtin/logical/pki/issuing/issue_common.go L990.
If this is somehow expected behavior, I think it needs to be documented what function does max_ttl on the role serve. I would expect it is there to restrict the validity of issued certificates.
Environment:
Server version: Version 1.19.0
OS: Suse Leap 15.6 x86
Description
The
sign/pki/{role}endpoint signs certificates that exceed the role'smax_ttl.To Reproduce
not_afterin far futuremax_ttlsetnot_afterparameter:Expected behavior
The issued certificate has
not_after = now() + 60dand warning like not_after is after the date permitted by maxTTL XXX, so maximum possible not_after ZZZ is being used.This warning will be issued if TTL is supplied explicitely, e.g.:
It seems that the check in the code is simply not present for the
not_afterbranch inbuiltin/logical/pki/issuing/issue_common.goL990.If this is somehow expected behavior, I think it needs to be documented what function does
max_ttlon the role serve. I would expect it is there to restrict the validity of issued certificates.Environment:
Server version:
Version 1.19.0OS: Suse Leap 15.6 x86