Add warning on keyless default issuer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
hashicorp · Apr 26, 2022 · 79d5bf9 · 79d5bf9
1 parent a12457f
commit 79d5bf9
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/builtin/logical/pki/path_config_ca.go b/builtin/logical/pki/path_config_ca.go
@@ -83,16 +83,27 @@ func (b *backend) pathCAIssuersWrite(ctx context.Context, req *logical.Request,
 		return logical.ErrorResponse("Error resolving issuer reference: " + err.Error()), nil
 	}
 
+	var response = &logical.Response{
+		Data: map[string]interface{}{
+			"default": parsedIssuer,
+		},
+	}
+
+	entry, err := fetchIssuerById(ctx, req.Storage, parsedIssuer)
+	if err != nil {
+		return logical.ErrorResponse("Unable to fetch issuer: " + err.Error()), nil
+	}
+
+	if len(entry.KeyID) == 0 {
+		response.AddWarning("This issuer has no key associated with it. Some operations like issuing certificates and signing CRLs will be unavailable with the requested default issuer.")
+	}
+
 	err = updateDefaultIssuerId(ctx, req.Storage, parsedIssuer)
 	if err != nil {
 		return logical.ErrorResponse("Error updating issuer configuration: " + err.Error()), nil
 	}
 
-	return &logical.Response{
-		Data: map[string]interface{}{
-			"default": parsedIssuer,
-		},
-	}, nil
+	return response, nil
 }
 
 const pathConfigIssuersHelpSyn = `Read and set the default issuer certificate for signing.`