Update CA Chain to report entire chain #15155

Closed
wants to merge 1 commit into from

Conversation

cipherboy
Contributor

This merges the ca_chain JSON field (of the /certs/ca_chain path) with
the regular certificate field, returning the root of trust always. This
also affects the non-JSON (raw) endpoints as well.

We return the default issuer's chain here, rather than all known issuers
(as that may not form a strict chain).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

@stevendpclark
Contributor

Note: we will need to address the comment within the Vault documentation about this not returning the full chain and to use pki/cert/ca_chain ca_chain field https://www.vaultproject.io/api-docs/secret/pki#read-ca-certificate-chain

@cipherboy
Contributor Author

cipherboy commented Apr 26, 2022

Yeah, that's a good point. There's a lot of docs that will need to be updated. :-)

Edit: Thanks Steve, merging!

@cipherboy
Contributor Author

This PR was merged in #15277. See that PR and the relevant docs PR #15238 for more information about this change.

@epieddy

epieddy commented Jul 15, 2022

Hello, I'm using vault 1.11.0 and this is still not working: when I issue a certificate from an intermediate CA, the field ca_chain in the json response contains only the intermediate CA, not the root CA

My bad, you need to upload the full chain (intermediate CA + root CA) when you upload the signed intermediate CA with set-signed (#2075 (comment))

@cipherboy
Contributor Author

@epieddy As a note, you can generically import chain certificates now in Vault 1.11.0; see: https://www.vaultproject.io/api-docs/secret/pki#import-ca-certificates-and-keys
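The thread turns on one question: does the `ca_chain` array a PKI mount returns actually end at a self-signed root, or does it stop at the intermediate because only the intermediate was uploaded with set-signed? The following Go program is an added example, not code from this PR or from Vault, that checks exactly that. It assumes each element of `ca_chain` is a single PEM certificate ordered leaf-side first (the layout the thread describes), and it builds its own constructed root and intermediate with `NewToyCA` so it runs offline; `ChainReachesRoot` and `NewToyCA` are names chosen here, not Vault API names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ChainReachesRoot reports whether the ordered ca_chain elements link each
// certificate to the next by signature and end in a self-signed root. A chain
// that stops at an intermediate (the symptom described in the thread) is
// rejected with an error naming the last certificate seen.
func ChainReachesRoot(pems []string) (bool, error) {
	certs := make([]*x509.Certificate, 0, len(pems))
	for i, p := range pems {
		block, _ := pem.Decode([]byte(p)) // one certificate per array element
		if block == nil || block.Type != "CERTIFICATE" {
			return false, fmt.Errorf("ca_chain[%d] is not a PEM certificate", i)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return false, fmt.Errorf("ca_chain[%d]: %w", i, err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return false, fmt.Errorf("ca_chain is empty")
	}
	// Every element must be signed by the element that follows it.
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return false, fmt.Errorf("%q is not signed by next element %q: %w",
				certs[i].Subject.CommonName, certs[i+1].Subject.CommonName, err)
		}
	}
	// The final element must verify under its own key, i.e. be the root of trust.
	last := certs[len(certs)-1]
	if err := last.CheckSignatureFrom(last); err != nil {
		return false, fmt.Errorf("chain ends at %q, which is not self-signed: root CA missing",
			last.Subject.CommonName)
	}
	return true, nil
}

// NewToyCA builds a constructed CA certificate for local testing only (not
// Vault output). With parent == nil the certificate is self-signed, i.e. a root.
func NewToyCA(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (string, *x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return "", nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, nil, err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), cert, key, nil
}

func main() {
	rootPEM, rootCert, rootKey, err := NewToyCA("Toy Root CA", 1, nil, nil)
	if err != nil {
		panic(err)
	}
	intPEM, _, _, err := NewToyCA("Toy Intermediate CA", 2, rootCert, rootKey)
	if err != nil {
		panic(err)
	}
	// Constructed ca_chain arrays: the truncated shape reported above, then the full chain.
	for _, chain := range [][]string{{intPEM}, {intPEM, rootPEM}} {
		ok, err := ChainReachesRoot(chain)
		fmt.Printf("%d element(s) in ca_chain, reaches root: %v (err: %v)\n", len(chain), ok, err)
	}
}
```

Run against a real mount by feeding the strings from the `ca_chain` field of an issue response (or the PEM bundle from `pki/cert/ca_chain`, split on certificate boundaries) into `ChainReachesRoot`; a `false` result with "root CA missing" is the signal that only the intermediate was uploaded and the full chain still needs importing.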

LukasAuerbeck added a commit to youniqx/heist that referenced this pull request May 8, 2023
Since vault version 1.11.0 the full CA chain is returned for signed
certs: hashicorp/vault#15155 (while the PR is
closed the behaviour was still merged, see note hashicorp/vault#15155 (comment)).

Signed-off-by: LukasAuerbeck <17929465+LukasAuerbeck@users.noreply.github.com>
LukasAuerbeck added a commit to youniqx/heist that referenced this pull request May 8, 2023
Since vault version 1.11.0 the full CA chain is returned for signed
certs: #139 (while the PR is
closed the behaviour was still merged, see note
hashicorp/vault#15155 (comment)).

Signed-off-by: LukasAuerbeck <17929465+LukasAuerbeck@users.noreply.github.com>