Update CA Chain to report entire chain #15155
Conversation
This merges the ca_chain JSON field (of the /certs/ca_chain path) with the regular certificate field, returning the root of trust always. This also affects the non-JSON (raw) endpoints as well. We return the default issuer's chain here, rather than all known issuers (as that may not form a strict chain). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Note: we will need to address the comment within the Vault documentation about this not returning the full chain and to use pki/cert/ca_chain
Yeah, that's a good point. There's a lot of docs that will need to be updated. :-) Edit: Thanks Steve, merging!
Hello, I'm using vault 1.11.0 and this is still not working: when I issue a certificate from an intermediate CA, the field ca_chain in the json response contains only the intermediate CA, not the root CA
My bad, you need to upload the full chain (intermediate CA + root CA) when you upload the signed intermediate CA with set-signed (#2075 (comment))
@epieddy As a note, you can generically import chain certificates now in Vault 1.11.0; see: https://www.vaultproject.io/api-docs/secret/pki#import-ca-certificates-and-keys
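The thread above turns on one question: does the ca_chain Vault hands back actually reach a self-signed root, or does it stop at the intermediate because only the intermediate was imported with set-signed? The following Go program is an added example, not code from the Vault project or from anyone in this thread. It builds a throwaway root and intermediate CA in memory (constructed test data), then checks a PEM bundle the way a consumer of /certs/ca_chain or the issue response would: every certificate must be signed by the next one, and the last one must be self-signed. It assumes the bundle is ordered from the issuing CA upward to the root; the function and type names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ParseChain decodes every CERTIFICATE block in a PEM bundle, in order.
func ParseChain(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no certificates in bundle")
	}
	return certs, nil
}

// ChainReachesRoot reports whether the bundle is a strict chain that ends at a
// root of trust: certs[i] is signed by certs[i+1], and the last cert is
// self-signed. A bundle that is internally consistent but stops at an
// intermediate (the situation described in the thread) returns (false, nil).
func ChainReachesRoot(bundle []byte) (bool, error) {
	certs, err := ParseChain(bundle)
	if err != nil {
		return false, err
	}
	for i := 0; i < len(certs)-1; i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return false, fmt.Errorf("cert %d is not signed by cert %d: %w", i, i+1, err)
		}
	}
	last := certs[len(certs)-1]
	if err := last.CheckSignatureFrom(last); err != nil {
		return false, nil // chain is well-formed but does not end at a self-signed root
	}
	return true, nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ConstructedChains builds a throwaway root -> intermediate pair (constructed
// sample data, not real CA material) and returns the full bundle plus an
// intermediate-only bundle, i.e. what a caller sees when only the signed
// intermediate was imported without its root.
func ConstructedChains() (full, intermediateOnly []byte) {
	rootKey, intKey := newKey(), newKey()
	now := time.Now()
	caTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTemplate(1, "Example Root CA (constructed)")
	root, rootPEM := makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	_, intPEM := makeCert(caTemplate(2, "Example Intermediate CA (constructed)"), root, &intKey.PublicKey, rootKey)
	full = append(append([]byte{}, intPEM...), rootPEM...)
	return full, intPEM
}

func main() {
	full, intOnly := ConstructedChains()
	ok, err := ChainReachesRoot(full)
	fmt.Println("full chain reaches root:", ok, err)
	ok, err = ChainReachesRoot(intOnly)
	fmt.Println("intermediate-only chain reaches root:", ok, err)
}
```

Running the check against the intermediate-only bundle returns false without an error, which is the signal that the issuer's chain was imported incomplete and the root still needs to be imported (or, on pre-1.11 deployments, that the client must fetch it separately). A signature mismatch between adjacent certificates returns an error instead, which distinguishes a short chain from a bundle that was never a chain at all.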
Since vault version 1.11.0 the full CA chain is returned for signed certs: hashicorp/vault#15155 (while the PR is closed the behaviour was still merged, see note hashicorp/vault#15155 (comment)). Signed-off-by: LukasAuerbeck <17929465+LukasAuerbeck@users.noreply.github.com>
Since vault version 1.11.0 the full CA chain is returned for signed certs: #139 (while the PR is closed the behaviour was still merged, see note hashicorp/vault#15155 (comment)). Signed-off-by: LukasAuerbeck <17929465+LukasAuerbeck@users.noreply.github.com>