CA produces RSA when I try to create an ECC key

Hello and happy new year to all of you!

I’m struggling with using Vault as a CA. I’m following this guide:

I first followed it by using the webui, my problem then was that the certificate was only valid for 24 hours and when I tried to change the TTL it complained about the expiration date for what I guess was the Intermediate CA.

I’m now trying to follow the CLI guide.
There are a few settings that I’d like to use:

  • 2-year lease
  • key_type=ec
  • key_bits=256

I’ve read up on the API options, and RootCA and IntermediateCA seem to be configured correctly when I check in the webui.

What happens though is when I run

vault write pki_int/issue/my-role-name common_name="" alt_names=",," ttl="17520h"

it generates a 2048-bit RSA certificate. What am I doing wrong?

This is how I’ve configured it:

Mount & Configure RootCA

vault secrets enable -path=pki_ca pki
# The tune command needs the mount path as its argument (pki_ca, the mount enabled above)
vault secrets tune \
-description="RootCA for my.domain" \
-default-lease-ttl=87600h \
-max-lease-ttl=87600h \
pki_ca
vault write -field=certificate pki_ca/root/generate/internal \
common_name="my.domain" \
key_type="ec" \
key_bits=256 \
ou="my.domain" \
organization="my.domain" \
country="SE" \
province="Stockholm"

Configure the CA and CRL URLs

vault write pki_ca/config/urls \
issuing_certificates=""

Mount & configure intermediate CA Engine

vault secrets enable -path=pki_int pki

Configure intermediate CA

# As for the root mount, tune takes the mount path (pki_int) as its argument
vault secrets tune \
-description="Intermediate CA for my.domain" \
-default-lease-ttl=43800h \
-max-lease-ttl=43800h \
pki_int

Generate CSR for intermediateCA

vault write -format=json pki_int/intermediate/generate/internal \
common_name="my.domain Intermediate Authority" \
| jq -r '.data.csr' > pki_intermediate.csr

Sign the CSR

vault write -format=json pki_ca/root/sign-intermediate csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

Create role

vault write pki_int/roles/my-role-name \
allowed_domains="my.domain" \
allow_subdomains=true \
-ttl=17520h \
-max_ttl=17520h \
-key_type="ec" \
-key_bits=256 \
-ou="my.domain" \
-organization="my.domain" \
-country="SE" \
-province="Stockholm"

Generate new cert

vault write pki_int/issue/my-role-name common_name="" alt_names=",," ttl="17520h"

This is what openssl says about the new certificate:

Not Before: Jan 2 00:03:58 2022 GMT
Not After : Jan 2 00:04:27 2024 GMT
Subject: CN =
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)

Hi, in your copy/paste that creates the role you’ve got -key_type="ec"; is that verbatim? There shouldn’t be a dash prefix on these attributes, since configuration made with vault write consists of key=value pairs of data, as opposed to the -options that are parsed by the Vault CLI.
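The thread checks the issued key type with openssl; the following is an added, stand-alone check (not from the thread or from Vault) that walks a PEM/DER certificate or bare SubjectPublicKeyInfo down to the AlgorithmIdentifier and reports the algorithm and named curve, so a post-issue test can assert on "id-ecPublicKey"/"prime256v1" rather than "rsaEncryption". The two SPKI blobs at the bottom are constructed for offline runs, with zero-filled placeholder key material rather than real keys.

```python
import base64
# OIDs behind Vault's key_type/key_bits choices (what openssl prints as "Public Key Algorithm")
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption",
        "1.2.840.10045.2.1": "id-ecPublicKey",
        "1.2.840.10045.3.1.7": "prime256v1",   # key_type=ec key_bits=256
        "1.3.132.0.34": "secp384r1"}           # key_type=ec key_bits=384

def tlv(buf, pos=0):
    """Read one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(payload):
    """The (tag, value) elements inside a SEQUENCE payload."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = tlv(payload, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                            # base-128 arcs, high bit = more bytes follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def spki_algorithm(spki_payload):
    """(algorithm, named curve or None) from a SubjectPublicKeyInfo payload."""
    parts = children(children(spki_payload)[0][1])     # AlgorithmIdentifier
    name = lambda raw: OIDS.get(decode_oid(raw), decode_oid(raw))
    curve = name(parts[1][1]) if len(parts) > 1 and parts[1][0] == 0x06 else None
    return name(parts[0][1]), curve

def key_type(data):
    """PEM or DER input: a whole X.509 certificate or a bare SubjectPublicKeyInfo."""
    if b"-----BEGIN" in data:                    # strip PEM armour, keep the base64 body
        data = base64.b64decode(b"".join(l for l in data.splitlines() if b"-----" not in l))
    _, payload, _ = tlv(data)
    first_tag, first_val = children(payload)[0]
    if first_tag == 0x30 and children(first_val)[0][0] == 0x06:
        return spki_algorithm(payload)           # bare SPKI: opens with AlgorithmIdentifier
    fields = children(first_val)                 # tbsCertificate of a certificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip optional [0] version
    return spki_algorithm(fields[5][1])          # serial, sigAlg, issuer, validity, subject, SPKI

# Constructed test blobs: genuine ASN.1 headers, zero-filled placeholder key material
EC_P256_SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004") + bytes(64)
RSA_2048_SPKI = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00") + bytes(270)
EC_P256_PEM = b"-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(EC_P256_SPKI) + b"\n-----END PUBLIC KEY-----\n"
```

Feed it the PEM from `vault write pki_int/issue/...` (or `vault read pki_int/cert/<serial>`) and fail the pipeline when the tuple is not the EC one you configured in the role.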

Geez, so simple, thanks @ulmwe! It worked. I suspected it was something simple.
I would have expected an error though if I passed wrong values, but hey, now it works :smiley:

Thanks again!