I’m following the Vault PKI documentation here:
https://developer.hashicorp.com/vault/api-docs/secret/pki#issuing-certificates
In the WebUI I create a role (role-client) and set the:
Additional Subject Fields -> Organization Units (OU)
with shell-style globbing, like this:
Company/Department/Office*
Then I try to issue a certificate with a custom OU, like for instance:
OU=Company/Department/Office01
I thought I’d be able to change the office number when I issue the certificate. The point is that I cannot find any API or endpoint in which to put the custom OU. I tried this:
payload.json (no trailing comma after the last field, otherwise the JSON is invalid)
{
"common_name": "firstname.lastname",
"ou": "Company/Department/Office01"
}
curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request POST \
--data @payload.json \
${VAULT_ADDR}/v1/pki/v1/issue/role-client
but I get a warning:
"warnings":["Endpoint ignored these unrecognized parameters: [ou]"]
Is there any way to define somewhere a custom specified OU when issuing a certificate?
I found that if I put the exact custom OU without globbing in the role, the certificate is issued with that correct OU in the subject. So, AS A PARTIAL SOLUTION, I now have a command PATCHING the role just before issuing the certificate. Something like this (the vault CLI adds the /v1/ prefix itself, so the path is given without it):
vault patch pki/v1/roles/role-client ou=Company/Department/Office01
Then I issue the certificate using the patched role and the custom OU goes into the subject, so that’s ok, but I’d prefer a solution with the shell-style globbing. Any idea if this is possible? Thanks!
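The "patch the role, then issue" workaround from the post as a small script, added here as an example (it is not code from the post or from HashiCorp). It adds the check the post's curl request lacked: Vault's "Endpoint ignored these unrecognized parameters" answer is turned into a hard error instead of a warning that is easy to miss. The mount "pki/v1", role "role-client", common name and OU are taken from the post; the FakeVault transport is a constructed stand-in so the script runs without a Vault server, and the HTTP transport uses the same VAULT_ADDR and VAULT_TOKEN variables as the post's curl.

```python
"""Patch a Vault PKI role's `ou` to an exact value, then issue a certificate,
failing loudly if Vault reports that it ignored a request parameter."""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# Transport signature: (method, API path without the /v1/ prefix, JSON body) -> parsed response
VaultCall = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]


class IgnoredParameters(Exception):
    """Vault accepted the request but ignored a field (e.g. "ou" sent to /issue)."""


def http_vault_call(method: str, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: same VAULT_ADDR / VAULT_TOKEN environment variables as the post's curl."""
    url = os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path.lstrip("/")
    req = urllib.request.Request(url, method=method, data=json.dumps(body).encode())
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    # Vault's HTTP PATCH is a JSON merge-patch and requires this content type.
    req.add_header("Content-Type",
                   "application/merge-patch+json" if method == "PATCH" else "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def check_warnings(resp: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the warning the post saw into an exception instead of a log line."""
    for warning in resp.get("warnings") or []:
        if "unrecognized parameters" in warning:
            raise IgnoredParameters(warning)
    return resp


def issue_with_ou(mount: str, role: str, common_name: str, ou: str,
                  call: VaultCall = http_vault_call) -> Tuple[str, str]:
    """Pin the role's ou to the exact value, then issue. Returns (certificate PEM, serial)."""
    # Step 1: PATCH the role (the HTTP equivalent of `vault patch <mount>/roles/<role> ou=...`).
    check_warnings(call("PATCH", f"{mount}/roles/{role}", {"ou": ou}))
    # Step 2: issue. "ou" is deliberately NOT in this body, because /issue does not accept it.
    resp = check_warnings(call("POST", f"{mount}/issue/{role}", {"common_name": common_name}))
    data = resp["data"]
    return data["certificate"], data["serial_number"]


class FakeVault:
    """Constructed offline stand-in: records calls and answers in the shape of Vault's JSON API."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Dict[str, Any]]] = []
        self.role: Dict[str, Any] = {"ou": ["Company/Department/Office*"]}  # role as in the post

    def __call__(self, method: str, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append((method, path, dict(body)))
        if method == "PATCH" and "/roles/" in path:
            ou = body["ou"]
            self.role["ou"] = [ou] if isinstance(ou, str) else list(ou)
            return {"data": self.role}
        if method == "POST" and "/issue/" in path:
            # Mirrors the warning the post quotes when "ou" is sent to /issue.
            warnings = ["Endpoint ignored these unrecognized parameters: [ou]"] if "ou" in body else None
            # Constructed placeholder certificate, not a real one.
            return {"data": {"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
                             "serial_number": "00:11:22:33"},
                    "warnings": warnings}
        raise RuntimeError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    vault: VaultCall = http_vault_call if os.environ.get("VAULT_ADDR") else FakeVault()
    pem, serial = issue_with_ou("pki/v1", "role-client", "firstname.lastname",
                                "Company/Department/Office01", call=vault)
    print("issued serial", serial)
```

Two caveats for anyone using this workaround: the token needs update/patch capability on the role path, not just on /issue, and the role is shared state, so two clients patching and issuing at the same time can end up with each other's OU unless issuance is serialised or each client gets its own role.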