How can I solve the following problem?

URL: PUT http://localhost:8200/v1/gateways_pki/issue/
Code: 400. Errors:

  • cannot satisfy request, as TTL would result in notAfter 2032-01-05T05:34:55.00356922Z that is beyond the expiration of the CA certificate at 2032-01-05T05:04:03Z

Looks like the cert to be issued has a default TTL that would exceed the expiration time of the Certificate Authority's certificate. You’d need to specify a shorter TTL that expires before the CA cert’s expiration date/time.

Certificates issued by Vault should be fairly short lived, ideally 90 days or less (unless you’re setting up an intermediate CA, I suppose), to avoid having to deal with large revocation lists.

1 Like

I want the certificates that are produced to be 10 years old. I use the following: I run the script.

vault secrets enable -path=gateways_pki pki

vault secrets tune -max-lease-ttl=87600h gateways_pki

vault write gateways_pki/root/generate/internal ttl=87600h >  /dev/null 2>&1

vault write gateways_pki/config/urls issuing_certificates="" crl_distribution_points=""

vault write gateways_pki/roles/ allow_subdomains=true ttl=87599h

Sometimes it answers, but sometimes it gives the above error.
What do you suggest to have a 10-year certificate?

Is it possible that the time on the Vault instance (or your client) is not set up correctly? If for some reason it’s reverting to 1980 or something, that would break things.

Why are you throwing away your key file?

1 Like

Because I do not want to fall into the log terminal
What’s not good that goes back to 1980?

@mrbardia72 - Aram is asking whether you have verified that your Vault server’s clock and your client’s clock are in sync. If they aren’t, that could be causing you some trouble.

You may need to either increase the generate/internal cert’s TTL or reduce the role’s TTL more. Once the generate/internal command is issued the TTL of 87600 starts counting down. Your issued certificates’ TTLs cannot exceed the expiration timestamp of your internal CA’s certificate. Every time you issue a new certificate you’ll need to use a shorter and shorter TTL.

For instance, if your CA cert expires at 2022-12-31T23:59:59 and you request a certificate to be signed that, given a default TTL, would result in an expiration time of 2023-01-01T00:00:00 or later, then you would get an error like the one you’ve been receiving.

However, I still recommend using much shorter lived certificates to keep your CRL as small as possible. Tools such as VaultBot can help automate certificate renewal if that’s a concern for you.

1 Like
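
Added example, not part of the thread and not Vault's own code: a small POSIX shell helper that works out how much TTL still fits inside the CA certificate's lifetime, as the reply above describes. The CA expiry is taken from the error message; the issue time is an assumption derived from it (the reported notAfter minus the role's 87599h), and ROLE and the common name in the commented usage are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Needs GNU date (date -d).

# to_epoch TIMESTAMP: print seconds since the epoch (UTC).
to_epoch() { date -u -d "$1" +%s; }

# max_issue_ttl CA_NOT_AFTER NOW [MARGIN]
# Largest TTL in seconds such that NOW + TTL is still before the CA's
# notAfter, less MARGIN seconds of slack (default 300) for clock skew
# between client and Vault server. Prints 0 when nothing is left.
max_issue_ttl() {
  _end=$(to_epoch "$1") || return 1
  _now=$(to_epoch "$2") || return 1
  _left=$(( _end - _now - ${3:-300} ))
  [ "$_left" -gt 0 ] || _left=0
  echo "$_left"
}

# clamp_ttl REQUESTED CA_NOT_AFTER NOW [MARGIN]
# Print REQUESTED (seconds) if it fits, otherwise the maximum that fits.
clamp_ttl() {
  _max=$(max_issue_ttl "$2" "$3" "${4:-300}") || return 1
  if [ "$1" -gt "$_max" ]; then echo "$_max"; else echo "$1"; fi
}

# Constructed sample: CA expiry from the error message; issue time derived
# from it (assumption: the role TTL of 87599h was the one applied).
CA_NOT_AFTER="2032-01-05T05:04:03Z"
ISSUED_AT="2022-01-07T06:34:55Z"
ROLE_TTL=$(( 87599 * 3600 ))

echo "role ttl:         ${ROLE_TTL}s"
echo "CA lifetime left: $(max_issue_ttl "$CA_NOT_AFTER" "$ISSUED_AT" 0)s"
echo "ttl to request:   $(clamp_ttl "$ROLE_TTL" "$CA_NOT_AFTER" "$ISSUED_AT")s"

# Against a live mount (assumed usage; ROLE and the name are placeholders):
#   end=$(vault read -field=certificate gateways_pki/cert/ca \
#         | openssl x509 -noout -enddate | cut -d= -f2)
#   vault write gateways_pki/issue/ROLE common_name=host.example.com \
#     ttl="$(clamp_ttl "$ROLE_TTL" "$end" "$(date -u +%FT%TZ)")s"
```

With these numbers the role TTL overshoots the CA's remaining lifetime by 1852 seconds, which is the 30 minutes 52 seconds between the two timestamps in the error. A role TTL only one hour shorter than the CA's TTL fits only during the first hour after the CA is generated.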

One question, how can I produce a 10-year certificate?
Because the Vault documentation said 32 days.
I want it to be 10 years or 5 years.
What command do you suggest I use?
Is this possible?

Certificates that long aren’t recommended and aren’t a good fit for Vault.

You can get certificates which have longer expiries than 32 days by changing the TTL settings for the mount and ensuring any intermediate/root certs also have longer expiries.

However Vault is designed to handle systems which generate short lived credentials & certificates (on the order of hours and days rather than months and years). If you do have long lived certificates you can have issues with the size of the CRL. Disabling that removes a key protection (as you’d no longer be able to revoke a compromised certificate).

What are you trying to do that might need such a long certificate?

1 Like