How to upload CA bundle for vault-generated intermediate?

Here is my situation:

  • I generated a root CA managed externally from Vault with a PIV device
  • I generate an intermediate CA using the Vault API and obtain a CSR for the intermediate
  • I sign the intermediate with the root via the PIV (validate everything using openssl)

Now here is the issue… I can hit the set-signed endpoint in my pki with `certificate=@my_signed_intermediate.pem` and that works, but now there is no full CA chain I can fetch from Vault that includes my external root CA.

I found this issue and specifically this comment that says:

"Yes – if you want the full CA chain output, you should upload the root cert along with the signed intermediate CA cert when you use set-signed."

This implies uploading a completely generated external CA chain, where the intermediate is NOT generated from Vault.

When I try to perform the signing ceremony and do set-signed with the argument `certificate=@full_ca_chain` I am met with this error:

```
Error writing data to pki/intermediate/set-signed: Error making API request.

URL: PUT https://vault.service.consul:8200/v1/pki/intermediate/set-signed
Code: 400. Errors:

* verification of parsed bundle failed: certificate 1 of certificate chain ca trust path is incorrect ("Vault Intermediate CA"/"Ext ROOT CA")
```

My question: is there a way to tell vault what the full CA chain is for the internally generated CA?

OK, so looking at my particular version of Vault (1.2.2), where I'm seeing this issue, I found this:

and the error amounts to this check failing:

```go
// Excerpt of the Vault check; certPath[i] is the cert being verified and caCert its issuer.
if !bytes.Equal(certPath[i].Certificate.AuthorityKeyId, caCert.Certificate.SubjectKeyId) {
	return fmt.Errorf("certificate %d of certificate chain ca trust path is incorrect (%q/%q)",
		i+1, certPath[i].Certificate.Subject.CommonName, caCert.Certificate.Subject.CommonName)
}
```

From what I can tell this is related to x.509 v3 extensions (because isn’t it always…) and poking around the int3rw3bz I stumbled on this page describing an issue with openssl.cnf defaults.

I’ll recreate my root and intermediate with these config suggestions and report back, hopefully with success, so anyone else having experienced a similar issue might learn from my experience, or at least they can be comforted they are not the only ones with this issue.

TL;DR: your signed intermediate MUST include the X509v3 Authority Key Identifier extension (see RFC 5280 sec. 4.2.1.1).

Well, that was my issue. Adding the following under the openssl config section for my v3 extensions for BOTH signing the root CA and the Vault-generated intermediate CA addressed my issue:

```ini
authorityKeyIdentifier = keyid
```

Again, the issue is outlined in part by https://www.v13.gr/blog/?p=293, but in my case it wasn't how the extension was created; it was that the openssl config I used to sign the intermediate (and root) omitted that extension entirely.

So basically I was signing the intermediate from Vault's CSR without an X509v3 Authority Key Identifier extension, which Vault flagged correctly as being unverifiable.
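As an added illustration (not part of this thread and not Vault's own code), the AKI/SKI comparison quoted above reproduced in Go over two constructed [intermediate, root] chains: one whose intermediate carries an Authority Key Identifier and one that omits it, the same shape an openssl config without `authorityKeyIdentifier = keyid` produces. The function names (`CheckTrustPath`, `issueCA`, `BuildChains`) and the in-memory ECDSA test CAs are assumptions of this example.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// CheckTrustPath mirrors the set-signed check quoted in the thread: each cert's
// AKI must equal the SKI of the next (issuing) cert; intermediate first, root last.
func CheckTrustPath(chain []*x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		cert, ca := chain[i], chain[i+1]
		if !bytes.Equal(cert.AuthorityKeyId, ca.SubjectKeyId) {
			return fmt.Errorf("certificate %d of certificate chain ca trust path is incorrect (%q/%q)", i+1, cert.Subject.CommonName, ca.Subject.CommonName)
		}
	}
	return nil
}
// issueCA issues a CA cert for cn: self-signed when parent is nil, else signed by parentKey.
func issueCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key // self-signed root; Go derives its SKI from the public key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err) // example helper: fail loudly rather than return an error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildChains returns two constructed [intermediate, root] chains. The second intermediate
// is issued from a copy of the root with its SKI cleared, so CreateCertificate omits the AKI
// extension entirely, reproducing the failure from the thread.
func BuildChains() (withAKI, withoutAKI []*x509.Certificate) {
	root, rootKey := issueCA("Ext ROOT CA", nil, nil)
	inter, _ := issueCA("Vault Intermediate CA", root, rootKey)
	rootNoSKI := *root
	rootNoSKI.SubjectKeyId = nil
	interNoAKI, _ := issueCA("Vault Intermediate CA", &rootNoSKI, rootKey)
	return []*x509.Certificate{inter, root}, []*x509.Certificate{interNoAKI, root}
}
```

Running `CheckTrustPath` over the second chain yields exactly the message from the thread (`certificate 1 of certificate chain ca trust path is incorrect ("Vault Intermediate CA"/"Ext ROOT CA")`), while the first chain passes.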