I need help with PKI templating

Hello

I am trying to set up Vault as a CA. I am trying to configure it such that a user can request certificates, but can only get certificates for their own name. As I understand it, the PKI engine supports templating for Allowed Domains. I have tried using {{identity.entity.metadata.username}} as the template, but so far it seems that despite the "Allow templates in allowed domains" flag being set, Vault does not evaluate the template. (I have also set the template flag and template for the allowed SAN.)
If I try to generate a certificate for a user, I get an error. When I try the literal string '{{identity.entity.metadata.username}}' it happily signs it.

Am I doing something wrong or should I report this as a bug?



Try this: remove the entry {{identity.entity.metadata.username}}, allow any domain, and try to generate a cert.

Screenshots of the UI are generally bad for troubleshooting, as they make it much harder for another person to independently reproduce the problem.

A script that can be run at the CLI is a lot better for allowing two people to confirm exactly the same steps were followed.

I tried out what you are reporting, and once I manually configured username metadata on my entity, it seemed to work fine:

# Start from a clean mount so the steps are reproducible.
vault secrets disable testpki

vault secrets enable -path=testpki pki

# Generate a self-signed root CA inside Vault ("internal": the private key never leaves Vault).
vault write "testpki/root/generate/internal" \
  common_name="Test CA" \
  ttl=365d

# Role whose allowed_domains is a template, resolved at issue time against the
# requesting token's entity metadata "username". allow_bare_domains lets the
# common name be exactly that value rather than a subdomain of it.
vault write "testpki/roles/example" \
  ttl=24h \
  allowed_domains='{{identity.entity.metadata.username}}' \
  allowed_domains_template=true \
  allow_bare_domains=true

# Issue a certificate. The calling token's entity has metadata username=maxb,
# so common_name=maxb is permitted; any other name is rejected.
vault write -format=json "testpki/issue/example" \
  common_name=maxb \
  > generated_example.cert.json

# Inspect the issued certificate (issuer, subject, serial, validity, SANs).
jq -r .data.certificate generated_example.cert.json | openssl x509 -noout \
  -nameopt oneline,dn_rev \
  -issuer \
  -subject \
  -serial \
  -dates \
  -ext subjectAltName

The certificate was issued as expected. Moreover, a certificate for the literal string {{identity.entity.metadata.username}} was rejected, as it should be, when allowed_domains_template is turned on.