We’re trying to use Vault 1.10’s PKI secret backend as the CA for a CockroachDB cluster (initially.) We’re able to get the CA set up with an offline root, and get certificates distributed to the Cockroach nodes, but they then refuse to connect with each other because “certificate specifies an incompatible key usage”
This was confusing, because we’d specified exactly the same set of usages as the original set of certs (that were being signed via the Kubernetes CSR process, which won’t work for us under K8s 1.22).
What we found was: https://cs.opensource.google/go/go/+/master:src/crypto/x509/verify.go;l=1118-1170;drc=8c8429fe4113b399355c11203e60e6b37bc823ba which is being used by CockroachDB (and most grpc in Go) - that Go verifies that the whole chain either has no extended usages, or provides for the requested usage.
What we further found is that the CSR generated by Vault is adding
X509v3 Extended Key Usage:
OCSP Signing
which is generally legitimate, can’t be verified by Go in this case.
I found this old issue on the Vault repo Extended Key Usage: incompatible key usage · Issue #846 · hashicorp/vault · GitHub that seems to touch on our problem. However, the change that seems to have fixed it there is no longer part of the codebase.
Is there a way to change the CSR generated by Vault, or else modify the intermediate CSR before we sign it?