Need help with Vault Policy for dynamic paths

We have a dynamically generated PKI path with a date.
Format: pki-{dd/mm/yy}

I want to issue a certificate for the role 'test' against the dynamically generated, date-based PKI path.

I want to have a policy like:

path "pki-*/issue/test" {
  capabilities = ["update"]
}

I am not able to achieve this, is there a way to define policy for the above requirement without providing access to all paths?

No, it is not possible.

However, if you changed your PKI mounts to instead be at pki/ddmmyy instead, you could use

path "pki/+/issue/test" {
  capabilities = ["update"]
}

using the + wildcard for any one whole path segment.

There is no way to map that to a policy. You can convert it to path based and use + as a wildcard for one path element.
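To make the two answers concrete, here is a small model of how Vault ACL paths are matched: `+` covers exactly one segment, while `*` is a glob only as the final character and is otherwise a literal. This is an added, constructed example written for this thread, not Vault's own code; the mount names and policy stanzas are the ones discussed above.

```python
"""Model of the Vault ACL path matching behind the answers above.

Constructed example, not Vault's own code. Rules modelled:
  - '+' matches exactly one path segment, e.g. pki/+/issue/test
  - '*' is a glob only when it is the LAST character of the path
    (prefix match); anywhere else it is a literal character, so
    'pki-*/issue/test' never matches a real mount path.
"""


def _segment_ok(pattern_seg: str, request_seg: str, prefix: bool = False) -> bool:
    """One segment: '+' matches anything; a glob's last segment is a prefix."""
    if pattern_seg == "+":
        return True
    return request_seg.startswith(pattern_seg) if prefix else pattern_seg == request_seg


def matches(rule_path: str, request_path: str) -> bool:
    """True when a request path falls under a policy path stanza."""
    glob = rule_path.endswith("*")
    pseg = (rule_path[:-1] if glob else rule_path).split("/")
    rseg = request_path.split("/")
    if glob:
        # Prefix match: pattern segments must line up with the start of the
        # request; everything after the '*' is covered too (over-broad).
        if len(rseg) < len(pseg):
            return False
        head = all(_segment_ok(p, r) for p, r in zip(pseg[:-1], rseg))
        return head and _segment_ok(pseg[-1], rseg[len(pseg) - 1], prefix=True)
    # Exact match with '+' honoured: segment counts must be equal.
    return len(pseg) == len(rseg) and all(_segment_ok(p, r) for p, r in zip(pseg, rseg))


def allowed(policy: dict, request_path: str, capability: str) -> bool:
    """policy maps a path stanza to its capabilities, like the HCL above."""
    return any(capability in caps and matches(rule, request_path)
               for rule, caps in policy.items())


# Constructed policies: the asker's stanza, the over-broad alternative they
# wanted to avoid, and the answer's layout with a slash-free date segment.
ASKED = {"pki-*/issue/test": {"update"}}
BROAD = {"pki-*": {"update"}}               # every path under every pki- mount
SCOPED = {"pki/+/issue/test": {"update"}}   # one mount, one role

if __name__ == "__main__":
    print(allowed(ASKED, "pki-01/01/24/issue/test", "update"))   # False
    print(allowed(BROAD, "pki-01/01/24/issue/test", "update"))   # True, but far too wide
    print(allowed(SCOPED, "pki/010124/issue/test", "update"))    # True
    print(allowed(SCOPED, "pki/01/01/24/issue/test", "update"))  # False: date has slashes
```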

Not a big deal, but let's just mention it for anyone who has resource constraints. Remounting an engine over and over again is not a good idea and against best practice. It is also possible that it'll make a complete mess of your policies. Mount the engine once and use paths under it. There are use cases for mounting the engine multiple times, for example, if you need different parameters for different purposes, but 99% of the time just use one mount.