PKI - How to set SANS

darkl0rd · February 7, 2023, 8:52pm

I have created a role like:

vault write pki/roles/2023-servers \
  allowed_domains="mydomain.local" \
  allowed_uri_sans="mydomain.local spiffe://*.mydomain.local" \
  allow_any_name=true \
  allow_ip_sans=true \ 
  allow_subdomains=true \
  allow_localhost=true \
  allow_bare_domains=true \
  allow_glob_domains=true \
  allowed_dns_sans="mydomain.local"

and am trying to issue a certificate like such:

vault write pki_int/issue/mydomain-dot-local \
  common_name="*.mydomain.local" \
  alt_names="mydomain.local"

which gives me the following error:

subject alternate name mydomain.local not allowed by this role

What am I doing wrong?

maxb · February 7, 2023, 9:53pm

You are mixing two different role names 2023-servers and mydomain-dot-local at different points in your example.

Comma separated, not space separated, input is expected here.

If you set allow_any_name, it’s kind of pointless setting many of the other more specific options.

darkl0rd · February 8, 2023, 6:24am

Thanks! that was it. Been following the guide, but re-using the part to set up the root. Retrospectively, so obvious

I specified all the options for debugging, since I couldn’t get it to work.

Thanks for pointing this out!

Topic		Replies	Views
Can't restrict subjectAltNames (SANs) emails in the PKI backend Vault	1	1395	December 6, 2019
PKI: In a role, how can I set/add certain cert fields as part of the issuance? Vault vault	0	301	August 4, 2022
Vault PKI role to limit CN/SANs to requesting user's identity Vault	2	1521	September 8, 2022
PKI Domain names / hostname and GLOB Vault vault	0	121	January 5, 2024
Basic vault PKI use case not working Vault vault	5	778	February 18, 2023

PKI - How to set SANS

Related topics