PKI - How to set SANS

I have created a role like:

vault write pki/roles/2023-servers \
  allowed_domains="mydomain.local" \
  allowed_uri_sans="mydomain.local spiffe://*.mydomain.local" \
  allow_any_name=true \
  allow_ip_sans=true \ 
  allow_subdomains=true \
  allow_localhost=true \
  allow_bare_domains=true \
  allow_glob_domains=true \

and am trying to issue a certificate like such:

vault write pki_int/issue/mydomain-dot-local \
  common_name="*.mydomain.local" \

which gives me the following error:

subject alternate name mydomain.local not allowed by this role

What am I doing wrong?

You are mixing two different role names 2023-servers and mydomain-dot-local at different points in your example.

Comma separated, not space separated, input is expected here.

If you set allow_any_name, it’s kind of pointless setting many of the other more specific options.

Thanks! that was it. Been following the guide, but re-using the part to set up the root. Retrospectively, so obvious :smiley:

I specified all the options for debugging, since I couldn’t get it to work.

Thanks for pointing this out!