We are using the PKI engine in Vault, and would be interested in having our roles forcibly add or set certain parameters (in particular common_name and SANs in this case).
Ideally, we would have the requesting app simply ask to issue a certain role and have Vault issue a Cert with certain pre-defined values. To the best of my ability, I’ve been unable to figure out how to make that work. The pki’s role configuration doesn’t seem to have a setting like “override/set common name to X” or “add SANS x, y, and z to the cert”.
Right now the requestor seems to have to know what policies they must request to get a valid cert to issue, and it’s not exhaustive. (The request be missing certain important SANs and not realize it).
A developer requests for a cert from a role without any parameters.
The PKI role sets the common_name as the identity’s email address.
The PKI role sets SANs for the identity.id and some additional special app-specific values (think SPIFFE) entries.
Developer receives a fully-specified cert with out having to know or replicate all the special values the role specifies.