PKI - Issue with role and glob patterns

Hello everybody,

We are evaluating VAULT to store secrets in our company.
Our first use case for VAULT is to replace our current PKI with VAULT PKI engine.

We have spend hours to create a role which generate certificate for our webservers but it still doesn’t work as we expect

  1. Allow to generate certificate on allowed domains only (i.e. website.<allowed_domains>)
  2. Deny to generate certificate on subdomains (i.e. website.subdomain.<allowed_domains>)
  3. Deny to generate wildcard certificates on allowed domains (i.e. *.<allowed_domains>)

To meet our requirement, we set the role as follows

  • “Allow wildcard certificates” is set to FALSE
  • “Allow domains template” is set to FALSE
  • “Allow any name” is set to FALSE
  • “Enforce hostnames” is set to FALSE
  • “Allow IP Subject Alternative Names” is set to FALSE
  • “Require Common Name” is set to TRUE
  • “Use CSR Common Name” is set to TRUE
  • “Use CSR Subject Alternative Name” is set to TRUE
  • “Allow localhost” is set to FALSE
  • “Allow bare domains” is set to FALSE
  • “Allow subdomains” is set to FALSE
  • “Allowed_domains” is set to (‘’, ‘domain.local’)
    However we always get the message ‘common name is not allowed by this role’.
    We played with all options and we were able to generate certificate only by enabling either “Allow any name” or “Allow subdomains” options which doesn’t comply to our aforementionned requirements.

Using Digital Ocean tool, we even tried to set glob patterns: +(!(.))
Unfortunately, when we set the glob pattern in VAULT, it also fails to generate certificate (ie

I read in this forum that VAULT use a basic tool to evaluate CN against glob pattern and it may explains why it fails.

Can anyone help us to set role which meets our requirement?

1 Like

+1, we have the same, just slightly different, use-case and issue