Hello there,
I am getting into Vault and having to work with the PKI secrets engine. Working with a bash script I have found ways around this issue, but now that I am trying to test handling CA rotation inside of Terraform, this issue is causing me some issues, and I want to try and understand why what I would consider to be a fairly simple feature is not actually available in the API, and by extension, the Terraform provider for Vault.
I am working through examples with a three-tier CA using openssl to mimic an external offline root CA, a root namespace hosting a PKI mount to act as an intermediate, and then I will have child issuing intermediate CAs in namespaces.
When using /pki/intermediate/set-signed, an issuer is created for the intermediate and also one for the root that is in my PEM bundle. These are exposed via imported_issuers in the response, and also mapping, which I can use in bash as the key without a blank value is (seems to be anyway) the new intermediate, but this is not exposed in Terraform. My issue here is trying to understand if there’s a good reason why this new issuer ref isn’t returned as a standalone value which you can then use in further calls such as setting an issuer name, passing it into defaults of roles, etc.?
And if there’s a good reason for that, then is there also a good reason why the UI will happily display the original CN used for the pki/intermediate/generate, but I cannot seem to expose this when I return all the issuers to try and figure out the new one that has been added?
I’d really appreciate some insight into this in case I am missing something really obvious (both in bash or in Terraform) that will allow me to continue and figure out a good rotation practice for the 2nd and 3rd tier intermediates, and if there is no actual good reason then put in a request for this feature to be added.
Thanks for reading and I look forward to your replies.
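The selection logic described in the post (pick the issuer in mapping whose key_id is not blank), as an added example that is not part of the original post or of Vault's own tooling. The set-signed response below is constructed with made-up IDs; the optional expected_key_id argument assumes you kept the key_id returned by the earlier pki/intermediate/generate/internal call.

```python
import json

# Constructed sample of a POST /pki/intermediate/set-signed response (IDs are made up).
# mapping is issuer_id -> key_id: the offline root in the bundle has no key in the
# mount, so it maps to ""; only the intermediate generated in this mount has a key.
SAMPLE_SET_SIGNED = json.loads("""
{
  "data": {
    "imported_issuers": ["1f3c9a20-root-0000-0000-000000000001",
                         "8b7e44d1-int0-0000-0000-000000000002"],
    "imported_keys": null,
    "mapping": {"1f3c9a20-root-0000-0000-000000000001": "",
                "8b7e44d1-int0-0000-0000-000000000002": "d2a1c0ff-key0-0000-0000-000000000003"},
    "existing_issuers": null,
    "existing_keys": null
  }
}
""")


def new_intermediate_issuer(resp, expected_key_id=None):
    """Return the issuer_id of the intermediate that was just signed.

    Every issuer in the uploaded bundle appears in mapping; chain certs whose
    private key is not in the mount (the root) map to "". If expected_key_id
    (from pki/intermediate/generate/*) is given, it disambiguates a mount that
    already holds several keyed issuers, e.g. mid-rotation.
    """
    mapping = resp.get("data", {}).get("mapping") or {}
    keyed = {iss: key for iss, key in mapping.items() if key}
    if expected_key_id is not None:
        keyed = {iss: key for iss, key in keyed.items() if key == expected_key_id}
    if len(keyed) != 1:
        raise ValueError(f"expected exactly one keyed issuer, found: {sorted(keyed)}")
    return next(iter(keyed))


def follow_up_commands(issuer_id, issuer_name, mount="pki", role=None):
    """Build the vault CLI calls that need the new issuer ref (name, default, role)."""
    cmds = [f"vault write {mount}/issuer/{issuer_id} issuer_name={issuer_name}",
            f"vault write {mount}/config/issuers default={issuer_id}"]
    if role:
        cmds.append(f"vault write {mount}/roles/{role} issuer_ref={issuer_id}")
    return cmds


if __name__ == "__main__":
    new_id = new_intermediate_issuer(SAMPLE_SET_SIGNED)
    print("\n".join(follow_up_commands(new_id, "int-2024", role="servers")))
```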