PKI, unsupported extension DigitalSignature + CRL

Hi,

I generated a CSR:

resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate_serv_maq" {
  depends_on            = [vault_mount.intermediate_serv_maq]
  backend               = vault_mount.intermediate_serv_maq.path
  type                  = "internal"
  common_name           = "Vault Intermediate Certificate Authority"
  key_type              = "rsa"
  key_bits              = "4096"
  ou                    = "maq"
  organization          = "XXX"
  country               = "XX"
  locality              = "XXX"
  province              = "MM"
  add_basic_constraints = true
}

Signed with my offline CA and imported the certificate. But in the UI - View Issuer Certificate, at the bottom, I can read:
“Parsing error(s): certificate contains unsupported extension OIDs: 2.5.29.31, unsupported key usage value on issuer certificate: DigitalSignature”

So,
DigitalSignature is in the default option key_usage: PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer
How can it be unsupported?

And 2.5.29.31, it’s the CRL Distribution Points. How can it be unsupported?

Thank you

Did you find out what the problem was?
I am in a similar situation where a locally created certificate imported into Vault leads to “Parsing error(s): certificate contains unsupported extension OIDs: 2.5.29.31”.

Hi, no, I removed this extension
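
One way to check, before importing, whether a signed issuer certificate still carries the two items named in the message quoted in this thread (extension OID 2.5.29.31 and the DigitalSignature key usage). This is an added example, not code from the thread or from Vault; `flagged` and `sampleCA` are hypothetical names, and the certificate is constructed in the code so the check runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// flagged reports whether a DER certificate carries the two items from the quoted message.
func flagged(der []byte) (crldp, digSig bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, false, err
	}
	for _, ext := range cert.Extensions {
		crldp = crldp || ext.Id.String() == "2.5.29.31" // CRL Distribution Points
	}
	return crldp, cert.KeyUsage&x509.KeyUsageDigitalSignature != 0, nil
}

// sampleCA builds a constructed, self-signed CA certificate (sample input only).
func sampleCA(withCRLDP, withDigSig bool) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed CA"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if withDigSig {
		t.KeyUsage |= x509.KeyUsageDigitalSignature
	}
	if withCRLDP {
		t.CRLDistributionPoints = []string{"http://crl.example.invalid/ca.crl"}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	fmt.Println(flagged(sampleCA(true, true)))
}
```

To check a real PEM file, decode it with `encoding/pem` and pass the block's `Bytes` to `flagged`.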