Pki, unsupported extension DigitalSignature + CRL


I generated a CSR :

resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate_serv_maq" {
  depends_on            = [vault_mount.intermediate_serv_maq]
  backend               = vault_mount.intermediate_serv_maq.path
  type                  = "internal"
  common_name           = "Vault Intermediate Certificate Authority"
  key_type              = "rsa"
  key_bits              = "4096"
  ou                    = "maq"
  organization          = "XXX"
  country               = "XX"
  locality              = "XXX"
  province              = "MM"
  add_basic_constraints = true

Signed with my offline CA and imported the Certificate. But, in the the UI - View Issuer Certificate, in the bottom, I can read:
“Parsing error(s): certificate contains unsupported extension OIDs:, unsupported key usage value on issuer certificate: DigitalSignature”

DigitalSignature is in the default option Key_usage: PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer
How can it be unsupported ??

And, it’s the CRL Distribution Points. How can it be unsupported ??

Thanks you

1 Like