Hey all,
I recently rotated our intermediate certificates and have various questions about the behaviour Vault showed (or what we need to do differently). We have two intermediate PKI mounts (d1, d2) where d1 is the issuer for d2, and d2 issues certificates to all our services. The existing 'default issuer' d1 certificate (d1a) is expiring in a month. I created a new d1 certificate (d1b). I set d1b to be the new default issuer for d1. This worked fine - new d2 certificates (which are set as latest becomes default automatically) were correctly signed by d1b. However, the d2 ca_chain being supplied to our services (and viewable via vault read d2/cert/ca_chain) seems to continue including d1a, though unlinked / dangling. The chain read:
leaf cert → d2 cert → d1b cert → root cert → d1a cert!
SSL client dependent, some of our services seemed to complain about d1a being understandably out of place and un-referenced by other certs (many services remained healthy). I understand some SSL clients are clever enough / not strict and will resolve the correct chain, ignoring the extra certificate. Others won’t:
alert certificate unknown: SSL alert number 46
remote error: tls: unknown certificate authority
Cannot load CA certificate file ca.crt (only 3 of 4 entries were valid X509 names)
(probably because d1a is a duplicate common name)
Furthermore, when listing the issuers for d2, d1a was still in the list. So, I have the following questions:
- Does a PKI mount's issuer list always include their parents automatically? Why is this? Surely a PKI mount's issuers should be just the certs that issue at that level.
- Is the PKI mount's issuer list actually used to create the chain (perhaps answering the question above)? My understanding is the chain is resolved automatically inter-mount, or via manual_chain (which we don't use), neither really needing to have parent issuers included in a mount.
- I'm quite confident in just deleting d1a. Do I delete it via d2 or d1? Is there a softer option to remove it from the chain (or would deleting it actually work)?
Any advice would be much appreciated! Thank you.