Signing a CSR throws 403

Hi,

I am new to HashiCorp Vault v1.17.5 -> PKI and currently performing a POC for issuing certs.

I am able to invoke POST /v1/:/issue/ and I obtain a cert with its chain & Private key.

However, the Private Key needs to remain on the issuer’s side and never be shared, hence thinking of using:

POST /v1/:/sign/ with payload:
"csr": "-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----",
"common_name": "example.com"

This throws 403 Forbidden & "errors": [ "permission denied" ]

My policy contains:

path "/" {
  capabilities = [ "create", "read", "update", "list" ]
}
path "/sign/" {
  capabilities = [ "create", "update" ]
}
path "/certs/" {
  capabilities = [ "list" ]
}

I have come across Can't configure policy for signing certificates · Issue #4347 · hashicorp/vault · GitHub & tried the workaround, to no avail (I have even tried calling the sign API with a Root token).

Any tip/workaround/fix would be highly appreciated.

Thanks,
Regards,

Have you reviewed this tutorial yet?

So /issue/ will always generate everything. The /sign/ endpoint requires the client (requestor) to submit the CSR, so the key is generated outside of Vault. Typically, you have a system that can use some other method of authentication to Vault, so it can self-generate and submit.

The way you are talking, the key stays with the issuer (i.e. Vault?). I'm not certain what your use case is, but typically someone needs both keys to encrypt and decrypt; even with a throwaway key for signatures, you need the private key.
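The client-side flow the reply describes, as an added example that is not code from the original thread or from HashiCorp: the private key and CSR are generated locally, only the CSR is posted to /v1/<mount>/sign/<role>, and the returned certificate is checked against the local key. The mount name "pki" and role name "example-dot-com" are assumed placeholders (the real names were stripped from the question above), as is the policy path built from them. Because Vault is not reachable offline, a throwaway local CA stands in for Vault's signing step so the check at the end can be exercised; that helper is not Vault's behaviour, just a stand-in. Requires openssl and curl; jq is used only to pull the certificate out of Vault's JSON response.

```sh
#!/bin/sh
# Added example (not from the thread or HashiCorp). Client side of
# POST /v1/<mount>/sign/<role>: the private key is created here and never
# leaves this host; only the CSR travels to Vault.
# Assumed names: mount "pki", role "example-dot-com". The policy the token
# needs for this call would then be (assumed names):
#   path "pki/sign/example-dot-com" { capabilities = ["create", "update"] }
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Private key + CSR, generated locally. A minimal req config is written
#    so the command does not depend on the system openssl.cnf.
gen_key_and_csr() {
  cn="$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$cn.key"
  cat >"$WORK/$cn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = DNS:$cn
EOF
  openssl req -new -key "$WORK/$cn.key" -config "$WORK/$cn.cnf" -out "$WORK/$cn.csr"
}

# 2. JSON body for the sign endpoint. PEM lines contain only base64 and
#    dashes, so escaping the newlines is the only quoting needed.
sign_request_body() {
  cn="$1"
  csr=$(awk '{printf "%s\\n", $0}' "$WORK/$cn.csr")
  printf '{"csr":"%s","common_name":"%s"}\n' "$csr" "$cn"
}

# 3. Submit the CSR to Vault. Needs VAULT_ADDR and VAULT_TOKEN in the
#    environment; the issued certificate lands in $WORK/<cn>.crt.
vault_sign() {
  cn="$1"; mount="${2:-pki}"; role="${3:-example-dot-com}"
  sign_request_body "$cn" | curl -sS --fail \
    -H "X-Vault-Token: $VAULT_TOKEN" \
    --request POST --data @- \
    "$VAULT_ADDR/v1/$mount/sign/$role" \
    | jq -r '.data.certificate' >"$WORK/$cn.crt"
}

# 4. Confirm the issued certificate belongs to the local key by comparing
#    public keys; a certificate issued for some other CSR will not match.
cert_matches_key() {
  key="$1"; crt="$2"
  [ "$(openssl pkey -in "$key" -pubout)" = "$(openssl x509 -in "$crt" -noout -pubkey)" ]
}

# Stand-in for Vault so the flow can run offline: a throwaway local CA signs
# the CSR. This is NOT Vault's code; it exists only for the demonstration.
local_ca_sign() {
  cn="$1"
  if [ ! -f "$WORK/ca.key" ]; then
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = Demo CA\n' >"$WORK/ca.cnf"
    openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" -days 1 -out "$WORK/ca.crt"
  fi
  openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$cn.crt"
}
```

Against a real Vault the sequence is `gen_key_and_csr example.com`, then `vault_sign example.com pki example-dot-com`, then `cert_matches_key "$WORK/example.com.key" "$WORK/example.com.crt"`; the `.key` file never appears in the request body, which is the whole point of using /sign/ instead of /issue/.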