Subject of CSR is not carried over to signed certificate

We are using vault with cert-manager.io which is creating CSRs and signing them in vault with a PKI role. For whatever reason, the CSR Subject is not becoming part of signed certificate. Steps to reproduce:

  1. Generate CSR
     openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"
  2. Create JSON payload for PKI sign
     CERTIFICATE=`cat example.csr | sed -z "s/\n/\\\\\n/g"`
     JSON_SIGN="{\"csr\" : \"$CERTIFICATE\"}"
     echo $JSON_SIGN
  3. Sign the CSR with vault. Set the X-Vault-Token header to a valid token and change host/port to a valid destination:
     curl -X POST -H "Content-Type: application/json" -H "X-Vault-Request: true" -H "X-Vault-Token: <token>" http://localhost:8200/v1/pki/sign/example-dot-com --data "$JSON_SIGN" | jq -r '.data.certificate' | sed 's/\\n/\n/g' > ./certificate.crt
  4. Show the text of the generated certificate
     openssl x509 -in certificate.crt -noout -text

The x509 output contains a Subject line but it’s empty. It doesn’t contain anything from the Subject given in the CSR: /C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com.

The PKI role example-dot-com doesn’t contain any special settings. The vault log doesn’t show any warnings. Is it a misunderstanding from my side or a vault bug? What’s the sense of CSR Subject then?

Thx!

It’s been a while since I’ve used the PKI engine so my knowledge is a bit limited at the moment, but combing through the API docs I see a role option called use_csr_common_name, which defaults to true. Can you confirm whether that’s true or false for this particular role? If false, you would need to supply the subject name as part of the json body of your request. I’m not sure how it would behave if it’s set to false and the value not provided in the json body.

While I was playing around locally, use_csr_common_name was set to false, so I didn’t need to provide the CN via the PKI API. I have tried to enable it and changed the signing request to:

{
    "common_name": "example.com",
    "csr":"-----BEGIN CERTIFICATE REQUEST-----...."
}

The subject on the generated certificate changed; it now contains CN = example.com.

But still not what I would expect. I mean the original subject added while creating the CSR:

/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com

I guess I’ve found the place in the code where it happens: it’s in cert_util.go. It takes just the settings of the role and doesn’t care about the csr.Subject values like Organization, Country etc.

I also checked the git history of the file; it has been like this for a very long time (4y+). It looks like it was intended to be that way, not a typo.

To better explain our intention: we’re using the PKI role to sign CSRs from various sources; it’s part of our mTLS infrastructure. The server has a certificate and so do the clients. The plan was to log the subject of the client certificate on the server side to better identify who’s connecting. It looks like the easiest way is to add only the CN there and drop the idea of having the full CSR subject.
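The following Go program is an added illustration, not part of this thread and not Vault's own code. It models the two behaviours discussed above for the original poster's CSR: a role-driven subject, where only the CN is copied from the CSR (and only when a use_csr_common_name-style flag is on) while every other field comes from role settings, versus copying csr.Subject wholesale. The RoleSettings type, the SubjectFromRole function and the throwaway CA are assumptions made for the demo; the subject values are the ones from the openssl req command in the first post. It runs offline with only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RoleSettings is a hypothetical stand-in for the subset of a Vault PKI role
// that shapes the issued subject. It is NOT Vault's own type.
type RoleSettings struct {
	UseCSRCommonName bool
	Organization     []string
	Country          []string
}

// requestedSubject is the subject from the original post's openssl req -subj.
var requestedSubject = pkix.Name{
	Country:            []string{"GB"},
	Province:           []string{"London"},
	Locality:           []string{"London"},
	Organization:       []string{"Global Security"},
	OrganizationalUnit: []string{"IT Department"},
	CommonName:         "example.com",
}

// newCA builds a throwaway self-signed CA so the demo runs offline.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-root-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// newCSR creates and verifies a CSR carrying the full requested subject.
func newCSR() (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: requestedSubject}, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

// SubjectFromRole models the behaviour described in the thread: the CN comes
// from the CSR only when the flag is on, everything else comes from the role,
// so the CSR's O/OU/L/ST are dropped.
func SubjectFromRole(csr *x509.CertificateRequest, role RoleSettings) pkix.Name {
	s := pkix.Name{Organization: role.Organization, Country: role.Country}
	if role.UseCSRCommonName {
		s.CommonName = csr.Subject.CommonName
	}
	return s
}

// issue signs a leaf certificate with the given subject and the CSR's public key.
func issue(subject pkix.Name, csr *x509.CertificateRequest, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo issues one certificate each way and returns both subjects as RFC 2253 strings.
func Demo(role RoleSettings) (fromRole, fromCSR string, err error) {
	ca, caKey, err := newCA()
	if err != nil {
		return "", "", err
	}
	csr, err := newCSR()
	if err != nil {
		return "", "", err
	}
	c1, err := issue(SubjectFromRole(csr, role), csr, ca, caKey)
	if err != nil {
		return "", "", err
	}
	c2, err := issue(csr.Subject, csr, ca, caKey) // what the poster expected
	if err != nil {
		return "", "", err
	}
	return c1.Subject.String(), c2.Subject.String(), nil
}

func main() {
	fromRole, fromCSR, err := Demo(RoleSettings{UseCSRCommonName: true})
	if err != nil {
		panic(err)
	}
	fmt.Println("role-driven subject:", fromRole)
	fmt.Println("CSR-driven subject: ", fromCSR)
}
```

With UseCSRCommonName set to true the role-driven certificate ends up with only CN=example.com (plus whatever O/C the role supplies), which matches the second screenshot described above; with it off the subject is empty apart from role fields, which matches the first report. Only the second, CSR-driven path carries the OU, L and ST values through to the client certificate that a server would log.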

Is the actual behavior what’s indicated will happen in the documentation?
If not, it might be worth requesting that the feature be implemented as described in the documentation, or at least having the documentation updated to reflect the actual behavior. If you’re using open source then submit a GitHub issue; otherwise, if you’re an Enterprise or HCP customer, open a support case.
