Hi, I’m running Vault 1.12.1 and am hoping someone can clarify some behavior for me and perhaps tell me where I’m going wrong. I’m using the PKI secrets engine to host just an intermediate CA (the root CA is stored offline), and am having some difficulties downloading the CRL.
If I run the following commands to set up a new intermediate CA, my curl commands fail, returning no response, e.g.:
$ vault secrets enable -path=pki_test pki
Success! Enabled the pki secrets engine at: pki_test/
$ vault write pki_test/intermediate/generate/internal common_name=my-website.com ttl=8760h
WARNING! The following warnings were returned from Vault:
* This mount hasn't configured any authority information access (AIA)
fields; this may make it harder for systems to find missing certificates
in the chain or to validate revocation status of certificates. Consider
updating /config/urls or the newly generated issuer with this information.
Since this certificate is an intermediate, it might be useful to regenerate
this certificate after fixing this problem for the root mount.
* TTL "8760h0m0s" is longer than permitted maxTTL "768h0m0s", so maxTTL is
being o
Key Value
--- -----
csr -----BEGIN CERTIFICATE REQUEST-----
<snip>
-----END CERTIFICATE REQUEST-----
key_id 8e8294d0-2f20-6880-6bd2-275f308b6fa9
$ curl http://vault.shared.domain.com:8200/v1/pki_test/crl -v
* Trying 172.29.65.200...
* TCP_NODELAY set
* Connected to vault.shared.domain.com (172.29.65.200) port 8200 (#0)
> GET /v1/pki_test/crl HTTP/1.1
> Host: vault.shared.domain.com:8200
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 204 No Content
< Cache-Control: no-store
< Content-Type: application/pkix-crl
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Wed, 05 Apr 2023 10:56:38 GMT
<
* Connection #0 to host vault.shared.domain.com left intact
$
However, if I run the same commands but generate a root certificate, I can download the CRL as expected:
$ vault secrets enable -path=pki_test_root pki
Success! Enabled the pki secrets engine at: pki_test_root/
$ vault write pki_test_root/root/generate/internal common_name=my-website.com ttl=8760h
WARNING! The following warnings were returned from Vault:
* This mount hasn't configured any authority information access (AIA)
fields; this may make it harder for systems to find missing certificates
in the chain or to validate revocation status of certificates. Consider
updating /config/urls or the newly generated issuer with this information.
* TTL "8760h0m0s" is longer than permitted maxTTL "768h0m0s", so maxTTL is
being used
Key Value
--- -----
certificate -----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
expiration 1683457175
issuer_id ac390822-d3b3-dfbd-fa1b-4de8071edc39
issuer_name n/a
issuing_ca -----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
key_id 836242f3-c450-7c46-31dd-e4846fa2b2fe
key_name n/a
serial_number 5c:3c:ed:5f:67:7a:cf:f7:29:c0:86:ef:f6:f9:1b:66:f3:f4:60:84
$ curl http://vault.shared.domain.com:8200/v1/pki_test_root/crl -v
* Trying 172.29.65.200...
* TCP_NODELAY set
* Connected to vault.shared.domain.com (172.29.65.200) port 8200 (#0)
> GET /v1/pki_test_root/crl HTTP/1.1
> Host: vault.shared.domain.com:8200
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-store
< Content-Type: application/pkix-crl
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Wed, 05 Apr 2023 10:59:53 GMT
< Content-Length: 406
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 406)
* stopped the pause stream!
* Closing connection 0
$
Could somebody clarify why I’m seeing this behaviour? My expectation was that the relevant CRL should still download regardless of the CA type, so presumably I’m doing something wrong…
Many thanks!
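Added example (not from the original post and not Vault's own code): a small helper that fetches a mount's CRL into a file so the DER body never reaches the terminal, separates the HTTP status from the body, and only hands a 200 response to openssl for inspection. It assumes VAULT_ADDR is set (e.g. http://vault.shared.domain.com:8200) and that openssl is on PATH. Note that in the first transcript the intermediate mount returns only a csr and key_id, while the root mount returns an issuer_id; a 204 from the crl endpoint means Vault has no CRL content to serve for that mount.

```shell
#!/bin/sh
# Fetch a Vault PKI mount's CRL and report what came back.
# Example code, not from the original post. Assumes VAULT_ADDR is set
# and openssl is installed; mount names are passed as arguments.
set -e

# Map the HTTP status of GET /v1/<mount>/crl to a short diagnosis.
crl_status_message() {
  case "$1" in
    200) echo "crl present" ;;
    204) echo "no crl content: the mount has nothing to build a CRL from yet" ;;
    *)   echo "unexpected http status $1" ;;
  esac
}

# Download the DER CRL of <mount> to <outfile>, print the diagnosis and,
# on 200, the CRL issuer and validity window. Returns 0 only when a CRL
# was actually served.
fetch_crl() {
  fc_mount="$1"
  fc_out="$2"
  # -o keeps the binary body out of the terminal; -w yields only the code.
  fc_code=$(curl -sS -o "$fc_out" -w '%{http_code}' \
    "${VAULT_ADDR:?set VAULT_ADDR}/v1/${fc_mount}/crl")
  echo "$fc_mount: $(crl_status_message "$fc_code")"
  if [ "$fc_code" = "200" ]; then
    openssl crl -inform DER -in "$fc_out" -noout -issuer -lastupdate -nextupdate
    return 0
  fi
  return 1
}

# Usage: ./check_crl.sh pki_test [outfile]
if [ -n "${1:-}" ]; then
  fetch_crl "$1" "${2:-$1.crl}"
fi
```

Run it once against each mount from the post; the root mount prints the CRL issuer and next update, while the intermediate mount reports the 204 without any binary output or "Failed writing body" noise.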