Usage of certificate OIDs in policies when using cert auth

Hello,
using certificate authentication makes it really hard to dynamically have some policies.
For example, if I have 2 certs, one for my-host-1.example.com and one for my-host-2.example.com, but they should share the same policy, how can we achieve that? (The use of one policy for ALL the certs signed by my CA is an absolute no.)

I was thinking, as we can add OID to the cert while signing them:

        X509v3 extensions:
            [...]
            1.3.6.1.4.1.34380.1.1.13: # this is pp_project
                ..jenkins
            1.3.6.1.4.1.34380.1.1.7: # this is pp_role
                ..jenkins-slave

Couldn’t we use those OID in the policy template as metadata like identity.entity.aliases.<mount accessor>.metadata.<oid_key_or_id> for example?

Then one could sign their certs with X or Y OID and get proper access.

Should I maybe open an issue in the github repository?
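An added worked example (not from this thread and not Vault's own code) to make the proposal above concrete. The two Puppet-style extensions in the openssl output are DER-encoded: the `..` that openssl prints in front of `jenkins` are the UTF8String tag and length bytes sitting inside the extension's OCTET STRING. The script builds such an Extensions SEQUENCE, parses the custom OIDs back out, maps them to metadata keys, and resolves a policy path written in Vault's `{{identity.entity.aliases.<mount accessor>.metadata.<key>}}` template form. The `pp_project`/`pp_role` key names and the mount accessor `auth_cert_c2b9f5a1` are assumptions. For reference, the cert auth role already has a `required_extensions` parameter (`oid:value` pairs a cert must carry) that can pin a role to certs with a given extension value, and later Vault releases added an `allowed_metadata_extensions` role parameter that copies selected extension values into the alias metadata; check the cert auth docs for your version.

```python
import re

# OIDs quoted in the post (Puppet's pp_project / pp_role extensions).  The key
# names are this example's own choice, not something Vault assigns.
OID_TO_KEY = {
    "1.3.6.1.4.1.34380.1.1.13": "pp_project",
    "1.3.6.1.4.1.34380.1.1.7": "pp_role",
}
TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_UTF8STRING, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x0C, 0x30


def der_encode(tag: int, content: bytes) -> bytes:
    """Definite-length TLV (short form below 128 bytes, long form above)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER TLV (base-128 arcs, first two merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_encode(TAG_OID, bytes(body))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_extension(oid: str, value: str, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }; the value is a DER UTF8String inside the OCTET STRING."""
    parts = encode_oid(oid)
    if critical:
        parts += der_encode(TAG_BOOLEAN, b"\xff")
    parts += der_encode(TAG_OCTET_STRING, der_encode(TAG_UTF8STRING, value.encode()))
    return der_encode(TAG_SEQUENCE, parts)


def parse_extensions(extensions_seq: bytes) -> dict:
    """Walk Extensions ::= SEQUENCE OF Extension -> {oid: (critical, extnValue)}."""
    tag, content, _ = read_tlv(extensions_seq, 0)
    assert tag == TAG_SEQUENCE
    result, pos = {}, 0
    while pos < len(content):
        tag, ext, pos = read_tlv(content, pos)
        assert tag == TAG_SEQUENCE
        t, oid_body, p = read_tlv(ext, 0)
        assert t == TAG_OID
        t, body, p = read_tlv(ext, p)
        critical = False
        if t == TAG_BOOLEAN:  # optional; DER omits it when FALSE
            critical = body != b"\x00"
            t, body, p = read_tlv(ext, p)
        assert t == TAG_OCTET_STRING
        result[decode_oid(oid_body)] = (critical, body)
    return result


def openssl_style(octets: bytes) -> str:
    """Roughly how `openssl x509 -text` prints an unknown extension: non-printable
    bytes become '.', so the UTF8String tag and length show up as '..jenkins'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in octets)


def extension_metadata(extensions_seq: bytes, oid_to_key=OID_TO_KEY) -> dict:
    """Known custom extensions -> {key: value}.  Unknown OIDs are ignored; a value
    that is not a UTF8String is rejected instead of being decoded as raw bytes."""
    meta = {}
    for oid, (_critical, octets) in parse_extensions(extensions_seq).items():
        key = oid_to_key.get(oid)
        if key is None:
            continue
        tag, inner, _ = read_tlv(octets, 0)
        if tag != TAG_UTF8STRING:
            raise ValueError(f"{oid}: expected UTF8String, got tag 0x{tag:02x}")
        meta[key] = inner.decode("utf-8")
    return meta


TEMPLATE_RE = re.compile(r"\{\{identity\.entity\.aliases\.([^.]+)\.metadata\.([^}]+)\}\}")


def render_policy_path(path: str, accessor: str, metadata: dict) -> str:
    """Resolve the alias-metadata form of Vault's policy templating against a
    metadata dict.  A missing key raises KeyError here rather than rendering empty."""
    def sub(m):
        if m.group(1) != accessor:
            raise KeyError(f"unknown mount accessor {m.group(1)}")
        return metadata[m.group(2)]
    return TEMPLATE_RE.sub(sub, path)


def demo():
    # Constructed Extensions SEQUENCE carrying the two values from the post; the
    # mount accessor auth_cert_c2b9f5a1 is made up for the example.
    exts = der_encode(TAG_SEQUENCE, build_extension("1.3.6.1.4.1.34380.1.1.13", "jenkins")
                      + build_extension("1.3.6.1.4.1.34380.1.1.7", "jenkins-slave"))
    meta = extension_metadata(exts)
    path = render_policy_path(
        "secret/data/{{identity.entity.aliases.auth_cert_c2b9f5a1.metadata.pp_project}}/*",
        "auth_cert_c2b9f5a1", meta)
    return meta, path
```

`demo()` returns `{'pp_project': 'jenkins', 'pp_role': 'jenkins-slave'}` and the rendered path `secret/data/jenkins/*`. The strictness in `extension_metadata` matters in practice: a CA that writes the value as a bare OCTET STRING instead of a wrapped UTF8String would otherwise yield a different (or empty) metadata value and a policy path nobody intended.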

Do you have multiple roles/certs to support the different certificates or is it a single role/cert that broadly matches?

I’ve not used cert auth yet so my knowledge here is quite limited.

When the Identity Entity is created is there any metadata added to the Alias by default or is it completely blank?

I think your idea makes sense and could work as long as that metadata is imported at sign in. If it’s not then you probably need to open an issue in GitHub and/or submit a feature request if you’re an Enterprise customer.

> Do you have multiple roles/certs to support the different certificates or is it a single role/cert that broadly matches?

The CA (that is used to sign certs for auth) is stored in the Vault cert config. Then, when trying to auth with a given cert, Vault will use this CA to compare against the auth cert. If the CA is the one that signed it, it lets the request go through; otherwise it denies it.

> When the Identity Entity is created is there any metadata added to the Alias by default or is it completely blank?

The metadata of the identity is null.

I will open an issue; hopefully it can be done without too much effort :smiley:

@gokuatkai please share the GitHub issue if you can :wink:

@rgevaert Hi, I believe this issue is linked to what I wanted to achieve: Support custom x509v3 extension key/value pairs of ASN1.OID format · Issue #10503 · hashicorp/vault · GitHub

Thanks, I will subscribe. It is indeed linked, but maybe your (and my) request can be added separately. I think that will be less work for someone who knows Go.