Vault PKI engine and LDAP client certs

Hi everyone,

We are moving our OpenLDAP CA into Vault. Vault works great; we have a lot of experience with the PKI engine.

I ran into an interesting use case. OpenLDAP maps policies according to the CN in the TLS client certificate.
It understands multiple CNs in one certificate. Is there any possible way to tell Vault I'd like to issue or generate a certificate like

Subject: CN = auth, CN = external, CN = administrative, CN = replicator

Thanks for any suggestions.

The Vault PKI engine isn’t capable of that. It defines CN as single-valued in its HTTP API, and tells people to use SANs for multiple values: PKI - Secrets Engines - HTTP API | Vault by HashiCorp

You can create a CSR with multiple CNs, but Vault PKI only has one string for the CN field. I doubt it'll get you what you need. My guess is that OpenLDAP is going to reject the cert since it doesn't have multiple separate CNs. I'd try it and maybe open an enhancement request on GitHub to turn the common_name into an array of strings?

@aram Yes, I tried this. I created a CSR, but Vault signed and returned a CRT with only one of the CNs. In some cases it can work, but there are many use cases where I need to apply multiple roles to a client, so multiple CNs are needed.

Thx for your answer.

@maxb thx. In fact I didn't try using SANs for multiple values. I'm not sure if OpenLDAP will accept it, but I will give it a try, thx.
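The following is an added example, not code from the thread or from HashiCorp, showing the "one CN plus SANs" mapping that maxb suggests and that the original poster says they will try. It takes the multi-CN subject from the question, puts the first CN into `common_name` and the remaining names into `alt_names` (DNS SANs), and builds the Vault PKI role parameters that let the request through: a role with the default `enforce_hostnames=true` would reject a SAN such as `administrative` because it is not a hostname. The role and issue field names (`allow_any_name`, `enforce_hostnames`, `client_flag`, `use_csr_sans`, `common_name`, `alt_names`) are real Vault PKI API parameters; the helper function names and the `WANTED_SUBJECT` string are constructed for this example. It does not talk to Vault, it only produces the JSON bodies you would send. One caveat for OpenLDAP: its SASL EXTERNAL identity is derived from the certificate subject DN, so whether an `authz-regexp` rule can see SAN values at all is exactly the thing the poster still has to test.

```python
"""Map an OpenLDAP-style multi-CN subject onto Vault's single-CN PKI API.

Added example (not from the forum thread). Vault's POST /v1/pki/issue/:role
takes exactly one common_name; additional names can only be carried as SANs.
"""
import json

# Constructed input: the subject the original poster wanted OpenLDAP to see.
WANTED_SUBJECT = "CN = auth, CN = external, CN = administrative, CN = replicator"


def parse_cn_values(subject):
    """Return the CN values from an OpenSSL-style 'CN = a, CN = b' subject string.

    Attribute names are compared case-insensitively; non-CN RDNs are ignored.
    """
    cns = []
    for rdn in subject.split(","):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "CN" and value.strip():
            cns.append(value.strip())
    return cns


def vault_role_definition(ttl="24h"):
    """Role body for POST /v1/pki/roles/<name> that accepts label-like SANs.

    All keys are real Vault PKI role parameters. The two that matter here:
    allow_any_name lets the role issue for names outside allowed_domains, and
    enforce_hostnames=False stops Vault rejecting 'administrative' or
    'replicator' for not looking like DNS names.
    """
    return {
        "allow_any_name": True,
        "enforce_hostnames": False,
        "allow_ip_sans": False,
        "server_flag": False,       # these are client-auth certs only
        "client_flag": True,
        "key_usage": ["DigitalSignature"],
        "ext_key_usage": ["ClientAuth"],
        "use_csr_sans": True,       # honour SANs in a CSR sent to /pki/sign/<role>
        "ttl": ttl,
        "max_ttl": ttl,
    }


def vault_issue_payload(cns):
    """Build the body for POST /v1/pki/issue/<role> from a list of CN values.

    The first name becomes the single common_name Vault supports; the rest go
    into alt_names, which Vault expects as a comma-separated string.
    """
    if not cns:
        raise ValueError("at least one CN value is required")
    payload = {"common_name": cns[0]}
    if len(cns) > 1:
        payload["alt_names"] = ",".join(cns[1:])
    return payload


def resulting_subject(payload):
    """What the issued certificate's subject will contain: one CN, nothing else.

    This is the limitation the thread is about; the other names survive only
    as SANs, not as additional CN RDNs.
    """
    return "CN = " + payload["common_name"]


if __name__ == "__main__":
    names = parse_cn_values(WANTED_SUBJECT)
    print("role:   ", json.dumps(vault_role_definition()))
    print("issue:  ", json.dumps(vault_issue_payload(names)))
    print("subject:", resulting_subject(vault_issue_payload(names)))
```

Usage: write the role body with `vault write pki/roles/ldap-client @role.json` and the issue body with `vault write pki/issue/ldap-client @issue.json` (or the equivalent HTTP calls); then inspect the returned certificate with `openssl x509 -noout -subject -ext subjectAltName` to confirm that the extra names are present only in the SAN extension before pointing OpenLDAP at it.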