Vault PKI engine: Signed certificate does not have extensions

Hi!

I generated a CSR using ECDSA 256 and passed it to the PKI engine REST API to sign the certificate.

The generated certificate contains all the fields like Common Name, Organization, Organization Unit, Country, etc.

But I also added extra extensions while generating the CSR, and those are missing from the generated certificate.

Is there any specific way to add these extensions to the certificate?

Thanks,
Sahil

Which extensions?

Vault does not have support for copying CSR extensions to end-entity certificates.

There is limited support in a couple of endpoints (sign-intermediate and sign-verbatim), but they are highly privileged endpoints that bypass much of the policy Vault would otherwise enforce, so they are typically not useful for general use cases.

I added a custom extension with Type asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1} and a custom structure as an ExtraExtension, with the critical flag set to true.

These were present in the CSR but not in the certificate.

Thanks,
Sahil

Right, so a totally custom extension: there is no way to add that to Vault-generated end-entity certificates. (Short of sign-verbatim, at which point you’ve bypassed nearly all of the value of using Vault PKI anyway.)

You’ll need to consider either forking the Go code of the PKI secrets engine, modifying it, and loading it as a custom plugin, or using software other than Vault for this.
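The following Go program is an added example, not code from the thread or from Vault. It reproduces the poster's setup (a P-256 CSR carrying OID 1.2.3.4.5.6.7.8.1 as a critical extension), then signs the CSR with a throwaway local CA in two modes: one that builds the leaf from the CA's own template only, which is the behaviour described above for Vault's ordinary sign endpoint, and one that copies the CSR extensions in raw, which is the sign-verbatim style of issuance. `missingExtensions` is the check to run on any certificate a CA hands back to see which requested extensions were dropped. The extension payload, subject names and the `signLocally` helper are assumptions made for the example; the local CA stands in for whatever software actually issues the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// customOID is the private OID from the thread. The payload is a constructed
// placeholder; the thread does not say what the real extension value was.
var customOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}

// newCSR generates a P-256 key and a CSR that carries customOID as a critical
// extension, mirroring what the poster described.
func newCSR() (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	payload, err := asn1.Marshal("constructed-example-value") // assumed DER payload
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: "svc.example.test", Organization: []string{"Example Org"}},
		ExtraExtensions: []pkix.Extension{{Id: customOID, Critical: true, Value: payload}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// signLocally issues a leaf for csr from a throwaway CA (a stand-in for the
// real issuer, written for this example). With copyExts=false the leaf comes
// from the CA's template only, as a policy-enforcing sign endpoint does; with
// copyExts=true every CSR extension is copied in raw, sign-verbatim style.
func signLocally(csr *x509.CertificateRequest, copyExts bool) (*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject, // subject fields do carry over, as the poster saw
		NotBefore:    now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if copyExts {
		leaf.ExtraExtensions = csr.Extensions // raw copy, no policy applied
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// missingExtensions returns the OIDs the CSR asked for that the issued
// certificate does not carry: the check to run on a cert returned by a CA.
func missingExtensions(csr *x509.CertificateRequest, cert *x509.Certificate) []string {
	present := make(map[string]bool, len(cert.Extensions))
	for _, e := range cert.Extensions {
		present[e.Id.String()] = true
	}
	var missing []string
	for _, e := range csr.Extensions {
		if !present[e.Id.String()] {
			missing = append(missing, e.Id.String())
		}
	}
	return missing
}

func main() {
	csr, err := newCSR()
	if err != nil {
		panic(err)
	}
	for _, copyExts := range []bool{false, true} {
		cert, err := signLocally(csr, copyExts)
		if err != nil {
			panic(err)
		}
		fmt.Printf("copyExts=%v missing=%v unhandledCritical=%v\n",
			copyExts, missingExtensions(csr, cert), cert.UnhandledCriticalExtensions)
	}
}
```

Note the second run: once the critical custom extension is copied into the leaf, Go's parser lists it in `UnhandledCriticalExtensions`, and `x509.Certificate.Verify` will reject the chain unless the relying party clears that field itself. A critical private OID therefore only works when every verifier in the deployment knows how to consume it, which is one more reason a general-purpose CA declines to copy it.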