I’m trying to get a three-tier PKI up and running, but I find it hard to get a CA certificate signed by my Vault intermediate CA for my Microsoft CA (issuer).
So this is my test setup right now:
Vault Root CA – Vault Intermediate CA – MS CA Issuer
The Vault part is working, same setup as the example in Vault learning. But when the intermediate should sign a CSR from Issuer, I do not see the “basic constraint: CA:true” stuff in the signed cert I get back from Intermediate. I’m using a role on intermediate with basic_constraints_valid_for_non_ca: true. Here is what the signed cert says:
X509v3 Basic Constraints: critical
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Issuer: CN=Intermediate CA
I even tried changing it to false just to be sure, but no difference.
The path I use, and curl POST, is as follows:
curl -s --request POST --header "X-Vault-Token: testing_stuff" --data @csr_payload http://192.168.80.10:8200/v1/pki_int/sign/role-test > JSONFIL
I cannot find any text about Vault issuing a CA cert to another CA server product like Microsoft or so.
Anyone who has an idea what it could be, or whether I’m doing it wrong somehow?
As all the text on Vault learning and so on is about Vault running a tier 2 PKI and then issuing server certificates, I’m worried that I can’t extend the chain, even when I have path length 4 on the root CA.
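An added example, not part of the post and not Vault's own tooling: a stdlib-only Python check that takes the JSON body Vault returns from `pki_int/sign/<role>`, pulls `data.certificate` out of it, and decodes the Basic Constraints extension straight from the DER, so an operator can confirm CA:TRUE and the path length before installing the certificate on the issuing CA. The `data.certificate` field is Vault's response shape; the DER built by `sample_response` is a constructed, certificate-shaped stub used only to exercise the parser, not a real certificate.

```python
import base64
import json

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")   # id-ce-basicConstraints (2.5.29.19)

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def iter_children(value):               # every TLV directly inside a constructed value
    pos = 0
    while pos < len(value):
        tag, body, pos = der_tlv(value, pos)
        yield tag, body
def find_basic_constraints(der):
    """Depth-first search for the Basic Constraints extension; None if the cert has none."""
    for tag, body in iter_children(der):
        if not tag & 0x20:              # primitive type: nothing to descend into
            continue
        kids = list(iter_children(body))
        if tag == 0x30 and kids and kids[0] == (0x06, BASIC_CONSTRAINTS_OID):
            critical = len(kids) == 3 and kids[1][1] == b"\xff"
            _, bc_seq, _ = der_tlv(kids[-1][1])   # OCTET STRING wraps the BasicConstraints SEQUENCE
            ca, path_len = False, None            # cA is DEFAULT FALSE: absent means CA:FALSE
            for ktag, kbody in iter_children(bc_seq):
                if ktag == 0x01:
                    ca = kbody == b"\xff"
                elif ktag == 0x02:
                    path_len = int.from_bytes(kbody, "big")
            return {"critical": critical, "ca": ca, "path_len": path_len}
        if (found := find_basic_constraints(body)) is not None:
            return found
    return None
def check_vault_signed_cert(response_json):   # JSON body returned by pki_int/sign/<role>
    pem = json.loads(response_json)["data"]["certificate"]
    der = base64.b64decode("".join(line for line in pem.splitlines() if "-----" not in line))
    return find_basic_constraints(der)
def tlv(tag, body):                     # DER-encode one TLV (short-form length is enough here)
    return bytes([tag, len(body)]) + body

def sample_response(ca, path_len=None):
    """Constructed sample, not a real certificate: cert-shaped DER stub with one critical BC extension in Vault's JSON shape."""
    bc = (tlv(0x01, b"\xff") if ca else b"") + (tlv(0x02, bytes([path_len])) if path_len is not None else b"")
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, bc)))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, ext)))   # serial + [3] extensions only
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(tlv(0x30, tbs)).decode()
    return json.dumps({"data": {"certificate": pem}})
```

Run `check_vault_signed_cert(open("JSONFIL").read())` against the file the curl command writes; a result with `"ca": False` means the role signed a leaf, not a CA certificate.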