Vault pki role allow_subdomains=false

franc01s · November 9, 2020, 8:25pm

Hello,

What is the usage of allow_subdomains=false
in role vault write pki/roles/cud allowed_domains=cud.local allow_subdomains=false

as I cannot generate certificate for a host in this domain

vault write pki/issue/cud common_name=test.foo.com
Error writing data to pki/issue/cud: Error making API request.

URL: PUT http://localhost:8200/v1/pki/issue/cud
Code: 400. Errors:

* common name test.foo.com not allowed by this role

That works with allow_subdomains=true but I would like prevent creation of test.bar.foo.com

Any help appreciated,
Thanks

Blackclaws · December 2, 2020, 1:24pm

You need to allow_bare_domains in that case.

vault write pki_int/roles/cud \
    allowed_domains=test.foo.com \
    allow_subdomains=false \
    allow_bare_domains=true max_ttl=72h

franc01s · December 15, 2020, 1:48pm

Thanks! I finally used allow_bare_domains and one role for each issue I need.

Topic		Replies	Views
PKI - Issue with role and glob patterns Vault	1	851	September 27, 2023
Basic vault PKI use case not working Vault vault	5	810	February 18, 2023
HCSEC-2022-09 - Vault PKI Secrets Engine Policy Results In Incorrect Wildcard Certificate Issuance Security security-vault	0	7868	March 4, 2022
PKI - How to set SANS Vault	2	701	February 8, 2023
PKI templating using identity Vault	1	171	February 4, 2024

Vault pki role allow_subdomains=false

Related topics