I would like to use the Vault PKI engine to allow users to request user-based certificates for their identity and email address from Vault, signed by the intermediate CA. After trying various different options and reading up on it (including the source code), it appears that this is actually impossible?
It is possible to limit a CN to a user’s username with the following PKI role:
{
  "allowed_domains": ["{{identity.entity.aliases.auth_userpass_a973d1a1.name}} - Client Certificate"],
  "allowed_domains_template": true,
  "allow_bare_domains": true,
  "enforce_hostnames": false
}
This will limit the CN to be tied to the user’s identity. I’m using userpass here, but in production we would be using an OIDC-based auth provider.
However, I also need the certificate to contain the user’s email address, either in the CN or in a Subject Alternative Name. If I switch the role policy to:
{
  "allowed_domains": ["{{identity.entity.aliases.auth_userpass_a973d1a1.name}}@example.com"],
  "allowed_domains_template": true,
  "allow_bare_domains": true,
  "enforce_hostnames": false
}
I get an error (which I reported here: Unable to use email address with "allowed_domains_template" for PKI Roles · Issue #12694 · hashicorp/vault · GitHub): "common name ropnop@example.com not allowed by this role".
The only way I can tell to allow the email address is to also allow the bare domain, example.com, like so:
  "allowed_domains": ["{{identity.entity.aliases.auth_userpass_a973d1a1.name}}@example.com", "example.com"],
But this basically removes any checking, as now any user can request any email address (since the validation only occurs on the domain), as well as the bare domain example.com.
Am I missing something, or can anyone think of any other easier way to do this? I’m a little surprised this is so clunky to do; I figured Vault PKI would be the perfect engine to allow developers to create short-lived client certs for themselves, but have hit this roadblock.
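As an added illustration (not code from the post and not Vault's own implementation), here is a small Python model of the allowed_domains check as the post describes it, run against the three role definitions above. It renders the template from a constructed identity, reduces an email address to the part after "@" before comparing it with allowed_domains, and so reproduces why the templated email entry never matches and why adding the bare domain lets any user request any address. The identity dictionaries, the regexes and the `strict_email` switch are assumptions of this model; strict mode is a hypothetical tightening shown only to make the gap concrete, not an option Vault offers as written here.

```python
import re

# Constructed identity data for two logged-in users (not real Vault data); the key is
# the template field the post's roles reference.
ROPNOP = {"identity.entity.aliases.auth_userpass_a973d1a1.name": "ropnop"}
ALICE = {"identity.entity.aliases.auth_userpass_a973d1a1.name": "alice"}

# The three role definitions from the post.
ROLE_CN = {
    "allowed_domains": ["{{identity.entity.aliases.auth_userpass_a973d1a1.name}} - Client Certificate"],
    "allowed_domains_template": True,
    "allow_bare_domains": True,
    "enforce_hostnames": False,
}
ROLE_EMAIL = {
    "allowed_domains": ["{{identity.entity.aliases.auth_userpass_a973d1a1.name}}@example.com"],
    "allowed_domains_template": True,
    "allow_bare_domains": True,
    "enforce_hostnames": False,
}
ROLE_EMAIL_BARE = dict(ROLE_EMAIL, allowed_domains=ROLE_EMAIL["allowed_domains"] + ["example.com"])

TEMPLATE_RE = re.compile(r"\{\{\s*([^}]+?)\s*\}\}")   # {{ field }} placeholders (assumed syntax)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")         # crude hostname check for enforce_hostnames


def render_allowed_domains(role, identity):
    """Expand {{...}} placeholders from the caller's identity when allowed_domains_template is set."""
    if not role.get("allowed_domains_template"):
        return list(role["allowed_domains"])
    return [TEMPLATE_RE.sub(lambda m: identity.get(m.group(1), ""), d)
            for d in role["allowed_domains"]]


def name_allowed(name, role, identity, strict_email=False):
    """Model of the allowed_domains check as the post describes it.

    An email address is reduced to the part after '@' before it is compared with
    allowed_domains, so an entry that renders to 'user@example.com' can never match.
    strict_email=True is a hypothetical tightening for comparison only: an allowed entry
    that itself contains '@' must equal the whole requested address.
    """
    allowed = render_allowed_domains(role, identity)
    is_email = "@" in name
    if is_email:
        local, _, reduced = name.partition("@")
        if not local or not reduced or "@" in reduced:
            return False
    else:
        reduced = name
    if role.get("enforce_hostnames", True) and not HOSTNAME_RE.match(reduced):
        return False
    for entry in allowed:
        if "@" in entry:
            # Under the behaviour the post describes this entry is dead weight: the
            # reduced name never contains '@'. Strict mode compares the full address.
            if strict_email and is_email and name == entry:
                return True
            continue
        if role.get("allow_bare_domains") and reduced == entry:
            return True
        if role.get("allow_subdomains") and reduced.endswith("." + entry):
            return True
    return False


def demo():
    """Run the scenarios from the post and return each outcome keyed by description."""
    return {
        "cn role, own name": name_allowed("ropnop - Client Certificate", ROLE_CN, ROPNOP),
        "cn role, other user's name": name_allowed("ropnop - Client Certificate", ROLE_CN, ALICE),
        "email role, own address": name_allowed("ropnop@example.com", ROLE_EMAIL, ROPNOP),
        "email+bare role, own address": name_allowed("ropnop@example.com", ROLE_EMAIL_BARE, ROPNOP),
        "email+bare role, someone else's address": name_allowed("ropnop@example.com", ROLE_EMAIL_BARE, ALICE),
        "email+bare role, bare domain": name_allowed("example.com", ROLE_EMAIL_BARE, ALICE),
        "strict model, own address": name_allowed("ropnop@example.com", ROLE_EMAIL, ROPNOP, strict_email=True),
        "strict model, someone else's address": name_allowed("ropnop@example.com", ROLE_EMAIL, ALICE, strict_email=True),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{'allowed' if ok else 'REJECTED':8}  {label}")
```

Running it shows the two sides of the problem together: the CN-only role does bind the name to the caller, the templated email role rejects the caller's own address, and the role with the bare domain added accepts a different user's address just as readily as the caller's own.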