Vault write ignores issuer_name

I have been trying to create a intermediate CA just like explained in one of the tutorials Generate intermediate CA

But on running
vault write -format=json pki_int/intermediate/generate/internal \ common_name=" Intermediate Authority" \ issuer_name="example-dot-com-intermediate" \ | jq -r '.data.csr' > pki_intermediate.csr

The CLI throws a warning
`WARNING! The following warnings were returned from Vault:

  • This mount hasn’t configured any authority information access (AIA)
    fields; this may make it harder for systems to find missing certificates
    in the chain or to validate revocation status of certificates. Consider
    updating /config/urls or the newly generated issuer with this information.
    Since this certificate is an intermediate, it might be useful to regenerate
    this certificate after fixing this problem for the root mount.

  • Endpoint ignored these unrecognized parameters: [issuer_name]`

This is not what I expected or understood from the tutorial. As issuer name is being set, I wanted to use it as issuer_ref in creating new roles. But with this I am not sure if there is a bug.

There is no such parameter issuer_name for this endpoint.

Check it yourself with vault path-help:

$ vault path-help pki_int/intermediate/generate/internal
Request:        intermediate/generate/internal
Matching Route: ^intermediate/generate/(?P<exported>\w(([\w-.]+)?\w)?)$

Generate a new CSR and private key used for signing.


    add_basic_constraints (bool)

        Whether to add a Basic Constraints
        extension with CA: true. Only needed as a
        workaround in some compatibility scenarios
        with Active Directory Certificate Services.

    alt_names (string)

        The requested Subject Alternative Names, if any,
        in a comma-delimited list. May contain both
        DNS names and email addresses.

    common_name (string)

        The requested common name; if you want more than
        one, specify the alternative names in the alt_names
        map. If not specified when signing, the common
        name will be taken from the CSR; other names
        must still be specified in alt_names or ip_sans.

    country (slice)

        If set, Country will be set to
        this value.

    exclude_cn_from_sans (bool)

        If true, the Common Name will not be
        included in DNS or Email Subject Alternate Names.
        Defaults to false (CN is included).

    exported (string)

        Must be "internal", "exported" or "kms". If set to
        "exported", the generated private key will be
        returned. This is your *only* chance to retrieve
        the private key!

    format (string)

        Format for returned data. Can be "pem", "der",
        or "pem_bundle". If "pem_bundle", any private
        key and issuing cert will be appended to the
        certificate pem. If "der", the value will be
        base64 encoded. Defaults to "pem".

    ip_sans (slice)

        The requested IP SANs, if any, in a
        comma-delimited list

    key_bits (int)

        The number of bits to use. Allowed values are
        0 (universal default); with rsa key_type: 2048 (default), 3072, or
        4096; with ec key_type: 224, 256 (default), 384, or 521; ignored with

    key_name (string)

        Provide a name to the generated or existing key, the name
        must be unique across all keys and not be the reserved value 'default'

    key_ref (string)

        Reference to a existing key; either "default"
        for the configured default key, an identifier or the name assigned
        to the key.

    key_type (string)

        The type of key to use; defaults to RSA. "rsa"
        "ec" and "ed25519" are the only valid values.

    locality (slice)

        If set, Locality will be set to
        this value.

    managed_key_id (string)

        The name of the managed key to use when the exported
        type is kms. When kms type is the key type, this field or managed_key_name
        is required. Ignored for other types.

    managed_key_name (string)

        The name of the managed key to use when the exported
        type is kms. When kms type is the key type, this field or managed_key_id
        is required. Ignored for other types.

    not_after (string)

        Set the not after field of the certificate with specified date value.
        The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ

    not_before_duration (duration (sec))

        The duration before now which the certificate needs to be backdated by.

    organization (slice)

        If set, O (Organization) will be set to
        this value.

    other_sans (slice)

        Requested other SANs, in an array with the format
        <oid>;UTF8:<utf8 string value> for each entry.

    ou (slice)

        If set, OU (OrganizationalUnit) will be set to
        this value.

    postal_code (slice)

        If set, Postal Code will be set to
        this value.

    private_key_format (string)

        Format for the returned private key.
        Generally the default will be controlled by the "format"
        parameter as either base64-encoded DER or PEM-encoded DER.
        However, this can be set to "pkcs8" to have the returned
        private key contain base64-encoded pkcs8 or PEM-encoded
        pkcs8 instead. Defaults to "der".

    province (slice)

        If set, Province will be set to
        this value.

    serial_number (string)

        The Subject's requested serial number, if any.
        See RFC 4519 Section 2.31 'serialNumber' for a description of this field.
        If you want more than one, specify alternative names in the alt_names
        map using OID This has no impact on the final certificate's
        Serial Number field.

    signature_bits (int)

        The number of bits to use in the signature
        algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
        SHA-2-512. Defaults to 0 to automatically detect based on key length
        (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).

    street_address (slice)

        If set, Street Address will be set to
        this value.

    ttl (duration (sec))

        The requested Time To Live for the certificate;
        sets the expiration date. If not specified
        the role default, backend default, or system
        default TTL is used, in that order. Cannot
        be larger than the mount max TTL. Note:
        this only has an effect when generating
        a CA cert or signing a CA cert, not when
        generating a CSR for an intermediate CA.

    uri_sans (slice)

        The requested URI SANs, if any, in a
        comma-delimited list.


See the API documentation for more information.

Documentation which tells you otherwise is wrong.

This endpoint is neither creating nor using an issuer anyway, so specifying a name for one doesn’t make any sense.

It is possible the documentation author intended to suggest using the key_name parameter instead.

Thanks for response and it makes sense.

Still this parameter issuer_name does get accepted when we want to create a CA which is self-signed. For reference

Generate Root CA

If you run the path help vault path-help pki/intermediate/generate/internal

we get the same help response. So I am not sure what is correct

Creating a root/self-signed CA is a very different operation to creating an intermediate CA.

The root/generate operation creates a certificate, which is stored in an issuer entry, which can be given a name.

The intermediate/generate operation does not create a certificate, so there is no issuer entry, so there is no opportunity to name it. (The certificate is created by a different CA later signing the generated CSR, and only when that resultant certificate is then returned to Vault via another API, is an issuer entry created.)

Makes sense and thanks once again for response.

But point doc or help in both the path never mention anything about difference between this. May be this needs to be improved and bug in the document which to me is highly misleading should be fixed.

I can manually set the the intermediate issuer name through the Web UI and then issuer_ref works correctly.
The frustration here is that we as end users don’t see the difference between pki / pki_int and would expect same behaviour.