Vault x509v3 name constraints

Following along with a tutorial on setting up vault using terraform (Build Certificate Authority (CA) in Vault with an offline Root | Vault | HashiCorp Developer) which has been very useful, but I am confused about the permitted dns names portion of the ICA2, hence the anchor in the link above. From what I can tell, the ICA2 is defined using the following piece of terraform code:

resource "vault_mount" "test_org_v1_ica2_v1" {
 path                      = "test-org/v1/ica2/v1"
 type                      = "pki"
 description               = "PKI engine hosting intermediate CA2 v1 for test org"
 default_lease_ttl_seconds = local.default_1hr_in_sec
 max_lease_ttl_seconds     = local.default_1y_in_sec
}

resource "vault_pki_secret_backend_intermediate_cert_request" "test_org_v1_ica2_v1" {
 depends_on   = [vault_mount.test_org_v1_ica2_v1]
 backend      = vault_mount.test_org_v1_ica2_v1.path
 type         = "internal"
 common_name  = "Intermediate CA2 v1"
 key_type     = "rsa"
 key_bits     = "2048"
 ou           = "test org"
 organization = "test"
 country      = "US"
 locality     = "Bethesda"
 province     = "MD"
}

resource "vault_pki_secret_backend_root_sign_intermediate" "test_org_v1_sign_ica2_v1_by_ica1_v1" {
 depends_on = [
   vault_mount.test_org_v1_ica1_v1,
   vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1,
 ]
 backend              = vault_mount.test_org_v1_ica1_v1.path
 csr                  = vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1.csr
 common_name          = "Intermediate CA2 v1.1"
 exclude_cn_from_sans = true
 ou                   = "test org"
 organization         = "test"
 country              = "US"
 locality             = "Bethesda"
 province             = "MD"
 max_path_length      = 1
 ttl                  = local.default_1y_in_sec
}

resource "vault_pki_secret_backend_intermediate_set_signed" "test_org_v1_ica2_v1_signed_cert" {
 depends_on  = [vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v1_by_ica1_v1]
 backend     = vault_mount.test_org_v1_ica2_v1.path
 certificate = format("%s\n%s", vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v1_by_ica1_v1.certificate, file("${path.module}/cacerts/test_org_v1_ica1_v1.crt"))
}

after which we seem to have a well-functioning endpoint in vault which we can query and verify, which works well for me, and I get the expected output until we get to the following:

curl -s $VAULT_ADDR/v1/test-org/v1/ica2/v1/ca/pem | openssl x509 -in /dev/stdin -noout -text | grep "X509v3 extensions" -A 13

which, according to the output supplied with the tutorial, should provide the following output:

           X509v3 Key Usage: critical
               Certificate Sign, CRL Sign
           X509v3 Basic Constraints: critical
               CA:TRUE, pathlen:1
           X509v3 Subject Key Identifier:
               AE:88:D1:D6:3D:3D:AD:BD:AF:6F:D0:9D:CB:5A:E6:A6:B3:71:94:CB
           X509v3 Authority Key Identifier:
               keyid:11:12:F5:E4:85:6C:E4:ED:75:37:FB:C3:CD:14:D6:B8:81:14:F6:44

           X509v3 Name Constraints: critical
               Permitted:
                 DNS:test.com

The name constraints on DNS:test.com, however, seem to me to be highly desirable, but alas, do not show up when I run the command. It's not apparent to me how they would show up in the cert, as there seems to be nothing in the signing or elsewhere that sets that value, and when I search on the page, this is the first occurrence of test.com on that page. Later on, we specify that domain in the role and for the subordinate certs, but how do I get that restriction into the signed intermediate?

I can't see any code anywhere in the Vault PKI implementation which would ever add Name Constraints to a certificate. My guess is that the tutorial author may have accidentally included openssl output from a non-Vault certificate, showing a feature Vault does not have.

Thank you for the reply. I guess I don’t know whether it actually is valuable to have it there or not, but it seemed like a good restriction. I guess vault doesn’t think it valuable enough to put in there though, at least right now.

Vault supports that, but it is named differently: permitted_dns_domains - PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer

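What the extension actually buys, as an added stand-alone example that is not from the tutorial, the thread, or Vault's own code: the script below builds an offline root and intermediate with OpenSSL, gives the intermediate the same critical Name Constraints the tutorial output shows (permitted DNS:test.com), and then verifies one leaf inside the constraint and one outside it. The CA names, the temporary paths and the two hostnames www.test.com and www.evil.com are constructed for the example; no Vault instance is needed.

```shell
#!/bin/sh
# Added example, not from the tutorial or from Vault: an offline
# root -> intermediate chain whose intermediate carries a critical
# Name Constraints extension (permitted DNS:test.com), plus a check of
# what the constraint does at verification time. All names and paths
# below are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA: self-signed, CA:TRUE, only certificate/CRL signing.
cat > "$WORK/root.ext" <<'EOT'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOT
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.csr" -subj "/CN=Test Root CA" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
  -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null

# Intermediate: pathlen:1 as in the tutorial output, plus the constraint.
# "permitted;DNS:test.com" covers test.com itself and any subdomain of it.
cat > "$WORK/ica.ext" <<'EOT'
basicConstraints=critical,CA:TRUE,pathlen:1
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:test.com
EOT
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ica.key" \
  -out "$WORK/ica.csr" -subj "/CN=Intermediate CA2 v1" 2>/dev/null
openssl x509 -req -in "$WORK/ica.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ica.ext" -out "$WORK/ica.crt" 2>/dev/null

# issue_leaf HOST: leaf certificate for HOST with a DNS SAN, signed by
# the intermediate. Prints the certificate path.
issue_leaf() {
  host=$1
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
    > "$WORK/$host.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$host.key" \
    -out "$WORK/$host.csr" -subj "/CN=$host" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ica.crt" -CAkey "$WORK/ica.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
  echo "$WORK/$host.crt"
}

# has_dns_constraint CERT DOMAIN: succeeds if CERT carries a critical
# Name Constraints extension permitting DNS:DOMAIN. This is the check the
# thread's grep over the X509v3 extensions was looking for.
has_dns_constraint() {
  openssl x509 -in "$1" -noout -text \
    | grep -A 3 'X509v3 Name Constraints: critical' \
    | grep -q "DNS:$2"
}

# verify_leaf CERT: succeeds if CERT chains to the root through the
# constrained intermediate; fails if OpenSSL rejects the chain.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/ica.crt" "$1" \
    >/dev/null 2>&1
}

GOOD=$(issue_leaf www.test.com)
APEX=$(issue_leaf test.com)
BAD=$(issue_leaf www.evil.com)

if has_dns_constraint "$WORK/ica.crt" test.com; then
  echo "intermediate: Name Constraints permits DNS:test.com"
fi
if verify_leaf "$GOOD"; then echo "www.test.com: accepted (subdomain of test.com)"; fi
if verify_leaf "$APEX"; then echo "test.com: accepted (the permitted name itself)"; fi
if verify_leaf "$BAD"; then
  echo "www.evil.com: accepted (constraint not enforced!)"
else
  echo "www.evil.com: rejected (outside permitted DNS:test.com)"
fi
```

In the tutorial's Terraform, the same extension comes from adding `permitted_dns_domains = ["test.com"]` to the `vault_pki_secret_backend_root_sign_intermediate` resource, the provider argument for the `permitted_dns_domains` API parameter the reply links; after re-signing, the `curl ... | openssl x509 -noout -text` check from the question shows the Name Constraints block. Two caveats worth keeping in mind: the constraint is enforced by the relying party, not by the CA, so a compromised intermediate key can still sign anything, it just will not be trusted for names outside test.com by validators that honour the extension; and RFC 5280 requires CAs to mark Name Constraints critical, as the tutorial output does, since a non-critical copy may be ignored by some validators.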

Ah, I see. I missed that somehow; the non-standard naming certainly didn't help.