Following along with a tutorial on setting up Vault using Terraform (Build Certificate Authority (CA) in Vault with an offline Root | Vault | HashiCorp Developer), which has been very useful, but I am confused about the permitted DNS names portion of the ICA2, hence the anchor in the link above. From what I can tell, the ICA2 is defined using the following piece of Terraform code:
```hcl
resource "vault_mount" "test_org_v1_ica2_v1" {
  path                      = "test-org/v1/ica2/v1"
  type                      = "pki"
  description               = "PKI engine hosting intermediate CA2 v1 for test org"
  default_lease_ttl_seconds = local.default_1hr_in_sec
  max_lease_ttl_seconds     = local.default_1y_in_sec
}

resource "vault_pki_secret_backend_intermediate_cert_request" "test_org_v1_ica2_v1" {
  depends_on   = [vault_mount.test_org_v1_ica2_v1]
  backend      = vault_mount.test_org_v1_ica2_v1.path
  type         = "internal"
  common_name  = "Intermediate CA2 v1 "
  key_type     = "rsa"
  key_bits     = "2048"
  ou           = "test org"
  organization = "test"
  country      = "US"
  locality     = "Bethesda"
  province     = "MD"
}

resource "vault_pki_secret_backend_root_sign_intermediate" "test_org_v1_sign_ica2_v1_by_ica1_v1" {
  depends_on = [
    vault_mount.test_org_v1_ica1_v1,
    vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1,
  ]
  backend              = vault_mount.test_org_v1_ica1_v1.path
  csr                  = vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1.csr
  common_name          = "Intermediate CA2 v1.1"
  exclude_cn_from_sans = true
  ou                   = "test org"
  organization         = "test"
  country              = "US"
  locality             = "Bethesda"
  province             = "MD"
  max_path_length      = 1
  ttl                  = local.default_1y_in_sec
}

resource "vault_pki_secret_backend_intermediate_set_signed" "test_org_v1_ica2_v1_signed_cert" {
  depends_on = [vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v1_by_ica1_v1]
  backend    = vault_mount.test_org_v1_ica2_v1.path
  # The stored chain is the freshly signed ICA2 cert followed by the ICA1 cert that signed it.
  certificate = format("%s\n%s", vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v1_by_ica1_v1.certificate, file("${path.module}/cacerts/test_org_v1_ica1_v1.crt"))
}
```
after which we seem to have a well-functioning endpoint in Vault which we can query and verify. That works well for me, and I get the expected output until we get to the following:

```shell
curl -s $VAULT_ADDR/v1/test-org/v1/ica2/v1/ca/pem | openssl x509 -in /dev/stdin -noout -text | grep "X509v3 extensions" -A 13
```

which, according to the output supplied with the tutorial, should provide the following output:
```text
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                AE:88:D1:D6:3D:3D:AD:BD:AF:6F:D0:9D:CB:5A:E6:A6:B3:71:94:CB
            X509v3 Authority Key Identifier:
                keyid:11:12:F5:E4:85:6C:E4:ED:75:37:FB:C3:CD:14:D6:B8:81:14:F6:44
            X509v3 Name Constraints: critical
                Permitted:
                  DNS:test.com
```
The name constraints on DNS:test.com, however, seem to me to be highly desirable, but alas, they do not show up when I run the command. It’s not apparent to me how they would show up in the cert, as there seems to be nothing in the signing or elsewhere that sets that value, and when I search on the page, this is the first occurrence of test.com on that page. Later on, we specify that domain in the role and for the subordinate certs, but how do I get that restriction into the signed intermediate?
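For comparison, here is how the signing step looks when the DNS name constraint is requested explicitly. This is an added example, not code from the tutorial or from the post above: it assumes the `permitted_dns_domains` argument that the Terraform Vault provider exposes on `vault_pki_secret_backend_root_sign_intermediate` (a list of domains passed through to Vault's `sign-intermediate` endpoint, which emits them as a critical X509v3 Name Constraints extension). The resource names match the post; the domain value `test.com` is taken from the expected output shown there.

```hcl
# Added example (not the tutorial's code): sign the ICA2 CSR with ICA1 and ask
# Vault to embed a Name Constraints extension limiting ICA2 to test.com.
# Assumption: the provider argument permitted_dns_domains exists on this
# resource and maps to the permitted_dns_domains field of the Vault PKI API.
resource "vault_pki_secret_backend_root_sign_intermediate" "test_org_v1_sign_ica2_v1_by_ica1_v1" {
  depends_on = [
    vault_mount.test_org_v1_ica1_v1,
    vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1,
  ]
  backend              = vault_mount.test_org_v1_ica1_v1.path
  csr                  = vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1.csr
  common_name          = "Intermediate CA2 v1.1"
  exclude_cn_from_sans = true
  ou                   = "test org"
  organization         = "test"
  country              = "US"
  locality             = "Bethesda"
  province             = "MD"
  max_path_length      = 1
  ttl                  = local.default_1y_in_sec

  # Domains the signed ICA2 may issue for; anything else is rejected by
  # relying parties that enforce Name Constraints (RFC 5280 section 4.2.1.10).
  # Constructed value: "test.com" is the domain the tutorial output expects.
  permitted_dns_domains = ["test.com"]
}
```

After `terraform apply`, rerunning the `curl ... | openssl x509 -noout -text` command from the post should show the `X509v3 Name Constraints: critical` block with `Permitted: DNS:test.com` under it. Two points worth keeping in mind when checking the result: the constraint is enforced by the verifier of the leaf certificate (a browser or TLS library), not by Vault at issuance time, so the role's `allowed_domains` on the ICA2 mount remains the issuance-time control and the two settings complement each other; and if the constraint is absent from the output, check the signing request that produced the stored certificate, since `vault_pki_secret_backend_intermediate_set_signed` only stores whatever ICA1 returned.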