Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PKI: Change sign-intermediate to truncate notAfter by default (behavior change) #26796

Merged
merged 4 commits into from
May 9, 2024
Merged

PKI: Change sign-intermediate to truncate notAfter by default (behavior change) #26796

merged 4 commits into from
May 9, 2024

Conversation

stevendpclark
Copy link
Contributor

  • The PKI sign-intermediate API allowed an end-user to request a TTL value that would extend beyond the signing issuer's notAfter. This would generate an invalid CA chain when properly validated.
  • We are now changing the default behavior to truncate the returned certificate to the signing issuer's notAfter.
  • End-users can get the old behavior by configuring the signing issuer's leaf_not_after_behavior field to permit, and call sign-intermediary with the new argument enforce_leaf_not_after_behavior to true. The new argument could also be used to enforce an error instead of truncating behavior if the signing issuer's leaf_not_after_behavior is set to err.

@stevendpclark
PKI: Change sign-intermediate to truncate notAfter by default
7c91a0f 
 - The PKI sign-intermediate API allowed an end-user to request a TTL
   value that would extend beyond the signing issuer's notAfter. This would
   generate an invalid CA chain when properly validated.
 - We are now changing the default behavior to truncate the returned certificate
   to the signing issuer's notAfter.
 - End-users can get the old behavior by configuring the signing issuer's
   leaf_not_after_behavior field to permit, and call sign-intermediary
   with the new argument enforce_leaf_not_after_behavior to true. The
   new argument could also be used to enforce an error instead of truncating
   behavior if the signing issuer's leaf_not_after_behavior is set to err.
@stevendpclark stevendpclark added this to the 1.17.0-rc milestone May 2, 2024
@stevendpclark stevendpclark self-assigned this May 2, 2024
@stevendpclark stevendpclark requested a review from a team as a code owner May 2, 2024 19:50
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label May 2, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented May 2, 2024
edited
Loading

CI Results:
All Go tests succeeded! ✅

@github-actions GitHub Actions
Copy link

github-actions bot commented May 2, 2024

Build Results:
All builds succeeded! ✅

@stevendpclark stevendpclark requested a review from a team as a code owner May 2, 2024 20:44
schavis
schavis requested changes May 8, 2024
View reviewed changes
website/content/api-docs/secret/pki.mdx Outdated Show resolved Hide resolved
website/content/docs/upgrading/upgrade-to-1.17.x.mdx Outdated Show resolved Hide resolved
website/content/docs/upgrading/upgrade-to-1.17.x.mdx Outdated Show resolved Hide resolved
@stevendpclark stevendpclark requested a review from schavis May 8, 2024 14:17
victorr
victorr approved these changes May 9, 2024
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@stevendpclark stevendpclark merged commit 0637f5e into main May 9, 2024
84 checks passed
@stevendpclark stevendpclark deleted the stevendpclark/vault-26731-pki-sign-intermediary branch May 9, 2024 15:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorr victorr victorr approved these changes

@schavis schavis schavis approved these changes

Assignees

@stevendpclark stevendpclark

Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed secret/pki
Projects
None yet
Milestone
1.17.0-rc
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@stevendpclark @victorr @schavis