Unable to add a CRL Distribution Point to CSR

Table of Contents

• What is a CRL Distribution Point?
• Steps
• Config example
• Solution
• Resources

What is a CRL Distribution Point?

A Certificate Revocation List (aka CRL) is a distribution point that's itemising which certificates are revoked and/or expired. A client application can download the CRL to determine if the certificate that it's about to use may be among those already revoked.

Steps:

1. Create Root CA Vault cluster. Create PKI secret engine that does not have a CRL distribution point configured;
2. Create Intermediate CA Vault cluster. Create PKI secret engine that has a CRL distribution point defined in the configuration;
3. In the intermediate's PKI engine:
   • Navigate to issuers tab
   • Select generate
   • Select intermediate CSR
   • Fill out fields as appropriate
4. Take the resulting CSR to the Root CA and sign it;
5. View certificate attributes. CRL distribution point is not included:
   

   Certificate:
       Data:
       ...
           X509v3 extensions:
               X509v3 Key Usage: critical
                   Certificate Sign, CRL Sign
               X509v3 Basic Constraints: critical
                   CA:TRUE
               X509v3 Subject Key Identifier: 
                   ...
               X509v3 Authority Key Identifier: 
                   keyid:...
   
               X509v3 Subject Alternative Name: 
                   DNS:...

6. Expected certificate with distribution point:
   

   Certificate:
       Data:
       ...
           X509v3 extensions:
               X509v3 Key Usage: critical
                   Certificate Sign, CRL Sign
               X509v3 Basic Constraints: critical
                   CA:TRUE
               X509v3 Subject Key Identifier: 
                   ...
               X509v3 Authority Key Identifier: 
                   keyid:...
   
               X509v3 Subject Alternative Name: 
                   DNS:...
               X509v3 CRL Distribution Points: 
   
                   Full Name:
                     URI:https://my_crl_distribution_point

Config example:

• CRL:
  

  {
      "auto_rebuild": true,
      "auto_rebuild_grace_period": "24h",
      "cross_cluster_revocation": false,
      "delta_rebuild_interval": "15m",
      "disable": false,
      "enable_delta": false,
      "expiry": "168h",
      "ocsp_disable": true,
      "ocsp_expiry": "12h",
      "unified_crl": false,
      "unified_crl_on_existing_paths": false
  }

• PKI URL:
  

  {
      "crl_distribution_points": [
        "https://my_crl_distribution_point"
      ],
      "enable_templating": false,
      "issuing_certificates": [],
      "ocsp_servers": []
  }

Solution:

NOTE: CRL distribution points can be configured on mount config or on issuer, but not on CSR.

When using multiple issuers within the same mount, it is strongly suggested to use the per-issuer AIA information instead of the global AIA information. If any of the per-issuer AIA fields are set, the entire issuer's preferences will be used instead. Otherwise, these fields are used as a fallback.

• Configure the issuer on both Intermediate and Root CA with the same value of crl_distribution_points;
• Generate a new CSR from the intermediate CA cluster;
• Sign the CSR using the Root CA;
• Verify certificate attributes and validate whether this time it shows up;

Resources:

• Vault PKI API Docs;
• CRL DIstribution Points;
• RFC5280;