Introduction
This article documents how to issue PKI certificates from Vault without the following X509v3 Extended Key Usage (EKU) values:
- TLS Web Server Authentication
- TLS Web Client Authentication
Problem
Certain workflows require certificates to contain only specific Extended Key Usage values; certificates used for code signing are one example. Issuing certificates in Vault using the PKI Secrets engine results in the TLS Web Server Authentication and TLS Web Client Authentication values being present in addition to the Extended Key Usage values specified in the role configuration.
Example Extended Key Usage values when a certificate is read by openssl:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Prerequisites
- Vault CE and Enterprise 1.16.x and later
Cause
The PKI Secrets engine issues certificates based on the selected role configuration. It uses the following flags on the role to set Extended Key Usage values in addition to the values listed in the ext_key_usage parameter. The server_flag and client_flag parameters are enabled by default on a role:
vault read pki/roles/example-dot-com | grep flag
client_flag true
code_signing_flag false
email_protection_flag false
server_flag true
Having these two flags set causes the PKI secrets engine to add the TLS Web Server Authentication and TLS Web Client Authentication values by default.
Overview of possible solutions
Solution:
Patch the PKI Secrets engine role and disable the server_flag and client_flag parameters:
vault patch pki/roles/example-dot-com server_flag=false client_flag=false
Outcome
Certificates issued after the flags are disabled no longer contain the TLS Web Server Authentication and TLS Web Client Authentication Extended Key Usage values; certificates issued before the role was patched are unchanged and must be reissued.
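To confirm the outcome, the EKUs of an issued certificate can be checked programmatically rather than by reading openssl output. The following Go check is an added example, not code from the original article or from Vault: TLSEKUs parses one PEM certificate and lists any serverAuth/clientAuth values it carries, and FixtureCert builds self-signed stand-in certificates (constructed here, not issued by the PKI secrets engine) that mirror the default role and the patched role.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// The two EKUs that server_flag/client_flag add, keyed to their openssl display names.
var tlsEKUName = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth: "TLS Web Server Authentication",
	x509.ExtKeyUsageClientAuth: "TLS Web Client Authentication",
}

// TLSEKUs parses one PEM certificate (e.g. the certificate field returned by pki/issue) and lists the serverAuth/clientAuth values it carries; an empty result means the role patch took effect.
func TLSEKUs(certPEM []byte) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input contains no CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var found []string
	for _, eku := range cert.ExtKeyUsage {
		if name, ok := tlsEKUName[eku]; ok {
			found = append(found, name)
		}
	}
	return found, nil
}

// FixtureCert is a constructed, self-signed stand-in for a Vault-issued certificate carrying exactly the given EKUs; it is not produced by the PKI secrets engine.
func FixtureCert(ekus ...x509.ExtKeyUsage) []byte {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), ExtKeyUsage: ekus,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

With the default role, TLSEKUs on FixtureCert(x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth) reports both TLS values; after the patch, FixtureCert(x509.ExtKeyUsageCodeSigning) yields an empty list.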
Additional Information
- Vault PKI secrets engine (API): Create/Update Role
- External: RFC 5280 Section 4.2.1.12