From 838bac037d2c41146ecdcf978e481ad61bcf41fe Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Thu, 13 Oct 2022 09:45:58 -0400 Subject: [PATCH] Clarify language around PSS CSR issues (#17528) * Clarify language around PSS CSR issues Also point out that PKCS#11 tokens have the same problem. Signed-off-by: Alexander Scheel * Update website/content/docs/secrets/pki/considerations.mdx Co-authored-by: Steven Clark Signed-off-by: Alexander Scheel Co-authored-by: Steven Clark --- website/content/docs/secrets/pki/considerations.mdx | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/website/content/docs/secrets/pki/considerations.mdx b/website/content/docs/secrets/pki/considerations.mdx index ae259bb6d..8c3f7d15f 100644 --- a/website/content/docs/secrets/pki/considerations.mdx +++ b/website/content/docs/secrets/pki/considerations.mdx @@ -591,11 +591,12 @@ Additionally, some implementations allow rsaPSS OID certificates to contain restrictions on signature parameters allowed by this certificate, but Go and Vault do not support adding such restrictions. -At this time Go lacks support for CSRs with the PSS signature algorithm. If -using a GCP managed key with a RSA PSS algorithm as a backing CA key, -attempting to generate a CSR will fail signature verification. In this case -the CSR will need to be generated outside of Vault and the signed version -can be imported into the mount. +At this time Go lacks support for signing CSRs with the PSS signature +algorithm. If using a managed key that requires a RSA PSS algorithm (such as GCP or +a PKCS#11 HSM) as a backing for an intermediate CA key, attempting to generate +a CSR (via `pki/intermediate/generate/kms`) will fail signature verification. +In this case, the CSR will need to be generated outside of Vault and the +signed final certificate can be imported into the mount. Go additionally lacks support for creating OCSP responses with the PSS signature algorithm. Vault will automatically downgrade issuers with