UI - pki updates (#4291)

* add require_cn to pki roles
* add policy_identifiers and basic_constraints_valid_for_non_ca to pki role form
* add new fields to the PKI docs
* add add_basic_constraints field

builtin/logical/pki/path_roles.go

@@ -628,6 +628,7 @@ func (r *roleEntry) ToResponseData() map[string]interface{} {
 		"postal_code":                        r.PostalCode,
 		"no_store":                           r.NoStore,
 		"allowed_other_sans":                 r.AllowedOtherSANs,
+		"require_cn":                         r.RequireCN,
 		"policy_identifiers":                 r.PolicyIdentifiers,
 		"basic_constraints_valid_for_non_ca": r.BasicConstraintsValidForNonCA,
 	}

ui/app/models/pki-ca-certificate.js

@@ -35,6 +35,11 @@ export default Certificate.extend({
     label: 'PEM bundle',
     editType: 'file',
   }),
+  addBasicConstraints: attr('boolean', {
+    label: 'Add a Basic Constraints extension with CA: true',
+    helpText:
+      'Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services',
+  }),
 
   fieldDefinition: computed('caType', 'uploadPemBundle', function() {
     const type = this.get('caType');
@@ -73,6 +78,7 @@ export default Certificate.extend({
             'keyType',
             'keyBits',
             'excludeCnFromSans',
+            'addBasicConstraints',
             'ou',
             'organization',
             'otherSans',

ui/app/models/role-pki.js

@@ -55,6 +55,10 @@ export default DS.Model.extend({
     defaultValue: 'DigitalSignature,KeyAgreement,KeyEncipherment',
     editType: 'stringArray',
   }),
+  requireCn: attr('boolean', {
+    label: 'Require common name',
+    defaultValue: true,
+  }),
   useCsrCommonName: attr('boolean', {
     label: 'Use CSR common name',
     defaultValue: true,
@@ -89,6 +93,12 @@ export default DS.Model.extend({
   }),
   generateLease: attr('boolean', {}),
   noStore: attr('boolean', {}),
+  policyIdentifiers: attr({
+    editType: 'stringArray',
+  }),
+  basicConstraintsValidForNonCA: attr('boolean', {
+    label: 'Mark Basic Constraints valid when issuing non-CA certificates.',
+  }),
 
   updatePath: queryRecord(
     'capabilities',
@@ -192,6 +202,7 @@ export default DS.Model.extend({
           'allowAnyName',
           'enforceHostnames',
           'allowIpSans',
+          'requireCn',
           'useCsrCommonName',
           'useCsrSans',
           'ou',
@@ -213,7 +224,9 @@ export default DS.Model.extend({
         ],
       },
       { 'Extended Key Usage': ['serverFlag', 'clientFlag', 'codeSigningFlag', 'emailProtectionFlag'] },
-      { Advanced: ['generateLease', 'noStore'] },
+      {
+        Advanced: ['generateLease', 'noStore', 'basicConstraintsValidForNonCA', 'policyIdentifiers'],
+      },
     ];
 
     return this.fieldsToAttrs(Ember.copy(groups, true));

ui/app/templates/partials/role-pki/show.hbs

@@ -3,7 +3,7 @@
     {{#each-in fieldGroup as |group fields|}}
       {{#if (or (eq group "default") (eq group "Options"))}}
         {{#each fields as |attr|}}
-          {{info-table-row label=(capitalize (or attr.options.label (humanize (dasherize attr.name)))) value=(get model attr.name)}}
+          {{info-table-row alwaysRender=true label=(capitalize (or attr.options.label (humanize (dasherize attr.name)))) value=(get model attr.name)}}
         {{/each}}
       {{else}}
         <div class="box is-sideless is-fullwidth is-marginless">

website/source/api/secret/pki/index.html.md

@@ -851,6 +851,13 @@ request is denied.
 - `require_cn` `(bool: true)` - If set to false, makes the `common_name` field
   optional while generating a certificate.
 
+- `policy_identifiers` `(list: [])` – A comma-separated string or list of policy
+  oids.
+
+- `basic_constraints_valid_for_non_ca` `(bool: false)` - Mark Basic Constraints
+  valid when issuing non-CA certificates.
+
+
 ### Sample Payload
 
 ```json