248990a1ec
* Add test for revocation under intermediate CA Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Allow revocation of certs with key-less issuers In Vault 1.11's multiple issuer functionality, we incorrectly fetched the full CA signing bundle for validating revocation of leaf certs (when attempting to prohibit revocation of issuers in the mount). When the issuer lacked a key (such as the root issuer on an intermediate mount), this signing bundle creation failed. Instead of fetching the full CA signing bundle, fetch instead the raw certutil.CertBundle and parse it (to x509.Certificate form) ourselves. This manifests as the error on revocation: > URL: PUT http://127.0.0.1:8200/v1/pki_int/revoke > * could not fetch the CA certificate for issuer id 156e1b99-4f04-5b5e-0036-cc0422c0c0d3: unable to fetch corresponding key for issuer 156e1b99-4f04-5b5e-0036-cc0422c0c0d3; unable to use this issuer for signing Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> |
||
|---|---|---|
| .. | ||
| aws | ||
| cassandra | ||
| consul | ||
| database | ||
| mongodb | ||
| mssql | ||
| mysql | ||
| nomad | ||
| pki | ||
| postgresql | ||
| rabbitmq | ||
| ssh | ||
| totp | ||
| transit | ||