cf7105929f
* Allow old certs to be cross-signed

In Vault 1.11, we introduced cross-signing support, but the earlier SKID field change in Vault 1.10 causes problems: notably, certs created on older versions of Vault (<=1.9) or outside of Vault (with a different SKID method) cannot be cross-signed and validated in OpenSSL.

In particular, OpenSSL appears to be unique in requiring a SKID/AKID match for chain building. If AKID and SKID are present on an otherwise valid client/parent cert pair and the values are different, OpenSSL will not build a valid path over those two, whereas most other chain validation implementations will.

Regardless, to have proper cross-signing support, we really ought to support copying an SKID. This adds such support to the sign-intermediate endpoint. Support for the /issue endpoint is not added, as cross-signing leaf certs isn't generally useful and can accept random SKIDs.

Resolves: #16461

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback, fix tests

Also adds a known-answer test using LE R3 CA's SKID.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback regarding separators

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
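The SKID/AKID situation the commit message describes, as an added example that is not Vault's code: an intermediate is issued under one root, a leaf is issued from it, and the intermediate is then cross-signed by a second root twice, once copying the original SKID (the behaviour the sign-intermediate change enables) and once re-deriving it. The "different SKID method" is an illustrative choice for this example (SHA-1 over the whole SubjectPublicKeyInfo), not a description of what any Vault version computes; the original intermediate's SKID is whatever Go derives by default (RFC 5280 method (1)). The function and CA names are hypothetical. The check shows the one thing OpenSSL insists on, AKID equal to the parent's SKID, and confirms that Go's verifier, like most non-OpenSSL implementations, still builds the path when they differ.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// issue fills in serial and validity, signs tmpl (self-signed when parent is nil) and parses it.
func issue(tmpl *x509.Certificate, pub crypto.PublicKey, parent *x509.Certificate, signer crypto.Signer) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	must(err)
	tmpl.SerialNumber = serial.Add(serial, big.NewInt(1)) // strictly positive
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// caTemplate with skid == nil lets Go derive the SKID (RFC 5280 4.2.1.2 method (1)).
func caTemplate(cn string, skid []byte) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, SubjectKeyId: skid,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// crossSign re-issues an existing CA cert under another issuer with the same subject and key.
// copySKID=true carries the original SKID over; false re-derives it by a different method
// (SHA-1 over the whole SPKI: an illustrative stand-in, not what any Vault version does).
func crossSign(existing, issuer *x509.Certificate, issuerKey crypto.Signer, copySKID bool) *x509.Certificate {
	skid := existing.SubjectKeyId
	if !copySKID {
		sum := sha1.Sum(existing.RawSubjectPublicKeyInfo)
		skid = sum[:]
	}
	tmpl := caTemplate("", skid)
	tmpl.RawSubject = existing.RawSubject // byte-identical issuer name for the existing leaves
	return issue(tmpl, existing.PublicKey, issuer, issuerKey)
}

type Scenario struct{ RootB, Inter, Leaf, CrossCopy, CrossFresh *x509.Certificate }

// buildScenario: leaf under an intermediate under Root A; the intermediate cross-signed by Root B both ways.
func buildScenario() *Scenario {
	rootAKey, rootBKey, interKey, leafKey := genKey(), genKey(), genKey(), genKey()
	rootA := issue(caTemplate("Root A", nil), &rootAKey.PublicKey, nil, rootAKey)
	rootB := issue(caTemplate("Root B", nil), &rootBKey.PublicKey, nil, rootBKey)
	inter := issue(caTemplate("Vault Intermediate", nil), &interKey.PublicKey, rootA, rootAKey)
	leaf := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "client-1"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, &leafKey.PublicKey, inter, interKey)
	return &Scenario{RootB: rootB, Inter: inter, Leaf: leaf,
		CrossCopy: crossSign(inter, rootB, rootBKey, true), CrossFresh: crossSign(inter, rootB, rootBKey, false)}
}

// akidMatchesSKID is the condition OpenSSL's path builder insists on when both extensions are present.
func akidMatchesSKID(child, parent *x509.Certificate) bool {
	return bytes.Equal(child.AuthorityKeyId, parent.SubjectKeyId)
}

// verifyWithGo builds leaf -> inter -> root with Go's verifier, which uses a
// key-identifier mismatch only to order candidate parents, never to reject them.
func verifyWithGo(leaf, inter, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	s := buildScenario()
	for name, c := range map[string]*x509.Certificate{"copied SKID": s.CrossCopy, "re-derived SKID": s.CrossFresh} {
		fmt.Printf("%-16s AKID==SKID: %-5v Go verify error: %v\n", name, akidMatchesSKID(s.Leaf, c), verifyWithGo(s.Leaf, c, s.RootB))
	}
}
```

Both cross-signed certificates carry the same subject and public key and are validly signed by Root B, so Go accepts either as the leaf's parent; only the copied-SKID variant satisfies the AKID/SKID equality that OpenSSL requires before it will build the path, which is why a cross-signing endpoint that cannot reproduce the original SKID is of little use for certificates minted elsewhere.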
4 lines
119 B
Plaintext
```release-note:improvement
secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions.
```