Azure-sdk-for-js: Cannot set Certificate Transparency for a manual enrollment

Created on 22 Jul 2020 · 7 Comments · Source: Azure/azure-sdk-for-js

  • Package Name: @azure/keyvault-certificates
  • Package Version: 4.0.2
  • Operating system: macOS 10.15.3
  • [x] nodejs
    • version: 12.18.2

Describe the bug
I can not create a cert with Certificate Transparency turned on

To Reproduce
Steps to reproduce the behavior:

  import { CertificateClient } from "@azure/keyvault-certificates";
  import { DefaultAzureCredential } from "@azure/identity";

  // <your-vault-name> is a placeholder for the vault the request is sent to
  const client = new CertificateClient(
    "https://<your-vault-name>.vault.azure.net",
    new DefaultAzureCredential()
  );

  async function main() {
    await client.beginCreateCertificate("EXAMPLE-CERT-NAME", {
      subject: `cn=Something Inc.`,
      issuerName: "Unknown",
      exportable: false,
      keyType: "RSA-HSM",
      enhancedKeyUsage: ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
      keyUsage: ["digitalSignature", "keyEncipherment", "keyCertSign"],
      // this flag together with issuerName "Unknown" is what triggers the error below
      certificateTransparency: true,
      keySize: 2048,
    });
  }

  main();

Error:

"error": {
  "code": "BadParameter",
  "message": "Cannot set Certificate Transparency for a manual enrollment."
}

Expected behavior

Certificate request is created

Labels: Client, KeyVault, Service Attention, customer-reported, needs-team-attention, question

All 7 comments

@sadasant could you take a look?

@davej

The certificateTransparency flag on the policy causes Key Vault to notify the issuer to publish the certificate to the certificate transparency list when new certs are signed. This only applies for supported issuers which Key Vault integrates with to issue new certificates.

In this case you have specified the issuer "Unknown" which indicates that Key Vault will merely create the certificate and the corresponding CSR, and it's the caller's responsibility to sign the certificate with whatever issuer they choose. In this case it would be up to the caller to indicate to the issuer to publish the certificate to the certificate transparency list.

Is that helpful? I can do my best to find more information if necessary.
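The rule explained in the comment above, as an added example that is not from the issue or from the Azure SDK: a local pre-flight check that rejects certificateTransparency on a manual enrollment before the request leaves the process, plus the PEM wrapping of the CSR that the caller hands to its own CA in that flow. It assumes that "Unknown" and "Self" are the issuer names Key Vault does not integrate with; any other issuerName is treated as an integrated CA.

```javascript
// Added example, not SDK code. Assumption: "Unknown" (bring-your-own-CA, manual CSR
// flow) and "Self" (self-signed) are the issuer names Key Vault does not integrate
// with; every other issuerName is treated here as an integrated CA.
const MANUAL_ISSUERS = new Set(["Unknown", "Self"]);

function isManualEnrollment(policy) {
  return MANUAL_ISSUERS.has(policy.issuerName);
}

// Returns [] when the policy is consistent, otherwise the reasons the service would
// reject it, so a policy copied 1:1 from the Portal fails here with a clear message
// instead of a round trip that ends in "BadParameter".
function validateCertificatePolicy(policy) {
  const problems = [];
  if (!policy.subject) problems.push("subject is required");
  if (policy.certificateTransparency === true && isManualEnrollment(policy)) {
    problems.push(
      `certificateTransparency cannot be set with issuerName "${policy.issuerName}": ` +
        "Key Vault only asks integrated issuers to log to CT; for a manual enrollment " +
        "request CT logging from the CA that signs the CSR"
    );
  }
  return problems;
}

// In the manual flow the certificate operation returns a DER-encoded CSR (Uint8Array)
// that the caller forwards to the external CA, which usually expects PEM.
function csrToPem(csrDer) {
  const b64 = Buffer.from(csrDer).toString("base64");
  const lines = b64.match(/.{1,64}/g) || [];
  return (
    ["-----BEGIN CERTIFICATE REQUEST-----", ...lines, "-----END CERTIFICATE REQUEST-----"].join("\n") + "\n"
  );
}

// Constructed sample: the policy from the reproduction in this issue.
const issuePolicy = {
  subject: "cn=Something Inc.",
  issuerName: "Unknown",
  exportable: false,
  keyType: "RSA-HSM",
  enhancedKeyUsage: ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
  keyUsage: ["digitalSignature", "keyEncipherment", "keyCertSign"],
  certificateTransparency: true,
  keySize: 2048,
};

for (const problem of validateCertificatePolicy(issuePolicy)) console.error(problem);
```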

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.

Adding the Service Attention label to see if the service team can improve the docs around this.

@sadasant That's super helpful, thank you.

For context, I guess my confusion came from two angles.

  1. The error message was not clear to me. Perhaps this is due to my ignorance about certs though.
  2. This seems to be possible through the Azure Portal UI. I was porting a manual operation that was done on Azure Portal to an API request that we can do automatically, so I was trying to maintain a 1:1 mapping of the fields we used on the UI.

@davej I have submitted the feedback to our team.

I wonder, have we resolved your concerns? Please let me know if there's anything else we could do.

@sadasant Yes. Definitely one of the best experiences that I've had posting an issue to a commercial GitHub repo. Feel free to close this issue.
