Cert-manager: Certificate's tls.crt does not contain root CA when issuing from an intermediary
Describe the bug:
When using CA Issuer and when providing more than one intermediate CA, incomplete CA chain is added to the generated certificates. Please see below example:
Issuer TLS.CRT
- 2ND LEVEL ISSUING INTERMEDIATE CA
- 1ST LEVEL INTERMEDIATE CA
- ROOT CA
Generated entity certificate CA.CRT
- ISSUING INTERMEDIATE CA
Generated entity certificate TLS.CRT
- APP ENTITY CERT
- 2ND LEVEL ISSUING INTERMEDIATE CA
- 1ST LEVEL INTERMEDIATE CA
so ROOT CA is missing.
Expected behaviour:
Attach full CA chain no matter how many intermediate CA is being used. So below will be possible.
Generated entity certificate TLS.CRT
- APP ENTITY CERT
- LAST LEVEL ISSUING INTERMEDIATE CA
- NN LEVEL INTERMEDIATE CA
- 2ND LEVEL INTERMEDIATE CA
- 1ST LEVEL INTERMEDIATE CA
- ROOT CA
Steps to reproduce the bug:
- Generate Root CA.
- Create 1st Intermediate CA and sign using Root CA.
- Create 2nd Intermediate CA and sing using 1st Intermediate CA.
- Create CA chain (2nd INT, 1st INT, Root CA).
- Create CA Issuer.
- Issue certificate.
Anything else we need to know?:
Environment details::
- Kubernetes version (e.g. v1.10.2): v1.11
- Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): N/A
- cert-manager version (e.g. v0.4.0): v0.10.1
- Install method (e.g. helm or static manifests): Helm
/kind bug
grzechukol
All 6 comments
so ROOT CA is missing.
this is expected - the root CA should be installed onto the client machines through some other means (i.e. on user's computers, the set of 'trusted public roots' are installed by your OS provider, i.e. Apple, Microsoft, etc).
Generated entity certificate CA.CRT
ISSUING INTERMEDIATE CA
Is this meant to say 2ND LEVEL ISSUING INTERMEDIATE CA? If so, this is _also_ correct, as that is the CA that was used to actually sign the certificate.
munnerz
on 13 Nov 2019
so ROOT CA is missing.
this is expected - the root CA should be installed onto the _client_ machines through some other means (i.e. on user's computers, the set of 'trusted public roots' are installed by your OS provider, i.e. Apple, Microsoft, etc).
Assuming that's the expected behavior, is there any way to change it to also attach Root CA to the CA chain? If there is no obvious config option, can you point to the source code?
Generated entity certificate CA.CRT
ISSUING INTERMEDIATE CAIs this meant to say
2ND LEVEL ISSUING INTERMEDIATE CA? If so, this is _also_ correct, as that is the CA that was used to actually _sign_ the certificate.
Yes, I meant to say 2ND LEVEL ISSUING INTERMEDIATE CA, and that's correct.
grzechukol
on 13 Nov 2019
We a similar issue https://github.com/jetstack/cert-manager/issues/2166
Smana
on 15 Nov 2019
Forget about my previous comment, this is not exactly the same issue
Smana
on 15 Nov 2019
I would be interested too, if we can add the root CA聽in the chain.
Smana
on 19 Dec 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
retest-bot
on 18 Mar 2020
Related issues
caiobegotti
路
4Comments
apetheriotis
路
3Comments
kragniz
路
4Comments
f-f
路
4Comments
gaieges
路
3Comments
Most helpful comment
Assuming that's the expected behavior, is there any way to change it to also attach Root CA to the CA chain? If there is no obvious config option, can you point to the source code?
Yes, I meant to say
2ND LEVEL ISSUING INTERMEDIATE CA, and that's correct.