Vault: ca_chain not present when generating a certificate
I am following the steps to setup a root CA and generate a certificate here: https://www.vaultproject.io/docs/secrets/pki/
Vault is 0.6.2 running in development mode and I can reproduce the problem using the Linux and Windows versions.
After issuing a certificate as per the example, my output is missing the ca_chain:
$ vault write pki/issue/example-dot-com common_name=blah.example.com
Key Value
--- -----
lease_id pki/issue/example-dot-com/76ecda18-4a17-444e-1551-0cc66987d001
lease_duration 71h59m59s
lease_renewable false
certificate -----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIBAgIUSeCrzMPF8n0VxuqR8WEaOjUM0qYwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTYxMTIyMjIyNTUzWhcNMTYx
MTI1MjIyNjIzWjAbMRkwFwYDVQQDExBibGFoLmV4YW1wbGUuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4y7CPUEjc+IevyuFOHhK3Uos8dAA8Y+v
LHlycwheudiO9SKri0FtfDne2oyRFf/4KQAWb8Ck90odnylwTtHhvn9heBK4FJkK
0kqnQx96XHiJGcSaCxIuP44Xw41LjZQ8IDJv7jCO0ugE0pnps/DBaTuzCt72zLQr
H4+CziNTppDxnG1P6oT4DTq9t9Ov/5O6nZkFPifbd4nkSwd/oxKpxFMnXMqVxUlB
rpQFOvVvik690IElOQx/IdDNKoKa176b0LRhKiccFChkZObWiUW2tRAMaGYA77q1
CuqTgxSj2Ovv7eHU54jbV2kavQwuo5w5uvCzi9MhjZ2sx9LLHULpdQIDAQABo4H/
MIH8MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwHQYDVR0OBBYEFPOGxVS6fNgKTmDAGaXPml7UuJnSMB8GA1UdIwQYMBaAFH1n
QW3lWyM+jwnIZlPmcOJNBJlCMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAoYf
aHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3BraS9jYTAbBgNVHREEFDASghBibGFo
LmV4YW1wbGUuY29tMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly8xMjcuMC4wLjE6
ODIwMC92MS9wa2kvY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBfEuzcX8lslV9YQLL8
MV83Psb6PznYQmw0TAFikenO4GEJJ8F63wO/ivgiLdxSOFwUnM/1nYmbbdaKmD+J
Xd90sD0oBZEkvMkRT1bZgrDETV3yw9hqs1JsoLoRNLJOc5V4efqX9XPo6H4sfLWz
eURYAFDbP6Ld36gk3z7ZYQL9CFVLqqiiv/Hdz4fC7L8aFnkD4bBIbjUvJZEYhbvk
eJItD6o2mhx29tDd7fTiOvlDwZf3K5ctUpM+v4+r5x1QcFlYfZ2Vy4tRE9kIxudA
tSkoAmj6XENkRfjKNEiOBeJHFWZ4bGhJ1/SnT7yPPMdQxarBVfPjihBwFWNxsGf1
zAaS
-----END CERTIFICATE-----
issuing_ca -----BEGIN CERTIFICATE-----
MIIDFDCCAfygAwIBAgIUcpviHmhoc+DSh8iRfqKwh0TRa6QwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTYxMTIyMjIyNTE3WhcNMjYx
MTIwMjIyNTQ3WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKmlTWVlJ/2cXntimdp9Ihc8f3vwrpEzYgKAEoB9
JqU+RY3PhGpZVzBr77CaVsSPu1z2vX6OwuUoKFUm8STZTAh+1SWngOKpMgIfSi3n
jId89RR2RswE3DGG2XrXku4ld2QZd8cFvrYk1+Tp97R7nQdwRir4nJjWYzWArMOi
SA4Kc+wLBU8lkBaROza1sLh9l8cIT074pPqvO1jiijbMrt3S1KfKehn3KuuRzPRB
fV6xWNDfORkmnRo+37JGRnUsARJo/CzDvwwKzFNbgxHYLEaWQTStQTuncwmlzDWw
P1qZC5FTQQpb7HUWHctP6XUiPPsKcCKmumlLJnl7wwjbg0MCAwEAAaNaMFgwDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFH1nQW3lWyM+
jwnIZlPmcOJNBJlCMBYGA1UdEQQPMA2CC215dmF1bHQuY29tMA0GCSqGSIb3DQEB
CwUAA4IBAQCGYP5U8TR45FJCZ1wFhSZh4SCfjUcXC2LyZiEXcdvUk0/joJzn/3gg
Bx1a3LOpmnjFg2fG9qpiXZqyubxJ1/NXm7zhGRT8v6I7+5FUl15boPXi/OP/vmYu
Qj+AKuj19tQciqAIh7fWkYyy16BRSaG3uT7laJHip2zaNkpMp57yEloL4q22YPAC
ImdBzRLMkEGA6x0BcL2b+9m/ZbtLz/3sZRwnE0xnA2GN39SWo0qqeV8CqYj+Lx4O
w2Gm2IkXtc8C8Vg67kUX5P9SUPQKUfWFP3XD5b6EObWafaNmV6TnDk0VOZORMJFH
+95G6PvTM6zteHR1WhUkfvMc3zgbxAQA
-----END CERTIFICATE-----
private_key -----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA4y7CPUEjc+IevyuFOHhK3Uos8dAA8Y+vLHlycwheudiO9SKr
i0FtfDne2oyRFf/4KQAWb8Ck90odnylwTtHhvn9heBK4FJkK0kqnQx96XHiJGcSa
CxIuP44Xw41LjZQ8IDJv7jCO0ugE0pnps/DBaTuzCt72zLQrH4+CziNTppDxnG1P
6oT4DTq9t9Ov/5O6nZkFPifbd4nkSwd/oxKpxFMnXMqVxUlBrpQFOvVvik690IEl
OQx/IdDNKoKa176b0LRhKiccFChkZObWiUW2tRAMaGYA77q1CuqTgxSj2Ovv7eHU
54jbV2kavQwuo5w5uvCzi9MhjZ2sx9LLHULpdQIDAQABAoIBAQDdLb/kHQ/kGaiv
nDJWeR8B9N5vCoBwrd/xH8giYGrA6yq7VGbI7Ako4bqq8iGq1ouHd1Ngt6CkNV9D
fveddU8fxSpi2W6odxuHAzF28yWQ87UfBj6nOqsWK0PNmjmNfF1RR2mb72CNy2Au
nbRfAK18w6eblNmZEGvPjUvfX5toVG0g/KaQA57IK6iZjsqp3Nefm9uQSONO/B/u
K8wpfQUvBsKeCo74JXeAXI50308pG82rh8+EQRPhpZE9O10kZOkBNXdVuFxZCzY7
M2t8FPMZ2kCt1Y5dLoq9pu0QepThBR5OqBQIO3YAYIZQks409fCQeO5hkOwCSrl2
a7S2sNF9AoGBAPyNi9SLJAVc/Qp+b2fYaHflCTdbrPVcfD2GtDqiKwtY7oyxojby
wcmZwqldIRvYjD8lGA3Gfvt+53tky5I8nPCjLv6eo58NMY25XO7ZWJTR5W+y0/LA
YwLuQLnJlIvYtahaFCiBi9Kc5ZrofgVst+7AFbh2fXXF1WEBafb8tIA7AoGBAOZI
kL/vUAFUc5ryAjfaS/dhr+a+ba0awTLmkyB0fPquMFB0i+4A+hmIr8XzuJYWRSde
yHpga04wzUtjwhLh29q21Fr6J+zVkUWhaMLkohZEzXI3JwQ4ONR74gfiNba0uuT0
Kdj3BjuyTnqhS244u5hEB0KipuqQFfUlga4HjdIPAoGAQkE8Aslx7LpFZABhZ6Pd
XD7I2S4CxOe7bESveYZbtoFhK6XaQYIUFrhw2g+lhPGdcV9g3RRK8d2MCtIZmcav
AW4+AOxLTomei2iqmbqJQ5mBEHmgotmX4AfzEQpyHvH+Tik7ipjZvqoMjkQZ84Bf
DJJ14EuthD0fSnCdhP8st0sCgYEAgUeLu7Tl/Vkj7YCfritnKmI1Fh0iBWRXwfOf
9UBwSWswxHopdFwoC92okEDbB6dI+2lCszEeDK9pEUHX2jHh809guBJoB5V+ENEk
twUT2dyWWeCMjtnhTaiepD5iWUftBEvukldbsHfRhxa1+hLvffPy/33Apz5slUuR
GdozzBECgYEA9+ZYM0Mw3gkIB506rWChL82g8HOxx8VnS4DcTs8Yb8msJO1hgytq
3I3jMqHpNzdzi7kdibmg1BwZjtx1+zyQTaqcCrmfYPMt8FNib+VEk8yLRykmPmtx
Y2BAdUYC7hkmDs3fowAWL0bFUnkkcUwMu8CwlYkltcKD27bXDSg2XVM=
-----END RSA PRIVATE KEY-----
private_key_type rsa
serial_number 49:e0:ab:cc:c3:c5:f2:7d:15:c6:ea:91:f1:61:1a:3a:35:0c:d2:a6
In the documentation, issuing a certificate should include a ca_chain.
F21
All 2 comments
ca_chain is only included if there is in fact a chain outside of a built-in Vault CA cert being used for the issuing/signing.
jefferai
on 22 Nov 2016
😕2
In that case, I think the documentation at https://www.vaultproject.io/docs/secrets/pki/ should be updated to include that. Also, if we follow the example to create a CA and generate a CA, ca_chain is not present, but the example from the docs includes a ca_chain.
F21
on 23 Nov 2016
👍2
Was this page helpful?
0 / 5 - 0 ratings
Related issues
SoMuchToGrok
路
66Comments
justintime
路
55Comments
jantman
路
29Comments
ekristen
路
60Comments
wpg4665
路
39Comments
Most helpful comment
In that case, I think the documentation at https://www.vaultproject.io/docs/secrets/pki/ should be updated to include that. Also, if we follow the example to create a CA and generate a CA,
ca_chainis not present, but the example from the docs includes aca_chain.