I am trying to get vault to issue a client certificate with "Firstname Lastname" in the CN field.
Like the one below, manually created with openssl:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 10734504358509255334 (0x94f89ed718d39aa6)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=FR, L=Paris, O=Home, OU=Office, CN=Dad Root
            Validity
                Not Before: Feb 19 20:52:54 2017 GMT
                Not After : Feb 19 20:52:54 2018 GMT
            Subject: C=FR, L=Paris, O=Home, OU=Office, CN=Matthieu Fronton
            ...
            X509v3 extensions:
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication
            ...
Start a vault server:

    vault server -dev

Mount the pki backend and set up the CA:

    vault mount pki
    vault write pki/config/ca [email protected]

Try to issue a client certificate with CN=Firstname Lastname format:

    vault write pki/roles/client server_flag="false" allow_any_name="true" max_ttl="72h"
    vault write pki/issue/client common_name="Matthieu Fronton"

    Error writing data to pki/issue/client: Error making API request.
    URL: PUT http://127.0.0.1:8200/v1/pki/issue/client
    Code: 400. Errors:
    * name Matthieu Fronton not allowed by this role
I expected the certificate to be issued even if the CN is not a URL/IP/Email
Especially with client_flag="true" + allow_any_name="true"
versions: Vault v0.6.5 ('5d8d702f33b5fd965cbe8d6d0728295de813a196')
platform: linux 64bits (Ubuntu 16.04.2 LTS)
You also might find this interesting:
while testing I had a strange A%!B(MISSING) response while requesting A B _(code injection entrypoint vector ?)_

    vault write pki/issue/client common_name="A%20B"

    Error writing data to pki/issue/client: Error making API request.
    URL: PUT http://127.0.0.1:8200/v1/pki/issue/client
    Code: 400. Errors:
    * name A%!B(MISSING) not allowed by this role
You need to set enforce_hostnames to false as well as allow_any_name to true, then you can use the CN you like!
Works like a charm.
Thanks.
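The two behaviours in this thread, the role check that rejects "Matthieu Fronton" until enforce_hostnames is off and the A%!B(MISSING) artefact, emulated in Go as an added example. This is not Vault's own code: the Role struct and the hostname pattern are assumed simplifications of the real checks.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Role holds the two pki role settings the thread turns on. This is an
// assumed simplification for illustration, not Vault's own role struct.
type Role struct {
	AllowAnyName     bool
	EnforceHostnames bool
}

// hostnameLabel is a conservative RFC 1123 label: letters, digits and inner
// hyphens only, so a CN containing a space can never match it.
var hostnameLabel = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$`)

// looksLikeHostname reports whether every dot-separated label is valid.
func looksLikeHostname(name string) bool {
	for _, label := range strings.Split(name, ".") {
		if !hostnameLabel.MatchString(label) {
			return false
		}
	}
	return true
}

// checkCommonName emulates the role decision: allow_any_name alone is not
// enough while enforce_hostnames still rejects anything that is not a hostname.
func checkCommonName(r Role, cn string) error {
	if !r.AllowAnyName || (r.EnforceHostnames && !looksLikeHostname(cn)) {
		return fmt.Errorf("name %s not allowed by this role", cn)
	}
	return nil
}

// unsafeMessage reproduces the "A%!B(MISSING)" artefact: the caller-supplied CN
// is concatenated into the format string, so "%20B" is parsed as a verb with no argument.
func unsafeMessage(cn string) string {
	var noArgs []interface{}
	return fmt.Sprintf("name "+cn+" not allowed by this role", noArgs...)
}

// safeMessage passes the CN as an argument; any '%' in it is printed verbatim.
func safeMessage(cn string) string {
	return fmt.Sprintf("name %s not allowed by this role", cn)
}
```

With enforce_hostnames left on, checkCommonName rejects the CN exactly as the 400 response above does; with it off, the same CN passes.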