Support for SVIDs in the Pki Module #3830
Comments
Vault does not currently support custom URIs in SANs, sorry.
I know that. What do you think would be the best way to implement it? Would you guys accept a PR?
Sure, a PR would be good. We'd want to do a design review ahead of time since we'll want some controls around what URIs can be used. (I want to note, SVID SAN support is not sufficient for full SPIFFE functionality, since it also has custom extended key usages and some other things.) If you are looking at code, I'd strongly suggest starting from #3889 since it does a lot of refactoring to support custom SANs.
@zglozman opening this again for now for tracking while in discussion
Issues that are not reproducible and/or have not had any interaction for a long time are stale issues. Sometimes even the valid issues remain stale lacking traction either by the maintainers or the community. In order to provide faster responses and better engagement with the community, we strive to keep the issue tracker clean and the issue count low. In this regard, our current policy is to close stale issues after 30 days. Closed issues will still be indexed and available for future viewers. If users feel that the issue is still relevant but is wrongly closed, we encourage reopening them. Please refer to our contributing guidelines for details on issue lifecycle.
When trying to receive a certificate using /pki/role/X/issue and specifying a SPIFFE SVID in one of the SAN names, Vault responds that the spiffe:// is not in allowed syntax.
What would be an appropriate way to issue an X509 containing a SPIFFE SVID?
Environment:
Vault Config File:
Startup Log Output:
Expected Behavior:
Actual Behavior:
Steps to Reproduce:
Important Factoids:
References: