Include CA:True in pki intermediate generate internal CSR #3883
Comments
RFC 4211 (https://tools.ietf.org/html/rfc4211) doesn't define a Basic Constraints section for CSRs. I'm not the IETF but I imagine this is because it's the responsibility of the CA to decide what the constraints are, not the requester. Accordingly, the Go CSR object doesn't have such a field either (https://golang.org/pkg/crypto/x509/#CertificateRequest). Maybe it's possible to encode such a field using custom extensions, but it feels quite out of spec. I'm not sure what Microsoft's motivation is for telling you not to install certificate templates in offline root CAs, but if they really cannot be told at the time that a call is being made to sign a CSR that the end result should be a CA, and the only way to define this is via a template, this seems like bad advice.
Thank you for your response. I grant it is weird. Some info suggests the Microsoft standalone product does honor templates even if installed: "When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer's Security Accounts Manager database." https://social.technet.microsoft.com/Forums/sharepoint/en-US/1c7126de-e212-47c9-a0c1-217f10720d48/can-we-make-certificate-templates-available-in-a-standalone-root-ca-servers-?forum=winserverNIS A partial dump of a CSR created by a Microsoft subordinate CA contains:
Thanks in advance,
I'm not even sure how one would interpret this, unless you must create users in Active Directory for your intermediate CAs.
That only applies to Microsoft Enterprise CAs (always online and connected to an AD). Standalone (probably offline) Microsoft CAs do not use an Active Directory. I should have deleted that section from my quote.
Feature Request:
Please (optionally?) add the critical CA:True value in basicConstraints in CSRs created by pki/intermediate/generate/internal; some upper CAs expect this. For example, offline root CAs based on Microsoft software do not have certificate templates installed, as per Microsoft's recommendation, so when processing a CSR without that value they issue a regular certificate that cannot be used for the intermediate Vault-based CA.
Environment:
Vault Config File:
N/A
Startup Log Output:
N/A
Expected Behavior:
CSR with the CA:TRUE basic constraint
Actual Behavior:
-----BEGIN CERTIFICATE REQUEST-----
[CSR body omitted]
-----END CERTIFICATE REQUEST-----
Steps to Reproduce:
# Usage: ./setup-issuing-ca.sh <version>   (VAULT_ADDR must be set)
version=$1
caname=issuing-v3
mp=pki/$caname
vault_addr=$VAULT_ADDR
# Mount a PKI backend for the intermediate and allow 4-year leases
vault mount -path=$mp pki
vault mount-tune -max-lease-ttl=35040h $mp
# Generate the intermediate key and CSR inside Vault; the CSR returned here
# carries no basicConstraints extension
vault write $mp/intermediate/generate/internal \
    exclude_cn_from_sans="true" \
    common_name="SELAE CA emisora auxiliar v$version" ttl=35040h
vault write $mp/config/urls issuing_certificates=$vault_addr/v1/$mp/ca crl_distribution_points=$vault_addr/v1/$mp/crl
Important Factoids:
References:
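The reply above points out that Go's x509.CertificateRequest has no Basic Constraints field, and that the only way to carry CA:TRUE in a CSR is as a custom extension. The following is an added example, not Vault's code and not from anyone in this thread, showing how that would be done with Go's ExtraExtensions (which CreateCertificateRequest places in the PKCS#9 extensionRequest attribute), together with a check a practitioner can run against a CSR such as the one returned by pki/intermediate/generate/internal to see whether it asserts CA:TRUE. The common names and the pathLenConstraint values are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// id-ce-basicConstraints, RFC 5280 section 4.2.1.9.
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// basicConstraints is the ASN.1 BasicConstraints SEQUENCE. The default of -1
// means "pathLenConstraint absent", the same convention crypto/x509 uses.
type basicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

// caBasicConstraints returns a critical basicConstraints extension asserting
// CA:TRUE. A negative pathLen omits pathLenConstraint.
func caBasicConstraints(pathLen int) (pkix.Extension, error) {
	bc := basicConstraints{IsCA: true, MaxPathLen: -1}
	if pathLen >= 0 {
		bc.MaxPathLen = pathLen
	}
	val, err := asn1.Marshal(bc)
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidBasicConstraints, Critical: true, Value: val}, nil
}

// makeCSR builds a DER CSR for the given CN with a fresh P-256 key. With
// requestCA set it adds the CA:TRUE extension through ExtraExtensions;
// otherwise the CSR carries no extensionRequest attribute at all.
func makeCSR(commonName string, requestCA bool, pathLen int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	if requestCA {
		ext, err := caBasicConstraints(pathLen)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{ext}
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// csrRequestsCA parses a DER CSR, verifies its self-signature and reports
// whether it carries basicConstraints CA:TRUE, whether that extension is
// marked critical, and the requested pathLenConstraint (-1 when absent).
func csrRequestsCA(der []byte) (isCA, critical bool, pathLen int, err error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return false, false, -1, err
	}
	if err = csr.CheckSignature(); err != nil {
		return false, false, -1, err
	}
	for _, e := range csr.Extensions {
		if !e.Id.Equal(oidBasicConstraints) {
			continue
		}
		var bc basicConstraints
		rest, err := asn1.Unmarshal(e.Value, &bc)
		if err != nil {
			return false, false, -1, err
		}
		if len(rest) != 0 {
			return false, false, -1, errors.New("trailing data after basicConstraints")
		}
		return bc.IsCA, e.Critical, bc.MaxPathLen, nil
	}
	return false, false, -1, nil
}

// csrPEMRequestsCA runs the same check on a PEM CSR, e.g. the "csr" field
// returned by Vault's pki/intermediate/generate/internal.
func csrPEMRequestsCA(pemBytes []byte) (bool, bool, int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return false, false, -1, errors.New("no CERTIFICATE REQUEST block found")
	}
	return csrRequestsCA(block.Bytes)
}

func main() {
	for _, want := range []bool{false, true} {
		der, err := makeCSR("example intermediate CA", want, -1)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		isCA, crit, pl, err := csrRequestsCA(der)
		fmt.Printf("requestCA=%v -> CA:%v critical:%v pathlen:%d err:%v\n", want, isCA, crit, pl, err)
	}
}
```

Whether a signing CA honours the requested extension is still the CA's decision, as the reply above notes; the check here only tells you what the CSR asks for, which is the property this issue is about.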