Describe the bug
In Vault v1.9.4, Import CA Certificates and Keys implicitly replaces the default issuer.
So when importing a CA using /pki/config/ca and then issuing new certs using pki/issue/:name, it signs the generated certs from the latest imported CA.
In v1.11.3 this behavior has been broken: /pki/config/ca does not replace the default issuer, and instead it signs the generated certs from an orphan issuer.
As a workaround, running /pki/root/replace with the issuer ID given in the /pki/config/ca response mapping will sign the generated certs from the latest imported CA.
Ultimately, this was to ensure a consistent behavior: previously, generate root and intermediate import would err (on Vault 1.9) if it already had previous issuers, whereas /config/ca would, I believe, silently replace them (!!). In both cases, you were importing/creating a new issuer so it made sense to unify their behavior.
If you can suggest other places to put this information or perhaps more concisely, happy to update the docs.
To Reproduce
Expected behavior
Same as v1.9.4: importing a CA replaces the issuer implicitly.
Vault server configuration file(s):
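The workaround described in the report, as an added example that is not part of the original issue or Vault's own code: it picks the issuer to promote from a /pki/config/ca import response and builds the matching /pki/root/replace request. It assumes the response carries `data.mapping` (issuer ID to key ID, with an empty key ID for certificate-only chain entries) and that root/replace takes a `default` parameter; the function names, the `pki` mount and the sample IDs are constructed for illustration.

```python
# Added example: choose the new default issuer after a CA import (Vault 1.11+).
# Assumption: the import response has data.mapping = {issuer_id: key_id}, where
# key_id is empty for certificates imported without a private key.

def pick_default_issuer(import_response: dict) -> str:
    """Return the single imported issuer that holds a key and can sign."""
    data = import_response.get("data") or {}
    mapping = data.get("mapping") or {}
    signers = sorted(issuer for issuer, key in mapping.items() if key)
    if not signers:
        # A bundle with no private key cannot issue leaves; promoting it
        # would break pki/issue/:name instead of fixing it.
        raise ValueError("no imported issuer has a private key")
    if len(signers) > 1:
        # Refuse to guess; the operator must choose explicitly.
        raise ValueError("ambiguous import, candidates: " + ", ".join(signers))
    return signers[0]


def build_replace_request(mount: str, import_response: dict):
    """Return (path, payload) for the root/replace call from the workaround."""
    issuer_id = pick_default_issuer(import_response)
    path = "/v1/" + mount.strip("/") + "/root/replace"
    return path, {"default": issuer_id}


# Constructed sample: one issuer with a key, plus a key-less chain certificate.
SAMPLE_IMPORT_RESPONSE = {
    "data": {
        "imported_issuers": ["issuer-id-new-ca", "issuer-id-chain-only"],
        "imported_keys": ["key-id-new-ca"],
        "mapping": {
            "issuer-id-new-ca": "key-id-new-ca",
            "issuer-id-chain-only": "",
        },
    }
}

if __name__ == "__main__":
    path, payload = build_replace_request("pki", SAMPLE_IMPORT_RESPONSE)
    print("POST", path, payload)
```

After sending the request, issue a test certificate and check its issuer field against the imported CA before relying on the mount.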