add remove_roots_from_chain to more endpoints #26571
Hi @stormshield-gt, None of the endpoints you mention actually return a CA chain, just the individual certificate from storage along with revocation information. I suppose you could be referring to the,
Thank you for your quick answer! As stipulated in the note inside the API doc:
What I observe using the API is that the whole CA chain (including root) is indeed included inside the
Is your feature request related to a problem? Please describe.
Before Vault 1.11.0, the root CAs were not included in the chain, and I believe rightfully so.
Then the root CAs were added at a user's request (#13489), and then removed again with a special option in #16935. This was motivated by the concern raised in this comment #16057 (comment), which were
Sadly, the root CAs are still included by default in some endpoints without the possibility to remove them. To me it means that I must manually parse the CA chain, meaning adding a crypto dependency on the client side to do so, just to remove the Root CA(s). It's kind of frustrating because Vault already has the information of which CA is Root in the chain.
I know I could just send them over the wire and the Root CA will just be ignored, but that is a waste of resources. Besides, with post-quantum the certificates will become much bigger, and we will want to squeeze every octet in order to fit the MTU.
Describe the solution you'd like
Please restore the old behavior, not sending the root CA(s), by adding the remove_roots_from_chain option to more endpoints. The ones that I see:
There are probably others.
Describe alternatives you've considered
Manually parse the certificates at the level of the vault client.
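The client-side workaround described above (parsing the returned chain and dropping the self-signed root CAs, i.e. what remove_roots_from_chain does server-side), as an added Go example that is not part of this issue or of Vault's own code; the function names and the constructed two-certificate test chain are assumptions made for the example:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RemoveRootsFromChain strips self-signed (root) CAs from a PEM bundle such as ca_chain, doing on the
// client what Vault's remove_roots_from_chain does: a cert is a root when issuer == subject and it verifies under its own key.
func RemoveRootsFromChain(pemChain []byte) (kept []byte, removed int, err error) {
	for block, rest := pem.Decode(pemChain); block != nil; block, rest = pem.Decode(rest) {
		cert, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			return nil, 0, perr
		}
		if cert.Issuer.String() == cert.Subject.String() &&
			cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
			removed++ // root CA: the peer already trusts it, so do not send it over the wire
			continue
		}
		kept = append(kept, pem.EncodeToMemory(block)...)
	}
	return kept, removed, nil
}
// mkCA issues a constructed (hypothetical) CA certificate; a nil parent yields a self-signed root.
func mkCA(cn string, serial int64, parent *x509.Certificate, pk ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), t, key
}
// NewTestChain builds a constructed intermediate-then-root bundle shaped like ca_chain (not real Vault output).
func NewTestChain() []byte {
	rootPEM, root, rootKey := mkCA("Constructed Root CA", 1, nil, nil)
	intPEM, _, _ := mkCA("Constructed Intermediate CA", 2, root, rootKey)
	return append(intPEM, rootPEM...)
}
func main() {
	_, removed, err := RemoveRootsFromChain(NewTestChain())
	fmt.Println("roots removed:", removed, "err:", err)
}
```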