PKI Certificates generated via /ui/ no longer displays the private key for retrieval in the UI. (CLI+API /issue/ writes still work) #21552

Closed
ipaqmaster opened this issue Jul 4, 2023 · 2 comments · Fixed by #21635
Labels
bug Used to indicate a potential bug secret/pki ui

Comments

@ipaqmaster

Describe the bug
Generating certificates via the /ui/ no longer reveals the private key - a critical component for making the issued certificate useful.

To Reproduce
Steps to reproduce the behavior:

  1. Visit your CA via /ui/ or run vault server --dev and quickly make a new throwaway PKI in memory.
  2. Select a role and hit "Issue" or go to the Issue tab and work to the same screen.
  3. Put in an example common name with a short TTL for demonstration purposes.
  4. Vault writes the secret successfully and data is returned for the next page load
  5. The private key is nowhere to be seen.

Expected behavior
Show the person generating a certificate the private key so that generating via the /ui/ interface has a purpose.

Environment:

  • Vault Server Version (retrieve with vault status):
    • Vault v1.14.0 (cgo)
    • Reproducible on Windows with Vault v1.14.0 (13a649f860186dffe3f3a4459814d87191efc321), built 2023-06-19T11:40:23Z
  • Vault CLI Version (retrieve with vault version): /ui/ client via Google Chrome
  • Server Operating System/Architecture: Archlinux

Vault server configuration file(s):

NA. Reproducible with vault server --dev

Additional context
Hopefully not just missing a memo here - staff reported they can no longer get the private key for /ui/ generated certificates. Generating them with the vault CLI / direct API calls seems to still work as intended, providing private keys.

@ipaqmaster ipaqmaster changed the title PKI Certificates generated via /ui/ no longer displays the private key for retrieval in the UI. (API vault write calls still output the private key just fine) PKI Certificates generated via /ui/ no longer displays the private key for retrieval in the UI. (CLI+API /issue/ writes still work) Jul 4, 2023
@cipherboy cipherboy added ui bug Used to indicate a potential bug secret/pki labels Jul 5, 2023
@cipherboy
Contributor

@ipaqmaster Hmm, I do agree this seems to be a regression. For the time being, I think you can work around this via the format=pem_bundle option in the UI.

@ipaqmaster
Author

Understandable. Thanks for the format=pem_bundle suggestion. By design that does manage to include the private key in there. A nice workaround for the time being.
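
With the format=pem_bundle workaround from this thread, the private key and certificate come back as one concatenated PEM text. The following is an added example, not code from the issue or from Vault: it splits such a bundle and writes the key to an owner-only file. The sample bundle is constructed with placeholder bodies, and the function names and the `leaf.key` / `leaf.pem` file names are assumptions.

```python
import os
import re

# Constructed sample: placeholder bodies, not real key or certificate material.
SAMPLE_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZLVBMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)

def split_pem_bundle(bundle):
    """Return (private_key_blocks, certificate_blocks) found in a PEM bundle."""
    keys, certs = [], []
    for match in PEM_BLOCK.finditer(bundle):
        label, block = match.group(1), match.group(0) + "\n"
        if label.endswith("PRIVATE KEY"):   # RSA / EC / PKCS#8 labels
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
    return keys, certs

def write_bundle(bundle, out_dir):
    """Write the key (mode 0600) and certificates to out_dir; return both paths."""
    keys, certs = split_pem_bundle(bundle)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no certificate found in bundle")
    key_path = os.path.join(out_dir, "leaf.key")    # assumed file name
    cert_path = os.path.join(out_dir, "leaf.pem")   # assumed file name
    # O_EXCL refuses to overwrite an existing key; 0o600 keeps it owner-only
    # from the moment the file is created, rather than chmod-ing afterwards.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(keys[0])
    with open(cert_path, "w") as fh:
        fh.write("".join(certs))
    return key_path, cert_path
```

The check for exactly one private key also catches the case this issue describes: a response that contains only certificates raises instead of silently producing an unusable pair.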
