
Migrate existing PKI mounts that only contain a key #16813

Merged: 2 commits into main from stevendpclark/fix-pki-migration-key-only, Aug 22, 2022

Conversation

stevendpclark
Contributor

  • We missed testing a use-case of the migration that someone has a PKI
    mount point that generated a CSR but never called set-signed back on
    that mount point so it only contains a key.

Fixes reported issue #16810

@stevendpclark stevendpclark requested a review from a team August 22, 2022 15:45
Contributor

@cipherboy cipherboy left a comment


Makes sense, thanks Steve!

Contributor

@kitography kitography left a comment


This looks super great (and I'm really impressed by how fast you did this too).

@stevendpclark
Contributor Author

Tested that this change works within Vault if other mounts had previously been migrated with an early version of Vault 1.11.x, using the following test:

  1. Start a 1.9 Vault and set up a pki root mount and a pki_int mount; generate a full root (key + cert) in the pki mount and only generate an intermediary CSR within pki_int.
  2. Update to 1.11.2; verified that the pki root mount was successfully upgraded and the migration failed within the pki_int mount. Also verified that APIs such as set-signed were no longer working, with the error the original issue mentioned.
  3. Update to a Vault with this fix in place; checked that we only migrate the key and can now import a signed CSR into pki_int, and that it is associated with the appropriate migrated key.
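
The three-step test above exercises the key-only case end to end against real Vault binaries. As an added illustration, not Vault's own migration code, the Go program below models the same sequence in-process: a legacy single-CA bundle holding key plus certificate (the root) migrates into one key and one issuer; a bundle holding only a key (the intermediate whose CSR was never set-signed) migrates into one key and no issuer instead of failing; a later set-signed links the certificate to the stored key by comparing public keys, and refuses a certificate for a key the mount does not hold. The type and function names (legacyBundle, mount, migrate, setSigned, issueCA, newKeyPEM) and the storage shape are assumptions made for this example; the keys and certificates are generated inline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// legacyBundle models (as an assumption for this example, not Vault's real
// layout) what a single-CA pki mount stored before multi-issuer support: the
// key exists as soon as a CSR or root is generated; the certificate exists only
// if generate-root or set-signed completed.
type legacyBundle struct {
	KeyPEM  []byte
	CertPEM []byte // empty when only a CSR was ever generated
}

// mount is the multi-issuer shape: keys and issuers live separately and each
// issuer records which key backs it.
type mount struct {
	keys       map[string]crypto.Signer
	issuers    map[string]*x509.Certificate
	issuerKeys map[string]string // issuer id -> key id
	nextID     int
}

func newMount() *mount {
	return &mount{keys: map[string]crypto.Signer{}, issuers: map[string]*x509.Certificate{}, issuerKeys: map[string]string{}}
}

func (m *mount) id(prefix string) string { m.nextID++; return fmt.Sprintf("%s-%d", prefix, m.nextID) }

// parsePEM returns the DER bytes of the first PEM block if it has the expected type.
func parsePEM(data []byte, typ string) ([]byte, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != typ {
		return nil, fmt.Errorf("expected a %s PEM block", typ)
	}
	return block.Bytes, nil
}

// findKey returns the id of the stored key whose public half matches cert.
func (m *mount) findKey(cert *x509.Certificate) (string, bool) {
	for id, k := range m.keys {
		if pub, ok := k.Public().(interface{ Equal(crypto.PublicKey) bool }); ok && pub.Equal(cert.PublicKey) {
			return id, true
		}
	}
	return "", false
}

// migrate imports a legacy bundle. A missing certificate is a valid state (CSR
// generated, set-signed never called): only the key is imported and the mount
// has no issuer until set-signed supplies one. A missing key, or a certificate
// that does not belong to the key, is refused rather than silently migrated.
func migrate(b legacyBundle) (*mount, error) {
	m := newMount()
	der, err := parsePEM(b.KeyPEM, "PRIVATE KEY")
	if err != nil {
		return nil, fmt.Errorf("legacy bundle has no key: %w", err)
	}
	k, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	signer, ok := k.(crypto.Signer)
	if !ok {
		return nil, errors.New("unsupported key type")
	}
	m.keys[m.id("key")] = signer
	if len(b.CertPEM) == 0 {
		return m, nil // key-only mount: the case this PR fixes
	}
	if _, err := m.setSigned(b.CertPEM); err != nil {
		return nil, fmt.Errorf("legacy certificate does not match legacy key: %w", err)
	}
	return m, nil
}

// setSigned imports a CA certificate and links it to the stored key it was
// issued for; a certificate for a key the mount does not hold is rejected.
func (m *mount) setSigned(certPEM []byte) (string, error) {
	der, err := parsePEM(certPEM, "CERTIFICATE")
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	keyID, ok := m.findKey(cert)
	if !ok {
		return "", errors.New("no stored key matches the certificate's public key")
	}
	issuerID := m.id("issuer")
	m.issuers[issuerID] = cert
	m.issuerKeys[issuerID] = keyID
	return issuerID, nil
}

// newKeyPEM generates a fresh P-256 key as PKCS#8 PEM (constructed test input).
func newKeyPEM() ([]byte, crypto.Signer) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), k
}

// issueCA signs a CA certificate for subjectPub with issuerKey: self-signed
// when issuerPEM is nil (like generate-root), otherwise chained to issuerPEM
// (like sign-intermediate). Constructed helper for the example.
func issueCA(cn string, subjectPub crypto.PublicKey, issuerPEM []byte, issuerKey crypto.Signer) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	parent := tmpl
	if issuerPEM != nil {
		der, err := parsePEM(issuerPEM, "CERTIFICATE")
		if err != nil {
			panic(err)
		}
		if parent, err = x509.ParseCertificate(der); err != nil {
			panic(err)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectPub, issuerKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	rootKeyPEM, rootKey := newKeyPEM()
	rootCertPEM := issueCA("root", rootKey.Public(), nil, rootKey)
	root, err := migrate(legacyBundle{KeyPEM: rootKeyPEM, CertPEM: rootCertPEM})
	if err != nil {
		panic(err)
	}
	intKeyPEM, intKey := newKeyPEM()
	inter, err := migrate(legacyBundle{KeyPEM: intKeyPEM}) // CSR generated, never set-signed
	if err != nil {
		panic(err)
	}
	fmt.Printf("root: %d key(s), %d issuer(s); pki_int: %d key(s), %d issuer(s)\n",
		len(root.keys), len(root.issuers), len(inter.keys), len(inter.issuers))
	issuerID, err := inter.setSigned(issueCA("intermediate", intKey.Public(), rootCertPEM, rootKey))
	if err != nil {
		panic(err)
	}
	fmt.Println("pki_int issuer", issuerID, "is backed by migrated key", inter.issuerKeys[issuerID])
}
```

The check worth keeping from this model is the public-key match in setSigned: after a key-only migration the mount has exactly one candidate key, so associating the incoming certificate with "the" key by position would work by accident, but matching on the public key also catches a certificate signed for some other CSR and keeps working once a mount holds several keys.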

@stevendpclark stevendpclark enabled auto-merge (squash) August 22, 2022 17:01
@stevendpclark stevendpclark merged commit 867c3bc into main Aug 22, 2022
stevendpclark added a commit that referenced this pull request Aug 22, 2022
- We missed testing a use-case of the migration that someone has a PKI
  mount point that generated a CSR but never called set-signed back on
  that mount point so it only contains a key.

* Add cl
stevendpclark added a commit that referenced this pull request Aug 22, 2022
- We missed testing a use-case of the migration that someone has a PKI
  mount point that generated a CSR but never called set-signed back on
  that mount point so it only contains a key.

* Add cl

Co-authored-by: Steven Clark <[email protected]>
@stevendpclark stevendpclark deleted the stevendpclark/fix-pki-migration-key-only branch August 22, 2022 18:08