Overview
The Vault 1.17.x upgrade guide contains information on deprecations, important or breaking changes, and remediation recommendations for anyone upgrading from Vault 1.16. Please read carefully.
Important changes
PKI sign-intermediate now truncates notAfter field to signing issuer
Prior to 1.17.x, the sign-intermediate API would permit a calculated notAfter field to go beyond the signing issuer's notAfter. This produced a CA chain that would not validate properly, because the intermediate outlived the CA that signed it. As of 1.17.x, the default behavior has changed: the intermediate's notAfter value is truncated to the signing issuer's notAfter if the calculated value would be greater.
How to opt out
A new flag, enforce_leaf_not_after_behavior, has been introduced on the sign-intermediate API. When this flag is set to true, the sign-intermediate API uses the signing issuer's configured leaf_not_after_behavior value to control the behavior. Configuring the issuer with a leaf_not_after_behavior value of permit, together with setting enforce_leaf_not_after_behavior to true, restores the legacy behavior.
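The following is an added worked model of the notAfter rules described above; it is illustration code, not Vault's own implementation. It assumes the three documented values of the issuer's leaf_not_after_behavior setting (err, truncate, permit), and the dates are constructed sample data.

```python
"""Model of how Vault 1.17.x decides the notAfter of a signed intermediate.

Added illustration, not Vault source code. Function names are chosen here;
the behaviour values "err", "truncate" and "permit" are the documented
values of the issuer's leaf_not_after_behavior setting.
"""
from datetime import datetime, timedelta, timezone


def sign_intermediate_not_after(issuer_not_after, requested_not_after,
                                enforce_leaf_not_after_behavior=False,
                                issuer_leaf_not_after_behavior="err"):
    """Return the notAfter the signed intermediate would receive.

    - Flag unset (the 1.17.x default): truncate to the issuer's notAfter.
    - Flag set: defer to the issuer's leaf_not_after_behavior value.
    """
    if requested_not_after <= issuer_not_after:
        return requested_not_after  # nothing to reconcile
    if not enforce_leaf_not_after_behavior:
        return issuer_not_after  # 1.17.x default: truncate
    behavior = issuer_leaf_not_after_behavior
    if behavior == "truncate":
        return issuer_not_after
    if behavior == "permit":
        return requested_not_after  # legacy (pre-1.17) result
    if behavior == "err":
        raise ValueError("requested notAfter exceeds the signing issuer's notAfter")
    raise ValueError(f"unknown leaf_not_after_behavior {behavior!r}")


def chain_validity_ok(issuer_not_after, intermediate_not_after):
    """A chain validates for its whole lifetime only if no cert outlives its issuer."""
    return intermediate_not_after <= issuer_not_after


# Constructed sample data: the issuer expires in 2026, the CSR asks for one year more.
ISSUER_NOT_AFTER = datetime(2026, 1, 1, tzinfo=timezone.utc)
REQUESTED_NOT_AFTER = ISSUER_NOT_AFTER + timedelta(days=365)


if __name__ == "__main__":
    default = sign_intermediate_not_after(ISSUER_NOT_AFTER, REQUESTED_NOT_AFTER)
    legacy = sign_intermediate_not_after(ISSUER_NOT_AFTER, REQUESTED_NOT_AFTER,
                                         enforce_leaf_not_after_behavior=True,
                                         issuer_leaf_not_after_behavior="permit")
    print("1.17.x default :", default, "chain ok:", chain_validity_ok(ISSUER_NOT_AFTER, default))
    print("legacy (permit):", legacy, "chain ok:", chain_validity_ok(ISSUER_NOT_AFTER, legacy))
```

The model makes the upgrade decision explicit: a caller that opts back into permit gets the old, longer notAfter and with it a chain that fails validation once the issuer expires, which is the condition the new default exists to prevent.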
Known issues and workarounds
PKI OCSP GET requests can return HTTP redirect responses
If a base64-encoded OCSP request contains consecutive '/' characters, the GET request returns a 301 permanent redirect response. If the redirect is followed, the request will not decode, because the redirected path is no longer a properly base64-encoded request.
As a workaround, use OCSP POST requests, which are unaffected.
Impacted versions
Affects all current versions of 1.12.x, 1.13.x, 1.14.x, 1.15.x, 1.16.x
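The following added check, which is not part of the upgrade guide or of Vault, shows how a client can tell in advance whether a given OCSP request would hit this issue over GET and fall back to POST. It assumes the RFC 6960 GET form (base64 of the DER-encoded OCSPRequest placed in the URL path) and assumes that the redirect target collapses the run of slashes, which is what "will not decode" describes; the request bytes are constructed samples, not real OCSP requests.

```python
"""Decide GET vs POST for an OCSP request against an affected Vault PKI endpoint.

Added illustration, not Vault code. Assumes the RFC 6960 GET encoding
(base64 of the DER request in the path) and that the 301 target is the
path with consecutive slashes collapsed.
"""
import base64
import re


def ocsp_get_path_segment(der_request: bytes) -> str:
    """Base64 form of the DER OCSPRequest as it would appear in the GET path."""
    return base64.b64encode(der_request).decode("ascii")


def triggers_redirect(der_request: bytes) -> bool:
    """True if the encoded request contains the '//' sequence the note describes."""
    return "//" in ocsp_get_path_segment(der_request)


def decodes_after_collapse(path_segment: str) -> bool:
    """Simulate following the redirect: collapse '//' runs, then try to decode."""
    collapsed = re.sub(r"/+", "/", path_segment)
    try:
        base64.b64decode(collapsed, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def choose_method(der_request: bytes) -> str:
    """Workaround from the guide: POST is unaffected, so use it when GET would redirect."""
    return "POST" if triggers_redirect(der_request) else "GET"


# Constructed sample bytes (not real OCSP requests): the 0xff runs encode to '/'.
REQUEST_WITH_SLASHES = b"0\x81\x8f\xff\xff"   # -> "MIGP//8="
REQUEST_WITHOUT_SLASHES = b"0\x03\x02\x01\x01"  # -> no '//' in the encoding


if __name__ == "__main__":
    for req in (REQUEST_WITH_SLASHES, REQUEST_WITHOUT_SLASHES):
        seg = ocsp_get_path_segment(req)
        print(seg, "redirects:", triggers_redirect(req),
              "decodes after redirect:", decodes_after_collapse(seg),
              "use:", choose_method(req))
```

Because base64 output contains '/' whenever the input carries runs of set bits, the affected case is not rare for arbitrary DER; a client that cannot be updated to POST should at least refuse to follow the 301, since the redirected GET can only fail.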