Good day everyone.
I have solved my issue. In short, I was using the wrong path for signing CA certificates with Vault. I found a similar issue here -> Certificates issued by vault with isCa: true are missing CA:TRUE in certificate · Issue #4654 · cert-manager/cert-manager
where a user noticed the CA flag was missing from a certificate, just like me. Someone in the thread changed the Vault path to the following in their ClusterIssuer:
vault:
  path: pki_int/root/sign-intermediate
I was using
  path: pki_int/signed/<role-name>
which does not issue CA certificates!
Reminder for anyone to add the following to their Vault policy so the issuer can reference that API path:
path "pki_int/root/sign-intermediate" {
capabilities = ["create", "update"]
}
Now all my CSRs are proper and there is no weird looping behavior using an alt issuer (HashiCorp Vault):
NAME APPROVED DENIED READY ISSUER REQUESTOR AGE
openziti-dev-controller-ctrl-plane-client-identity-wn65l True True openziti-dev-controller-ctrl-plane-intermediate-issuer system:serviceaccount:cert-manager:cert-manager 7m15s
openziti-dev-controller-ctrl-plane-identity-t5td6 True True openziti-dev-controller-ctrl-plane-intermediate-issuer system:serviceaccount:cert-manager:cert-manager 7m10s
openziti-dev-controller-ctrl-plane-intermediate-cert-gtpbc True True <redacted> system:serviceaccount:cert-manager:cert-manager 7m16s
openziti-dev-controller-edge-signer-cert-flzqt True True <redacted> system:serviceaccount:cert-manager:cert-manager 7m15s
openziti-dev-controller-web-client-identity-n6flg True True openziti-dev-controller-web-intermediate-issuer system:serviceaccount:cert-manager:cert-manager 7m16s
openziti-dev-controller-web-identity-cert-bp9qp True True openziti-dev-controller-web-intermediate-issuer system:serviceaccount:cert-manager:cert-manager 7m12s
openziti-dev-controller-web-intermediate-cert-c9fdb True True <redacted> system:serviceaccount:cert-manager:cert-manager 7m16s
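The symptom in the thread (an intermediate that cert-manager keeps re-requesting because the returned certificate is not actually a CA) is easy to confirm independently of Vault or cert-manager: parse the certificate and check that Basic Constraints says CA:TRUE and that Key Usage includes keyCertSign. The following is an added example written for this reply, not code from the original post, cert-manager or Vault. It uses only Go's standard `crypto/x509`, and the two certificates it inspects are constructed self-signed samples (one minted as a CA, one as an end-entity certificate) so it runs offline; to inspect a real certificate, feed `CAProblems` the PEM from the issuer's `tls.crt` secret data instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CAProblems returns the reasons a PEM-encoded certificate cannot act as a
// CA (i.e. sign other certificates). An empty slice means it is usable as an
// intermediate: Basic Constraints is present with CA:TRUE and Key Usage
// permits keyCertSign. A certificate from a Vault role path that only issues
// leaf certificates will fail both checks.
func CAProblems(certPEM []byte) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	var problems []string
	if !cert.BasicConstraintsValid {
		problems = append(problems, "Basic Constraints extension missing (no CA:TRUE)")
	} else if !cert.IsCA {
		problems = append(problems, "Basic Constraints present but CA:FALSE")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		problems = append(problems, "Key Usage lacks keyCertSign")
	}
	return problems, nil
}

// SampleCertPEM mints a constructed self-signed certificate for the demo.
// isCA=true imitates what pki_int/root/sign-intermediate returns;
// isCA=false imitates a leaf certificate from a role-based issue/sign path.
func SampleCertPEM(isCA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed sample"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	for _, isCA := range []bool{true, false} {
		certPEM, err := SampleCertPEM(isCA)
		if err != nil {
			panic(err)
		}
		problems, err := CAProblems(certPEM)
		if err != nil {
			panic(err)
		}
		fmt.Printf("sample (isCA=%v): %d problem(s) %v\n", isCA, len(problems), problems)
	}
}
```

If `CAProblems` reports anything for the certificate that cert-manager stored for your intermediate issuer, the issuer will never be able to sign the leaf CertificateRequests under it, which is exactly the loop described above; the fix is on the Vault side (the sign-intermediate path and the policy granting it), not in the Certificate resources.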