OpenZiti Helm Chart - Using Enterprise PKI Instead of Self-Signed CA

Good day everyone.

I have solved my issue. In short, I was using the wrong path for signing CA certificates with Vault. I found a similar issue here -> Certificates issued by vault with isCa: true are missing CA:TRUE in certificate · Issue #4654 · cert-manager/cert-manager

There, a user noticed the CA flag was missing from a certificate, just like me. Someone in the post changed the Vault path to the following in their ClusterIssuer:

vault:
  path: pki_int/root/sign-intermediate

I was using:

path: pki_int/signed/<role-name>

That path does not issue CA certificates!

A reminder for anyone doing this: add the following to your Vault policy so the issuer can use that API path.

path "pki_int/root/sign-intermediate" {
  capabilities = ["create", "update"]
}

Now all my CSRs are proper and there is no weird looping behavior when using an alternate issuer (HashiCorp Vault):

NAME                                                         APPROVED   DENIED   READY   ISSUER                                                   REQUESTOR                                         AGE
openziti-dev-controller-ctrl-plane-client-identity-wn65l     True                True    openziti-dev-controller-ctrl-plane-intermediate-issuer   system:serviceaccount:cert-manager:cert-manager   7m15s
openziti-dev-controller-ctrl-plane-identity-t5td6            True                True    openziti-dev-controller-ctrl-plane-intermediate-issuer   system:serviceaccount:cert-manager:cert-manager   7m10s
openziti-dev-controller-ctrl-plane-intermediate-cert-gtpbc   True                True    <redacted>                                               system:serviceaccount:cert-manager:cert-manager   7m16s
openziti-dev-controller-edge-signer-cert-flzqt               True                True    <redacted>                                               system:serviceaccount:cert-manager:cert-manager   7m15s
openziti-dev-controller-web-client-identity-n6flg            True                True    openziti-dev-controller-web-intermediate-issuer          system:serviceaccount:cert-manager:cert-manager   7m16s
openziti-dev-controller-web-identity-cert-bp9qp              True                True    openziti-dev-controller-web-intermediate-issuer          system:serviceaccount:cert-manager:cert-manager   7m12s
openziti-dev-controller-web-intermediate-cert-c9fdb          True                True    <redacted>                                               system:serviceaccount:cert-manager:cert-manager   7m16s
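An added example, not from the original post or the OpenZiti chart, of the check worth running on any certificate a Vault issuer hands back before the chart uses it as an intermediate: confirm it carries basicConstraints CA:TRUE and a keyUsage that allows signing certificates. It assumes the openssl CLI is installed; the two sample certificates are constructed inline to mimic what the leaf-signing path and the sign-intermediate path return.

```shell
#!/bin/sh
# Added example, not from the original post. A cert signed via Vault's
# pki_int/sign/<role> path is a leaf (no CA:TRUE); one signed via
# pki_int/root/sign-intermediate carries the CA bit cert-manager needs.
set -eu

# is_ca_cert FILE -> 0 if the PEM certificate has basicConstraints CA:TRUE
# and a keyUsage including Certificate Sign; 1 otherwise.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk '/CA:TRUE/ {bc=1} /Certificate Sign/ {ku=1} END {exit !(bc && ku)}'
}

# Constructed sample material so this runs offline: one CSR, self-signed
# twice with different extension sets (the only thing the two differ in).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/key.pem" 2>/dev/null
openssl req -new -key "$WORK/key.pem" -subj "/CN=demo-intermediate" \
  -out "$WORK/req.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" -days 1 \
  -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

for f in ca.pem leaf.pem; do
  if is_ca_cert "$WORK/$f"; then
    echo "$f: CA:TRUE with Certificate Sign, usable as an intermediate"
  else
    echo "$f: not a CA certificate, check the issuer's Vault path"
  fi
done
```

Against a live cluster, the same function works on the certificate pulled from the intermediate's Secret (for example `kubectl get secret <name> -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem`).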