PKI Engine: Error parsing metadata when creating ed25519 or ec root cert #13680

Closed
nwerker opened this issue Jan 17, 2022 · 3 comments · Fixed by #13894
Comments

nwerker commented Jan 17, 2022

Describe the bug
When generating a new root certificate with key_type ed25519 or ec, I get an error saying that the metadata couldn't be parsed, and therefore I can't see the common_name or expiration dates. This problem does not happen when I use rsa as the key_type. In the Vault UI, I get the following info message:

(screenshot: the Vault UI info message)

The generated certificate is valid for the set amount, but not being able to see the expiration date via API or CLI makes it hard to monitor. Are there any limitations I am not aware of?

To Reproduce
Steps to reproduce the behavior:

  1. Run vault secrets enable pki
  2. Run vault secrets tune --max-lease-ttl=87600h pki
  3. Run vault write -field=certificate pki/root/generate/internal common_name="root" ttl=87600h key_type=ed25519
  4. See error / screenshot above

I also tried this with lower TTLs and with and without common_name, resulting in the same error.

Expected behavior
Root Cert supports ed25519 with all metadata so it can be queried by API or CLI!

Environment:

  • Vault Server Version: 1.9.1
  • Vault CLI Version: 1.9.1
  • Server Operating System/Architecture: RHEL 8.5 (Server and Client)

Vault server configuration file(s):

Can be provided, if needed. The cluster is using raft as storage backend.

pcuttriss commented Feb 1, 2022

Having the same issue with a signed intermediate certificate. Checking with openssl provides sane output from the pem file. Vault cannot successfully parse the certificate metadata. Intermediate using ec with 384 bits.
Signed by offline root using ec key with 384 bits.
Vault 1.9.2

pcuttriss commented Feb 1, 2022

Did a bit more testing on this... as it's a development system it's easy to mess about. Pulled in the offline root CA to Vault as part of creating a new pki endpoint.
Created a role specifying RSA as a key type and metadata displays fine.
Created a role specifying EC as a key type and metadata fails to display.
This appears to be specific to the role specified key type rather than the upstream root key type in my setup.

cipherboy (Contributor) commented Feb 3, 2022

> Are there any limitations I am not aware of?

Our web UI uses the node-forge library which has an outstanding PR for ECDSA support (and lacks support for ed25519). This error message was added recently to still display some information about the certificate, rather than erring out completely.

As mentioned by @pcuttriss, perhaps fetching the cert (which can be done unauthenticated) and parsing it with openssl suffices? This can be made into a nice one-liner:

$ openssl x509 -text -noout <<< "$(curl -sSL http://localhost:8200/v1/pki/ca/pem)"
$ openssl x509 -startdate -enddate -noout <<< "$(curl -sSL http://localhost:8200/v1/pki/ca/pem)"

I agree the vault CLI lacks support for reading or displaying attributes, this does seem like a worthwhile improvement:

$ vault read pki/ca/pem
Error reading pki/ca/pem: invalid character '-' in numeric literal

Perhaps a -format=raw option would be enough alongside openssl...? If someone wants to write the PR, I'd be happy to review.

/cc @hellobontempo
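The unauthenticated fetch-and-parse route suggested in the comment above, worked through for the two key types in the report (an ed25519 root and an EC P-384 CA), as an added example in Go; this is not code from the issue or from Vault. It builds a constructed self-signed root in memory for each key type, serves it from an in-process stand-in for `/v1/<mount>/ca/pem` (an `httptest` server, so nothing here talks to a real Vault), fetches it without a token exactly as the curl one-liner does, and reads the common name, key algorithm and NotAfter with Go's `crypto/x509`, which handles ECDSA and Ed25519 certificates. The `pki` mount name, the `root` common name and the 87600h TTL mirror the reproduction steps; the function names and the stand-in server are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// parseCAPEM parses the first CERTIFICATE block; crypto/x509 handles RSA, ECDSA and Ed25519 alike.
func parseCAPEM(body []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(body)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("body is not a PEM CERTIFICATE")
	}
	return x509.ParseCertificate(block.Bytes)
}

// fetchCA is the unauthenticated GET <addr>/v1/<mount>/ca/pem from the thread; no X-Vault-Token is sent.
func fetchCA(addr, mount string) (*x509.Certificate, error) {
	resp, err := http.Get(addr + "/v1/" + mount + "/ca/pem")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected HTTP status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // a CA PEM is small; cap the read
	if err != nil {
		return nil, err
	}
	return parseCAPEM(body)
}

// selfSignedRootPEM builds a constructed self-signed root for the example (not Vault output);
// keyType is "ed25519" or "ec" (P-384), the two cases reported as failing in the UI.
func selfSignedRootPEM(cn, keyType string, ttl time.Duration) ([]byte, error) {
	var signer crypto.Signer
	var err error
	switch keyType {
	case "ed25519":
		_, signer, err = ed25519.GenerateKey(rand.Reader)
	case "ec":
		signer, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	default:
		err = fmt.Errorf("unsupported key type %q", keyType)
	}
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,
		NotAfter:              now.Add(ttl),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// serveCA stands in for a Vault server's ca/pem endpoint so the example runs offline.
func serveCA(mount string, pemBytes []byte) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/"+mount+"/ca/pem", func(w http.ResponseWriter, _ *http.Request) { w.Write(pemBytes) })
	return httptest.NewServer(mux)
}

func main() {
	for _, kt := range []string{"ed25519", "ec"} {
		pemBytes, err := selfSignedRootPEM("root", kt, 87600*time.Hour)
		if err != nil {
			panic(err)
		}
		srv := serveCA("pki", pemBytes)
		cert, err := fetchCA(srv.URL, "pki")
		srv.Close()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: CN=%s alg=%s notAfter=%s (%.0f days left)\n", kt, cert.Subject.CommonName,
			cert.PublicKeyAlgorithm, cert.NotAfter.UTC().Format(time.RFC3339), time.Until(cert.NotAfter).Hours()/24)
	}
}
```

To monitor a live mount, pass a real server address (for example `http://localhost:8200`) to `fetchCA` instead of `srv.URL`; the endpoint needs no token, so this can run from a monitoring host with no Vault policy at all. The raw HTTP fetch is used rather than the CLI because `vault read pki/ca/pem` decodes the response as JSON, and the `-----BEGIN` of a raw PEM body is what produces the "invalid character '-' in numeric literal" error quoted above.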

cipherboy added a commit that referenced this issue Feb 3, 2022
This replaces the implementation of parse-pki-cert to use PKI.js rather
than node-forge for two reasons:

 - PKI.js uses Web Crypto rather than maintaining a built-in
   implementation of several algorithms.
 - node-forge presently lacks support for ECDSA and Ed25519
   certificates.

Related: #13680

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy added a commit that referenced this issue Feb 4, 2022
* Switch parse-pki-cert from node-forge to PKI.js

This replaces the implementation of parse-pki-cert to use PKI.js rather
than node-forge for two reasons:

 - PKI.js uses Web Crypto rather than maintaining a built-in
   implementation of several algorithms.
 - node-forge presently lacks support for ECDSA and Ed25519
   certificates.

Related: #13680

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add dependency on PKI.js

$ yarn add -D asn1js pvutils pkijs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove dependency on node-forge

$ yarn remove node-forge

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
fairclothjm pushed a commit that referenced this issue Feb 12, 2022
* Switch parse-pki-cert from node-forge to PKI.js