PKI: Should not allow the root certificate to be 'revoked'. #4884
Closed
tveastman opened this issue Jul 10, 2018 · 6 comments

@tveastman

Describe the bug

The Vault PKI secret backend allows you to revoke its own root CA with a call to pki/revoke.

Once done, your Root CA is added to the CRL, and it's impossible to undo.

Because the CRL is signed by the now-revoked CA certificate, the CRL is now paradoxically invalid.

I don't know what the correct behaviour here is supposed to be in PKI terms, but revoking the Root CA seems to permanently invalidate either the CA (if the CRL is treated as valid) or the CRL itself (since it surely can't be trusted to invalidate its own signing certificate).

I looked online for opinions:

My uninformed opinion is that it should be impossible to add the Root CA's serial number to the CRL signed by that very Root CA.

To Reproduce

  1. Mount the secret backend and generate a root cert:

    $ vault secrets enable pki
    Success! Enabled the pki secrets engine at: pki/

    $ vault write pki/root/generate/internal "common_name=my root ca" ttl=8760h
    Key              Value
    ---              -----
    certificate      (...etc...)
    expiration       1533787178
    issuing_ca       (...etc...)
    serial_number    32:5f:9b:9c:43:60:10:dd:31:66:96:d6:5d:de:ad:50:48:fe:67:9c

  2. Revoke the freshly generated Root CA cert:

    $ vault write pki/revoke serial_number=32:5f:9b:9c:43:60:10:dd:31:66:96:d6:5d:de:ad:50:48:fe:67:9c
    Key                        Value
    ---                        -----
    revocation_time            1531195230
    revocation_time_rfc3339    2018-07-10T04:00:30.761357418Z

  3. Grab the CRL and see what it says:

    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /CN=my root ca
            Last Update: Jul 10 04:00:30 2018 GMT
            Next Update: Jul 13 04:00:30 2018 GMT
    Revoked Certificates:
        Serial Number: 325F9B9C436010DD316696D65DDEAD5048FE679C
            Revocation Date: Jul 10 04:00:30 2018 GMT
        Signature Algorithm: sha256WithRSAEncryption
             (... etc ...)

Expected behavior

  1. I think it should be impossible to add the Root CA's serial number to the CRL.
  2. If for some reason it should be possible, then it would be nice to be able to remove certificates from the CRL if you, for example, accidentally revoked your Root CA.
  3. I'm not sure, but I don't think the Root CA should even be listed under pki/certs; is it there for a reason? I thought only certs you issued would show up there.

  • Vault Server Version 0.10.3
@jefferai (Member)

Seems like a good idea to not allow revoking itself. You could always generate a new trusted CRL from elsewhere and add the root CA to it; but really if you were at a point where you wanted to revoke the root you're in kind of a bad failure mode anyways because due to soft-fail CRL mechanisms it may take up to 6 days or so for clients to even notice, so what you'd want to do is just update systems' CA bundles ASAP to not include the bad root.
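The two sides of this thread, the reporter's "the CRL can't be trusted to invalidate its own signer" and the maintainer's "don't allow revoking itself", can be shown with the Go standard library alone. The program below is an added example and is not code from this issue, from the fix in #5134, or from Vault: `NewRootCA` builds a throwaway self-signed CA (reusing the serial number from the report as constructed test material), `AddRevocation` is the server-side guard that refuses the CA's own serial, and `CRLSelfRevokes` is the consumer-side check that verifies a CRL's signature and flags one that lists its own signer. `Demo` walks the report's steps with the guard in place and then builds the paradoxical CRL that Vault 0.10.3 produced so the check can be seen catching it. The leaf serial 4242 is constructed; the 3-day CRL window matches the Last/Next Update gap in the dump above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrSelfRevocation is returned when a revocation request names the CRL signer's own serial.
var ErrSelfRevocation = errors.New("refusing to revoke the issuing CA's own certificate: a CRL cannot invalidate its own signer")

// NewRootCA builds a throwaway self-signed CA with the crlSign key usage (constructed test material,
// not how Vault generates its root). Go fills in the SubjectKeyId for CA templates, which
// CreateRevocationList later requires on the issuer.
func NewRootCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := new(big.Int).SetString("325F9B9C436010DD316696D65DDEAD5048FE679C", 16) // serial from the issue
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(8760 * time.Hour), // ttl=8760h as in the issue
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AddRevocation is the server-side guard: append serial to the revoked list unless it is the issuer's own.
func AddRevocation(issuer *x509.Certificate, revoked []pkix.RevokedCertificate, serial *big.Int, at time.Time) ([]pkix.RevokedCertificate, error) {
	if serial.Cmp(issuer.SerialNumber) == 0 {
		return revoked, ErrSelfRevocation
	}
	return append(revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: at}), nil
}

// BuildCRL signs a CRL with a 3-day window, matching the Last/Next Update gap in the issue's CRL dump.
func BuildCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate, number int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(72 * time.Hour), RevokedCertificates: revoked}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CRLSelfRevokes is the consumer-side check: verify the CRL's signature, then report whether it lists
// its own signer. Such a CRL is self-contradicting and must not drive revocation decisions.
func CRLSelfRevokes(crl *x509.RevocationList, issuer *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(issuer.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Demo walks the report's steps and returns what each check decided.
func Demo() (guardBlocked, cleanSelfRevokes, paradoxSelfRevokes bool, err error) {
	ca, key, err := NewRootCA("my root ca")
	if err != nil {
		return
	}
	_, err = AddRevocation(ca, nil, ca.SerialNumber, time.Now()) // step 2 of the report, with the guard in place
	guardBlocked = errors.Is(err, ErrSelfRevocation)
	revoked, err := AddRevocation(ca, nil, big.NewInt(4242), time.Now()) // constructed leaf serial
	if err != nil {
		return
	}
	crl, err := BuildCRL(ca, key, revoked, 1)
	if err == nil {
		cleanSelfRevokes, err = CRLSelfRevokes(crl, ca)
	}
	if err == nil {
		// What Vault 0.10.3 produced: the root's own serial inside the CRL it signed.
		crl, err = BuildCRL(ca, key, []pkix.RevokedCertificate{{SerialNumber: ca.SerialNumber, RevocationTime: time.Now()}}, 2)
	}
	if err == nil {
		paradoxSelfRevokes, err = CRLSelfRevokes(crl, ca)
	}
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true false true <nil>`: the guard refuses the root's serial, a CRL that only revokes the leaf passes, and the self-revoking CRL is flagged. Note that the paradoxical CRL still carries a valid signature, which is exactly why a relying party needs the serial check in addition to signature verification.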

@jefferai jefferai added this to the near-term milestone Jul 10, 2018
@tveastman tveastman changed the title Vault PKI lets you revoke the CA Root. PKI: Should not allow the root certificate to be 'revoked'. Jul 10, 2018
@jefferai (Member)

Fixed by #5134

@pbernal pbernal removed this from the near-term milestone May 15, 2020
@abhisheksinghrathod

Hi @jefferai,
I had a use case where we want to revoke the Root CA. It goes as below.
We are using HashiCorp Vault v1.7.1 to manage the PKIs for our internal services to communicate with each other.
So the model is of a Core service and Spoke services. By default, all Spoke services can talk to the Core service and vice versa, BUT two Spoke services should not be able to talk to each other. To enable this kind of communication, every Core service will have a Root Certificate and will issue Intermediate Certificates for Spoke services.

Now if for some reason we have to revoke the intermediate cert, it can easily be done with the /pki/revoke API, but for the Root CA it is not possible. I even tried to DELETE the ROOT CA and create a new one, but Vault does not delete the old ROOT CA; it creates a new one and both are valid.

I want to invalidate the old ROOT CA so that all intermediate certificates signed by it are also invalidated.
Do you have any insight into how this can be achieved in Vault? Any pointers will be helpful. I have tried googling and did a lot of experiments with the Vault APIs but was not able to achieve this use case.

Thanks,
Abhishek

@suikast42

> Hi @jefferai, I had a use case where we want to revoke the Root CA. It goes as below. We are using HashiCorp Vault v1.7.1 to manage the PKIs for our internal services to communicate with each other. So the model is of a Core service and Spoke services. By default, all Spoke services can talk to the Core service and vice versa, BUT two Spoke services should not be able to talk to each other. To enable this kind of communication, every Core service will have a Root Certificate and will issue Intermediate Certificates for Spoke services.
>
> Now if for some reason we have to revoke the intermediate cert, it can easily be done with the /pki/revoke API, but for the Root CA it is not possible. I even tried to DELETE the ROOT CA and create a new one, but Vault does not delete the old ROOT CA; it creates a new one and both are valid.
>
> I want to invalidate the old ROOT CA so that all intermediate certificates signed by it are also invalidated. Do you have any insight into how this can be achieved in Vault? Any pointers will be helpful. I have tried googling and did a lot of experiments with the Vault APIs but was not able to achieve this use case.
>
> Thanks, Abhishek

I am facing the same issue. Did you find something out?

@lethargosapatheia

lethargosapatheia commented Oct 27, 2022

I am also trying to get rid of the CA certificate, and because this bug is (justifiably) fixed, I've no idea how I'm supposed to properly delete it.

@benapetr

Hello,

It seems you can delete them using the CLI:

vault list pki/issuers

# now identify the one you want to delete

vault delete pki/issuer/ID
