Overview
The Vault 1.17.x upgrade guide contains information on deprecations, important or breaking changes, and remediation recommendations for anyone upgrading from Vault 1.16. Please read carefully.
Important changes
PKI sign-intermediate now truncates notAfter field to signing issuer
Prior to 1.17.x, Vault allowed the calculated sign-intermediate notAfter field to go beyond the signing issuer's notAfter field. The extended value led to a CA chain that would not validate properly: once the issuer expired, verifiers rejected the chain even though the intermediate itself was still within its validity period. As of 1.17.x, Vault truncates the intermediate notAfter value to the signing issuer's notAfter if the calculated field is greater.
How to opt out
You can use the new enforce_leaf_not_after_behavior flag on the sign-intermediate API along with the leaf_not_after_behavior flag for the signing issuer to opt out of the truncating behavior.
When you set enforce_leaf_not_after_behavior to true, the sign-intermediate API uses the leaf_not_after_behavior value configured for the signing issuer to control the truncation behavior. Setting the issuer leaf_not_after_behavior field to permit and enforce_leaf_not_after_behavior to true restores the legacy behavior.
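As an added example that is not part of the upgrade guide or of Vault's own code, the following Python models the decision the sign-intermediate API makes for each combination of enforce_leaf_not_after_behavior and the issuer's leaf_not_after_behavior, and shows the validation window that the legacy (permit) behavior leaves open. The dates are constructed sample values, the err/truncate/permit values are the issuer field's documented options, and the order of the checks is reconstructed from the description above rather than taken from Vault's source.

```python
"""Model of the 1.17 sign-intermediate notAfter decision.

This is an added illustration, not Vault source code. The parameter names
enforce_leaf_not_after_behavior and leaf_not_after_behavior and the values
err / truncate / permit come from the PKI API; the decision sequence below is
a reconstruction of the behaviour the upgrade guide describes, and the dates
are constructed sample values.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: an issuer that expires in two years and a CSR signed
# today with a three-year TTL, which would outlive its issuer.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ISSUER_NOT_AFTER = datetime(2027, 1, 1, tzinfo=timezone.utc)
REQUESTED_NOT_AFTER = NOW + timedelta(days=3 * 365)   # 2028-01-01


class NotAfterExceedsIssuer(ValueError):
    """Signing refused: the issuer has leaf_not_after_behavior=err."""


def resolve_intermediate_not_after(requested, issuer_not_after,
                                   enforce_leaf_not_after_behavior=False,
                                   leaf_not_after_behavior="err"):
    """Return the notAfter Vault 1.17 would put on the signed intermediate.

    leaf_not_after_behavior is only consulted when the caller sets
    enforce_leaf_not_after_behavior=true on the sign-intermediate request;
    otherwise the 1.17 default (truncate to the issuer) applies.
    """
    if requested <= issuer_not_after:
        return requested                        # nothing to decide
    if not enforce_leaf_not_after_behavior:
        return issuer_not_after                 # 1.17 default: truncate
    if leaf_not_after_behavior == "permit":
        return requested                        # pre-1.17 (legacy) behaviour
    if leaf_not_after_behavior == "truncate":
        return issuer_not_after
    if leaf_not_after_behavior == "err":
        raise NotAfterExceedsIssuer(
            f"requested notAfter {requested:%Y-%m-%d} exceeds issuer "
            f"notAfter {issuer_not_after:%Y-%m-%d}")
    raise ValueError(f"unknown leaf_not_after_behavior {leaf_not_after_behavior!r}")


def sign_outcome(enforce_leaf_not_after_behavior, leaf_not_after_behavior,
                 requested=REQUESTED_NOT_AFTER, issuer_not_after=ISSUER_NOT_AFTER):
    """('signed', notAfter) or ('rejected', None) for one flag combination."""
    try:
        return "signed", resolve_intermediate_not_after(
            requested, issuer_not_after,
            enforce_leaf_not_after_behavior, leaf_not_after_behavior)
    except NotAfterExceedsIssuer:
        return "rejected", None


def chain_valid_at(when, chain_not_afters):
    """Path validation checks each certificate's own validity at `when`; it
    never compares notAfter across the chain, so an intermediate that outlives
    its issuer looks fine right up until the issuer expires."""
    return all(when <= not_after for not_after in chain_not_afters)


def legacy_gap_days(intermediate_not_after, issuer_not_after=ISSUER_NOT_AFTER):
    """Days during which the intermediate is unexpired but its chain is not."""
    return max(0, (intermediate_not_after - issuer_not_after).days)


if __name__ == "__main__":
    for enforce, behavior in [(False, "err"), (True, "permit"),
                              (True, "truncate"), (True, "err")]:
        status, not_after = sign_outcome(enforce, behavior)
        shown = not_after.strftime("%Y-%m-%d") if not_after else "-"
        print(f"enforce={enforce!s:5} behavior={behavior:8} -> {status:8} notAfter={shown}")
    legacy = sign_outcome(True, "permit")[1]
    print("legacy chain breaks for", legacy_gap_days(legacy),
          "days before the intermediate itself expires")
```

Note that the issuer's leaf_not_after_behavior is ignored unless the request also sets enforce_leaf_not_after_behavior to true, so an issuer left at permit still gets the truncating behavior after the upgrade until callers change their sign-intermediate requests.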
Known issues and workarounds
PKI OCSP GET requests can return HTTP redirect responses
If a base64-encoded OCSP request contains consecutive '/' characters, the GET request will return a 301 permanent redirect response. If the redirection is followed, the request will not decode, because the redirected path no longer carries a properly base64-encoded request.
As a workaround, use OCSP POST requests, which are unaffected.
Impacted versions
Affects all current versions of 1.12.x, 1.13.x, 1.14.x, 1.15.x, 1.16.x
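As an added example that is not part of the upgrade guide or of Vault, the following Python shows what the redirect does to an OCSP GET request and how a client can detect the condition and fall back to POST. The mount path /v1/pki/ocsp and the two byte strings are constructed; the byte strings stand in for a DER OCSPRequest and are chosen so that one of them base64-encodes with consecutive '/' characters and the other does not.

```python
"""Pick GET or POST for an OCSP request to a Vault PKI mount.

Added illustration, not part of the upgrade guide or of Vault. The mount path
/v1/pki/ocsp and the two DER byte strings are constructed; the byte strings
are stand-ins for a DER OCSPRequest, chosen so that one of them
base64-encodes with consecutive '/' characters and the other does not.
"""
import base64
import binascii
import re

OCSP_PATH = "/v1/pki/ocsp"   # assumed mount; the issue is about the path, not the mount

# Constructed stand-ins for DER OCSPRequest bytes (not real OCSP encodings).
REQUEST_WITH_SLASHES = b"\x30\x05\x02\x03\xff\xff\xff"   # base64 "MAUCA////w=="
REQUEST_PLAIN = b"\x30\x03\x02\x01\x05"                  # base64 "MAMCAQU="


def b64_of(der):
    return base64.b64encode(der).decode("ascii")


def ocsp_get_path(der, base=OCSP_PATH):
    """RFC 6960 Appendix A.1 GET form: {url}/{base64(DER)}. The base64
    alphabet contains '/', which clients normally leave unescaped in the path."""
    return f"{base}/{b64_of(der)}"


def has_consecutive_slashes(der):
    """True when the GET path would contain '//' and trigger the redirect."""
    return "//" in b64_of(der)


def collapse_slashes(path):
    """What a server that 301-redirects to a cleaned path does to '//'."""
    return re.sub(r"/{2,}", "/", path)


def b64_after_redirect(der, base=OCSP_PATH):
    """The base64 text the client presents after following the redirect."""
    return collapse_slashes(ocsp_get_path(der, base))[len(base) + 1:]


def decodes_to_original(b64, der):
    """True only if b64 is valid base64 that decodes back to der.
    The collapsed text either fails to decode or decodes to different bytes,
    depending on the Python version, so both cases are reported as False."""
    try:
        return base64.b64decode(b64, validate=True) == der
    except binascii.Error:
        return False


def build_request(der, base=OCSP_PATH):
    """Use GET when the path is safe; otherwise use POST, which is unaffected."""
    if has_consecutive_slashes(der):
        return {"method": "POST", "path": base,
                "headers": {"Content-Type": "application/ocsp-request"},
                "body": der}
    return {"method": "GET", "path": ocsp_get_path(der, base),
            "headers": {}, "body": b""}


if __name__ == "__main__":
    for der in (REQUEST_PLAIN, REQUEST_WITH_SLASHES):
        req = build_request(der)
        print(req["method"], req["path"])
    redirected = b64_after_redirect(REQUEST_WITH_SLASHES)
    print("after redirect:", redirected, "decodes to original:",
          decodes_to_original(redirected, REQUEST_WITH_SLASHES))
```

Whether a given request hits the issue depends only on the bytes of the encoded OCSPRequest, so a client that sometimes sees 301 responses from an otherwise working responder on an affected version should switch to POST unconditionally rather than retry.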