CRL Generation problem: followup from https://github.com/hashicorp/vault/issues/20137

[roy3861]

Hi,

So this is a follow up from : #20137
Which my colleague has raised in the past.

So as per, #20137 (comment)

We have created New RootCA with KU Set correctly with same key of Old RootCA. Upgraded vault to latest 1.21.2. And have both Part of Single Mount Path in vault with old RootCA as default issuer.

Now while trying to rotate CRLs i am getting:

`curl "http://root-ca-vault.local/v1/Old-RootCA/crl/rotate" -H "X-Vault-Token: $ROOT_CA_API_TOKEN"

{"request_id":"a28006c7-f5f0-3f88-f9da-4871392e1dee","lease_id":"","renewable":false,"lease_duration":0,"data":{"success":true},"wrap_info":null,"warnings":["Warning 1 during CRL rebuild: warning from local CRL rebuild: Issuer equivalency set with associated keys lacked an issuer with CRL Signing KeyUsage; refusing to rebuild CRL for this group of issuers: "],"auth":null,"mount_type":"pki"}`

And then if i try to get CRL it gives me empty string:

`# curl "http://root-ca-vault.local/v1/Old-RootCA/crl/pem"

`

I also did not understood this work around: #20137 (comment)

is it like to ticking for old RootCA issuer:
Usage
Allowed usages for this issuer. It can always be read.

Following Option?
Signing CRLs

[dosubot]

Yes, you've understood the workaround correctly! The issue is that your new Root CA (with the correct CRL Signing KeyUsage in its certificate) needs to have crl-signing enabled in its Vault issuer configuration.

Here's what's happening: Vault groups issuers with the same key and subject into "equivalency sets". Since your old and new Root CAs share the same key, they're in the same set. Vault needs at least one issuer in that set with CRL signing capability to generate the CRL.

To fix this:

1. Enable CRL signing on your new Root CA (the one with correct KeyUsage):

vault write Old-RootCA/issuer/<new-root-ca-issuer-id> \
    usage="read-only,issuing-certificates,crl-signing,ocsp-signing"

2. Rotate the CRL:

curl "http://root-ca-vault.local/v1/Old-RootCA/crl/rotate" -H "X-Vault-Token: $ROOT_CA_API_TOKEN"

You can verify your issuers' current usage settings with:

vault read Old-RootCA/issuer/<issuer-id>

Important: You cannot enable crl-signing on your old Root CA because Vault validates that the underlying certificate has the CRLSign KeyUsage bit - which your old Root CA lacks. You can only enable it on the new Root CA that has the proper KeyUsage.

Written by @dosu, approved by heatherezell

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

  

[roy3861]

Hi, @heatherezell

New RootCA already has crl-signing set:

vault read Old-RootCA/issuer/new-issuer-id

crl_distribution_points           []
delta_crl_distribution_points     []
enable_aia_url_templating         false
issuer_id                         <id>
issuer_name                       n/a
issuing_certificates              []
key_id                            <key id>
leaf_not_after_behavior           err
manual_chain                      <nil>
ocsp_servers                      []
revocation_signature_algorithm    n/a
revoked                           false
usage                             crl-signing,issuing-certificates,ocsp-signing,read-only

[roy3861]

Hi, Can you suggest any workaround? We are unsure how to progress.

[heatherezell]

@dosu can you clarify the workaround, or propose other workarounds?

[dosubot]

Since the new issuer shows crl-signing in its usage, let's verify the actual certificate has the CRLSign KeyUsage bit set. Vault validates this when you set the usage, but there may be edge cases during upgrades.

Can you run these diagnostic commands?

1. Verify the new Root CA certificate has CRLSign KeyUsage:

vault read -field=certificate Old-RootCA/issuer/new-issuer-id > new-root.pem
openssl x509 -in new-root.pem -text -noout | grep -A 1 "Key Usage"

Look for "CRL Sign" in the output.

2. Check if both issuers have the same subject (required for equivalency set):

vault read -field=certificate Old-RootCA/issuer/<old-issuer-id> > old-root.pem
openssl x509 -in old-root.pem -subject -noout
openssl x509 -in new-root.pem -subject -noout

The subjects must match exactly for Vault to group them together and use the new issuer's CRL signing capability.

If the new certificate doesn't actually have the CRLSign bit, you'll need to reissue it with the correct KeyUsage. If the subjects differ, they're in separate equivalency sets and the old issuer group still lacks a CRL signer.

Written by @dosu, approved by heatherezell

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

  

[dosubot]

Here are the workarounds, starting with the most reliable:

Workaround 1: Delete the Old Issuer (Recommended)

Delete the old Root CA issuer that lacks proper KeyUsage:

vault delete Old-RootCA/issuer/<old-issuer-id>

This removes the old issuer and automatically triggers a CRL rebuild. With only the new issuer remaining (which has proper CRLSign KeyUsage), CRL generation should succeed.

Workaround 2: Set the New Issuer as Default

Make sure your new issuer is the default issuer:

vault write Old-RootCA/config/issuers default=<new-issuer-id>

Vault prefers the default issuer when selecting a representative from an equivalency set for CRL signing.

Workaround 3: Restrict the Old Issuer's Usage

Explicitly disable operations on the old issuer:

vault write Old-RootCA/issuer/<old-issuer-id> usage="read-only"

---

Important diagnostic step first: Before trying these, verify your new Root CA certificate actually has the CRLSign KeyUsage bit:

vault read -field=certificate Old-RootCA/issuer/<new-issuer-id> > new-root.pem
openssl x509 -in new-root.pem -text -noout | grep -A 1 "Key Usage"

Look for "CRL Sign" in the output. If it's missing, the certificate itself wasn't generated with the correct KeyUsage, even though Vault's config shows crl-signing.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}