This patch changes a certificate issued with Vault issuer as follows:

- `ca.crt`: a root certificate, returned in `ca_chain` from Vault
- `tls.crt`: a leaf certificate, plus intermediate certificates if available in `ca_chain`, i.e. `tls.crt` won't include a root certificate

This is a breaking change; Vault issuer had included an issuing CA as a chain in `tls.crt`, but after this change it will no longer include a root certificate when the issuing CA is not an intermediate. For `ca.crt`, it had included an issuing CA only, which can be an intermediate.

`tls.crt` is not expected to contain a root certificate, as generally clients must trust root certificates in advance. It is considered redundant to transmit a root certificate from servers to clients during the TLS handshake. Other issuers, e.g. ACME, behave the same.

This fixes https://github.com/jetstack/cert-manager/issues/2166

This patch is based on https://github.com/jetstack/cert-manager/pull/3340

Co-authored-by: Chris Randles <randles.chris@gmail.com>
Signed-off-by: Sorah Fukumori <her@sorah.jp>
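The split the commit message describes, as an added Go example that is not cert-manager's own code: a Vault `ca_chain` is sorted so that self-signed roots become `ca.crt` while the leaf plus any intermediates become `tls.crt`. The names `SplitChain`, `newCert` and `DemoChain` are assumed for this example, the certificates are a constructed root/intermediate/leaf hierarchy rather than real Vault output, and leaving `ca.crt` empty when `ca_chain` carries no root is an assumption about a case the commit message does not cover.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SplitChain builds tls.crt (leaf + non-root ca_chain entries) and ca.crt (self-signed roots
// from ca_chain). Leaving ca.crt empty when ca_chain has no root is this example's assumption.
func SplitChain(leaf *x509.Certificate, caChain []*x509.Certificate) (tlsCrt, caCrt []*x509.Certificate) {
	tlsCrt = []*x509.Certificate{leaf}
	for _, c := range caChain {
		// A self-issued cert whose signature verifies under its own key is a root.
		if string(c.RawSubject) == string(c.RawIssuer) && c.CheckSignatureFrom(c) == nil {
			caCrt = append(caCrt, c)
		} else {
			tlsCrt = append(tlsCrt, c)
		}
	}
	return tlsCrt, caCrt
}

// newCert issues a constructed test certificate (not Vault output); a nil parent makes it self-signed.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, priv
}

func DemoChain() (leaf, inter, root *x509.Certificate) {
	root, rootKey := newCert("Demo Root", 1, true, nil, nil)
	inter, interKey := newCert("Demo Intermediate", 2, true, root, rootKey)
	leaf, _ = newCert("example.test", 3, false, inter, interKey)
	return leaf, inter, root
}
```

`DemoChain` stands in for Vault's response: the leaf is what the PKI engine issued, and `[inter, root]` plays the role of `ca_chain`.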