Minor follow-ups to hashicorp#16865 (hashicorp#20220) (hashicorp#20222)

* Minor follow-ups to hashicorp#16865 Fix PKI issuer upgrade logic when upgrading to 1.12 or later, to actually turn off the issuer crl-signing usage when it intended to. Fix minor typo in docs. * changelog Co-authored-by: Max Bowsher <maxbowsher@gmail.com>
fopina · Apr 18, 2023 · 73f8213 · 73f8213
1 parent d8cf0fe
commit 73f8213
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/builtin/logical/pki/storage.go b/builtin/logical/pki/storage.go
@@ -706,7 +706,7 @@ func (sc *storageContext) upgradeIssuerIfRequired(issuer *issuerEntry) *issuerEn
 		// Remove CRL signing usage if it exists on the issuer but doesn't
 		// exist in the KU of the x509 certificate.
 		if hadCRL && (cert.KeyUsage&x509.KeyUsageCRLSign) == 0 {
-			issuer.Usage.ToggleUsage(OCSPSigningUsage)
+			issuer.Usage.ToggleUsage(CRLSigningUsage)
 		}
 
 		// Handle our new OCSPSigning usage flag for earlier versions. If we

diff --git a/changelog/20220.txt b/changelog/20220.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it
+```
diff --git a/website/content/api-docs/secret/pki.mdx b/website/content/api-docs/secret/pki.mdx
@@ -2058,7 +2058,7 @@ imported entries present in the same bundle).
    issuers. This means the returned certificate _may_ differ in encoding from
    the one provided on subsequent re-imports of the same issuer or key.
 
-~> Note: This import may fail due to CRL rebuilding issuers or other potential
+~> Note: This import may fail due to CRL rebuilding issues or other potential
    issues; this may impact long-term use of these issuers, but some issuers or
    keys may still be imported as a result of this process.