Role Allows Implicit Localhost Issuance

Perform the recommended actions that ensures roles do not unintentionally allow certificates to be issued for localhost-based domains.

This health check ensures that roles do not unintentionally allow certificates to be issued for localhost-based domains. Allowing implicit localhost issuance (via allow_localhost=true) in combination with non-empty allowed_domainsmay pose a security risk by enabling certificates for internal or unintended hostnames.

Health Check Name: role_allows_localhost

Accessed APIs

API Endpoint

Description

LIST /roles

Lists all defined roles

READ /roles/:name

Reads the configuration of a specific role

Configuration Parameters None

Health Check Results

Check Condition

Description

allow_localhost is set to true

The role permits implicit certificate issuance for localhost or localhost-like domains.

allowed_domains contains one or more entries

The role allows issuance for specific domains, which may unintentionally include localhost.

Both conditions (allow_localhost=true and non-empty allowed_domains) are true

A warning is issued, indicating a risk of unintended certificate issuance for localhost.

Recommended Actions

Set allow_localhost=false for all roles.
Update the allowed_domains field to include only explicitly approved domains, avoiding vague or wildcard domain entries that could inadvertently include localhost-style hostnames.

PreviousRoot Certificate Issued Non-CA Leaves NextRole Allows Glob-Based Wildcard Issuance

Last updated 3 months ago

Was this helpful?