From 2c1434a713883059e5842b0a2067016216e33034 Mon Sep 17 00:00:00 2001
From: Victor Rodriguez
Date: Tue, 4 Mar 2025 13:45:41 -0500
Subject: [PATCH 1/2] Add key_usage support to vault_pki_secret_backend_root_sign_intermediate.
---
 ...i_secret_backend_root_sign_intermediate.go | 10 ++++++++++
 ...ret_backend_root_sign_intermediate_test.go | 19 +++++++++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/vault/resource_pki_secret_backend_root_sign_intermediate.go b/vault/resource_pki_secret_backend_root_sign_intermediate.go
index dd1de5c405..92873110aa 100644
--- a/vault/resource_pki_secret_backend_root_sign_intermediate.go
+++ b/vault/resource_pki_secret_backend_root_sign_intermediate.go
@@ -115,6 +115,15 @@ func pkiSecretBackendRootSignIntermediateResource() *schema.Resource {
 ForceNew: true,
 Default: -1,
 },
+ consts.FieldKeyUsage: {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: "Specify the key usages to be added to the existing set of key usages, CRL,CertSign, on the generated certificate.",
+ ForceNew: true,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
 consts.FieldExcludeCNFromSans: {
 Type: schema.TypeBool,
 Optional: true,
@@ -361,6 +370,7 @@ func pkiSecretBackendRootSignIntermediateCreate(ctx context.Context, d *schema.R
 consts.FieldURISans,
 consts.FieldOtherSans,
 consts.FieldPermittedDNSDomains,
+ consts.FieldKeyUsage,
 }
 
 // Whether name constraints fields (other than permitted_dns_domains), are supproted,
diff --git a/vault/resource_pki_secret_backend_root_sign_intermediate_test.go b/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
index 229ad47def..5d28025b49 100644
--- a/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
+++ b/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
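Review bot: The `Description` string on the new `consts.FieldKeyUsage` schema entry reads `CRL,CertSign`, which looks like a typo for the two usages a CA certificate normally carries (presumably `CRLSign, CertSign`), and as written a reader of the generated docs cannot tell which usages are already implied. Suggested wording: `Description: "Specify the key usages to be added to the existing set of key usages (CRLSign, CertSign) on the generated certificate.",`. The `Elem` schema carries no `ValidateFunc`, so any string in the list reaches the server unchecked; if the intent is to let Vault reject unknown usage names, a one-line comment on the field saying so would save the next maintainer a lookup. The second hunk at `@@ -361` in the same file only appends the field to a name list; how that list is copied into the request lies outside this view.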
@@ -202,6 +202,25 @@ func TestPkiSecretBackendRootSignIntermediate_basic_default(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, consts.FieldUsePSS, "true"),
 ),
 },
+ {
+ SkipFunc: skip(provider.VaultVersion118),
+ Config: testPkiSecretBackendRootSignIntermediateConfig_basic(rootPath, intermediatePath, false,
+ `key_usage = ["KeyAgreement", "CertSign"]`),
+ Check: resource.ComposeTestCheckFunc(
+ checks,
+ resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".#", "2"),
+ resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".0", "KeyAgreement"),
+ resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".1", "CertSign"),
+ testPKICert(resourceName, func(cert *x509.Certificate) error {
+ if 0 == cert.KeyUsage&x509.KeyUsageKeyAgreement || 0 == cert.KeyUsage&x509.KeyUsageCertSign {
+ return fmt.Errorf("KeyUsage expected %b, got %b",
+ x509.KeyUsageKeyAgreement|x509.KeyUsageCertSign,
+ cert.KeyUsage)
+ }
+ return nil
+ }),
+ ),
+ },
 },
 })
 }
From 11710aa57aed016d0b28112dce037798f578fb41 Mon Sep 17 00:00:00 2001
From: Kit Haines
Date: Thu, 3 Apr 2025 13:44:53 -0400
Subject: [PATCH 2/2] Update test to key_usage that is supported on a CA certificate.
---
 ...source_pki_secret_backend_root_sign_intermediate_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/vault/resource_pki_secret_backend_root_sign_intermediate_test.go b/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
index 5d28025b49..cffe5ddafa 100644
--- a/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
+++ b/vault/resource_pki_secret_backend_root_sign_intermediate_test.go
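Review bot: The certificate check inside `testPKICert` tests each usage bit with a separate reversed comparison (`0 == cert.KeyUsage&x509.KeyUsageKeyAgreement || ...`) and then rebuilds the same set by hand in the error message, so the asserted bits and the printed expectation can drift apart on later edits. A single mask keeps them in one place: `want := x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign`, `if cert.KeyUsage&want != want {`, `return fmt.Errorf("KeyUsage expected %b, got %b", want, cert.KeyUsage)`. The step is gated with `SkipFunc: skip(provider.VaultVersion118)` without saying why; a comment such as `// key_usage on root/sign-intermediate presumably needs Vault 1.18+ — TODO confirm the minimum version` would record the reason. The enclosing `TestPkiSecretBackendRootSignIntermediate_basic_default` starts outside the hunk.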
@@ -205,16 +205,16 @@ func TestPkiSecretBackendRootSignIntermediate_basic_default(t *testing.T) {
 {
 SkipFunc: skip(provider.VaultVersion118),
 Config: testPkiSecretBackendRootSignIntermediateConfig_basic(rootPath, intermediatePath, false,
- `key_usage = ["KeyAgreement", "CertSign"]`),
+ `key_usage = ["DigitalSignature", "CertSign"]`),
 Check: resource.ComposeTestCheckFunc(
 checks,
 resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".#", "2"),
- resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".0", "KeyAgreement"),
+ resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".0", "DigitialSignature"),
 resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".1", "CertSign"),
 testPKICert(resourceName, func(cert *x509.Certificate) error {
 if 0 == cert.KeyUsage&x509.KeyUsageKeyAgreement || 0 == cert.KeyUsage&x509.KeyUsageCertSign {
 return fmt.Errorf("KeyUsage expected %b, got %b",
- x509.KeyUsageKeyAgreement|x509.KeyUsageCertSign,
+ x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign|x509.KeyUsageCRLSign,
 cert.KeyUsage)
 }
 return nil
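Review bot: The attribute check for `consts.FieldKeyUsage+".0"` expects `"DigitialSignature"`, but the config two lines above sets `"DigitalSignature"`, so this step fails on the typo before the certificate is ever inspected. The `if` inside `testPKICert` was also left testing `x509.KeyUsageKeyAgreement`, which the config no longer requests, while the expected value printed by `fmt.Errorf` now lists `KeyUsageDigitalSignature|KeyUsageCertSign|KeyUsageCRLSign` — the condition and the message assert different sets, and `CRLSign` is never actually checked, so the test no longer proves the intermediate CA carries the usages it claims. Fix the string and derive the check from one mask so the two cannot diverge; whether Vault adds `CRLSign` when `key_usage` is set is not visible here, so drop it from `want` if the step fails on that bit. The closure and the enclosing test function continue past the end of the hunk.
```go
resource.TestCheckResourceAttr(resourceName, consts.FieldKeyUsage+".0", "DigitalSignature"),
// … unchanged: ".1" CertSign attribute check …
testPKICert(resourceName, func(cert *x509.Certificate) error {
	want := x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if cert.KeyUsage&want != want {
		return fmt.Errorf("KeyUsage expected %b, got %b", want, cert.KeyUsage)
	}
```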