What are the required certificate usages for Custom-Issuer and Spaces CA in Upbound Spaces?
Last updated: June 11, 2026
Context
When configuring a Vault-based ClusterIssuer for Upbound Spaces (Self-Hosted), it is important to correctly scope the Vault PKI roles and certificate usages for each certificate. This article clarifies the required certificate usages for each certificate across the two supported approaches: one that retains a Spaces intermediate CA (spaces-ca), and one that uses only leaf certificates.
Answer
Approach 1: Single ClusterIssuer with Spaces Intermediate CA (spaces-ca retained)
In this approach the custom issuer signs every certificate directly, spaces-ca included. The spaces-ca certificate exists only for internal TLS bundle management; it does not itself issue any leaf certificates, which is why it is the only certificate in the set that needs CA key usages.
| Certificate | Required Usages |
| --- | --- |
| spaces-ca | cert sign, crl sign |
| | server auth |
| | digital signature, key encipherment |
| | digital signature, key encipherment |
Approach 2: No Spaces CA (Leaf Certificates Only)
In this approach the custom issuer issues the same leaf certificates as in Approach 1, just without spaces-ca. Their required usages are exactly those listed for the respective certificates in the table above.
Do any leaf certificates require cert-sign or crl-sign?
No. In both approaches, no leaf certificates require cert-sign or crl-sign. Only spaces-ca (Approach 1 only) requires these usages.
Do any certificates require the signing usage?
No. In the current design, no certificate requires the signing usage. The mxp-hostcluster-certs certificate, which previously carried it, has been removed. Note that cert-manager maps both the signing and the digital signature usage strings to the same X.509 Key Usage bit (digitalSignature), so the two leaf certificates that require digital signature above do not need any further usage to cover signing.
This ensures that Vault PKI roles can be correctly and minimally scoped, and that CA capabilities are only enabled where functionally necessary (i.e., only for spaces-ca in Approach 1).
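As an added verification example (not Upbound's, cert-manager's or Vault's code), the following Go program encodes the Approach 1 table as usage profiles and checks certificates against them: the CA flag and Key Usage bits must match the profile exactly, any cert sign or crl sign bit on a non-CA certificate is reported on its own, and a required extended key usage such as server auth must be present. Everything it inspects is constructed in-process: a self-signed stand-in for the custom issuer signs a spaces-ca intermediate, a correctly scoped server-auth leaf, and a deliberately over-scoped leaf that also carries cert sign, which is what a Vault role granting CertSign to leaf certificates would produce. The Profile type, the CheckUsages and Demo functions and the leaf names are assumptions for illustration; the real Spaces leaf certificate names are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caBits are the two Key Usage bits that only spaces-ca (Approach 1) may carry.
const caBits = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

// Profile is the exact usage set the table prescribes for one certificate (assumed type, not cert-manager's).
type Profile struct {
	Name        string
	IsCA        bool
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
}

// Profiles transcribed from the table; the real leaf certificate names are not reproduced here.
var (
	ProfileSpacesCA       = Profile{Name: "spaces-ca", IsCA: true, KeyUsage: caBits}
	ProfileServerAuthLeaf = Profile{Name: "server-auth leaf", ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	ProfileSigEncLeaf     = Profile{Name: "signature/encipherment leaf", KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
)

// CheckUsages returns one finding per deviation from the profile; an empty result means correctly scoped.
func CheckUsages(cert *x509.Certificate, p Profile) []string {
	var out []string
	if cert.IsCA != p.IsCA {
		out = append(out, fmt.Sprintf("%s: Basic Constraints CA=%v, want %v", p.Name, cert.IsCA, p.IsCA))
	}
	if cert.KeyUsage != p.KeyUsage { // exact match: missing bits break TLS, extra bits widen the Vault role
		out = append(out, fmt.Sprintf("%s: key usage %#x, want %#x", p.Name, cert.KeyUsage, p.KeyUsage))
	}
	if !p.IsCA && cert.KeyUsage&caBits != 0 { // the article's headline rule: no CA bits on any leaf
		out = append(out, p.Name+": cert sign / crl sign present on a leaf certificate")
	}
	for _, want := range p.ExtKeyUsage {
		found := false
		for _, got := range cert.ExtKeyUsage {
			found = found || got == want
		}
		if !found {
			out = append(out, fmt.Sprintf("%s: missing extended key usage %d", p.Name, want))
		}
	}
	return out
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a certificate whose extensions follow p (self-signed when parent is nil); constructed fixture data only.
func issue(p Profile, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: p.Name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: p.IsCA, KeyUsage: p.KeyUsage, ExtKeyUsage: p.ExtKeyUsage,
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Demo builds a constructed Approach 1 chain (a stand-in custom issuer signs spaces-ca and the leaves directly) and returns the findings per certificate.
func Demo() map[string][]string {
	rootCert, rootKey := issue(Profile{Name: "custom-issuer (stand-in)", IsCA: true, KeyUsage: caBits}, 1, nil, nil)
	spacesCert, _ := issue(ProfileSpacesCA, 2, rootCert, rootKey)
	goodCert, _ := issue(ProfileServerAuthLeaf, 3, rootCert, rootKey)
	bad := ProfileSigEncLeaf // what a Vault role that also grants CertSign to leaves would produce
	bad.KeyUsage |= x509.KeyUsageCertSign
	badCert, _ := issue(bad, 4, rootCert, rootKey)
	return map[string][]string{
		"spaces-ca":        CheckUsages(spacesCert, ProfileSpacesCA),
		"server-auth-leaf": CheckUsages(goodCert, ProfileServerAuthLeaf),
		"over-scoped-leaf": CheckUsages(badCert, ProfileSigEncLeaf),
	}
}

func main() {
	fmt.Println(Demo()) // an empty list for a certificate means it is correctly scoped
}
```

To run the same check against a live installation, decode the tls.crt entry of each cert-manager-issued Secret with pem.Decode and x509.ParseCertificate and pass the result to CheckUsages with the matching profile; a non-empty result on a leaf is the signal that the Vault role behind the ClusterIssuer is broader than this article requires.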