User certificates with empty principals?

[Brian Candler]

On 21/02/2021 22:05, Rory Campbell-Lange wrote:
> Can one not configure vault to never issue certificates without a
> principals list? If not perhaps Hashicorp can be persuaded to add the
> option.

Not as far as I can see, and I don't want to raise a feature request 
without a valid use case.

*Host* certificates may be the driver.  ssh-keygen suggests that a host 
certificate with no principals can masquerade as any host (but I haven't 
tested it yet).