doc: rename documents to README.md
This commit is contained in:
@@ -0,0 +1,123 @@
|
||||
# PKI
|
||||
## root ca
|
||||
vault secrets enable -path=pki_root pki
|
||||
vault secrets tune -max-lease-ttl=87600h pki_root
|
||||
|
||||
vault write -field=certificate pki_root/root/generate/internal \
|
||||
common_name="unkin.net" \
|
||||
issuer_name="UNKIN_ROOTCA_2024" \
|
||||
ttl=87600h > unkinroot_2024_ca.crt
|
||||
|
||||
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
|
||||
|
||||
vault write pki_root/roles/2024-servers allow_any_name=true
|
||||
|
||||
vault write pki_root/config/urls \
|
||||
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
|
||||
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
|
||||
|
||||
## intermediate
|
||||
vault secrets enable -path=pki_int pki
|
||||
vault secrets tune -max-lease-ttl=43800h pki_int
|
||||
|
||||
vault write -format=json pki_int/intermediate/generate/internal \
|
||||
common_name="unkin.net Intermediate Authority" \
|
||||
issuer_name="UNKIN_VAULTCA_2024" \
|
||||
| jq -r '.data.csr' > pki_intermediate.csr
|
||||
|
||||
vault write -format=json pki_root/root/sign-intermediate \
|
||||
issuer_ref="UNKIN_ROOTCA_2024" \
|
||||
csr=@pki_intermediate.csr \
|
||||
format=pem_bundle ttl="43800h" \
|
||||
| jq -r '.data.certificate' > intermediate.cert.pem
|
||||
|
||||
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
|
||||
|
||||
## create role
|
||||
vault write pki_int/roles/servers_default \
|
||||
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
|
||||
allow_ip_sans=true \
|
||||
allowed_domains="unkin.net, *.unkin.net, localhost" \
|
||||
allow_subdomains=true \
|
||||
allow_glob_domains=true \
|
||||
allow_bare_domains=true \
|
||||
enforce_hostnames=true \
|
||||
allow_any_name=true \
|
||||
max_ttl="2160h" \
|
||||
key_bits=4096 \
|
||||
country="Australia"
|
||||
|
||||
## test generating a domain cert
|
||||
vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
|
||||
vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
|
||||
|
||||
## remove expired certificates
|
||||
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
|
||||
|
||||
# AUTH
|
||||
## enable approles
|
||||
vault auth enable approle
|
||||
|
||||
# CERTMANAGER
|
||||
## create certmanager policy and token, limit to puppetmaster
|
||||
cat <<EOF > certmanager.hcl
|
||||
path "pki_int/issue/*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
path "pki_int/renew/*" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
path "pki_int/cert/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
EOF
|
||||
|
||||
vault policy write certmanager certmanager.hcl
|
||||
|
||||
vault write auth/approle/role/certmanager \
|
||||
bind_secret_id=false \
|
||||
token_policies="certmanager" \
|
||||
token_ttl=30s \
|
||||
token_max_ttl=30s \
|
||||
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
|
||||
|
||||
## get the certmanager approle id
|
||||
vault read -field=role_id auth/approle/role/certmanager/role-id
|
||||
|
||||
|
||||
# SSH Hostkey Signing
|
||||
|
||||
## create ssh engine, key, set ttl
|
||||
vault secrets enable -path=ssh-host-signer ssh
|
||||
vault write ssh-host-signer/config/ca generate_signing_key=true
|
||||
vault secrets tune -max-lease-ttl=87600h ssh-host-signer
|
||||
|
||||
## create role
|
||||
vault write ssh-host-signer/roles/hostrole \
|
||||
key_type=ca \
|
||||
algorithm_signer=rsa-sha2-256 \
|
||||
ttl=87600h \
|
||||
allow_host_certificates=true \
|
||||
allowed_domains="unkin.net" \
|
||||
allow_subdomains=true \
|
||||
allow_baredomains=true
|
||||
|
||||
## create policy to use hostrole
|
||||
cat <<EOF > sshsign-host.hcl
|
||||
path "ssh-host-signer/sign/hostrole" {
|
||||
capabilities = ["create", "update"]
|
||||
}
|
||||
EOF
|
||||
|
||||
vault policy write sshsign-host-policy sshsign-host.hcl
|
||||
|
||||
vault write auth/approle/role/sshsign-host-role \
|
||||
bind_secret_id=false \
|
||||
token_policies="sshsign-host-policy" \
|
||||
token_ttl=30s \
|
||||
token_max_ttl=30s \
|
||||
token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
|
||||
|
||||
## get the sshsign-host-role approle id
|
||||
vault read -field=role_id auth/approle/role/sshsign-host-role/role-id
|
||||
Reference in New Issue
Block a user