diff --git a/doc/vault/setup.md b/doc/vault/setup.md
index 291f06d..f2a956e 100644
--- a/doc/vault/setup.md
+++ b/doc/vault/setup.md
@@ -1,4 +1,5 @@
-# root ca
+# PKI
+## root ca
 vault secrets enable -path=pki_root pki
 vault secrets tune -max-lease-ttl=87600h pki_root
@@ -15,7 +16,7 @@
 issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
 crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
-# intermediate
+## intermediate
 vault secrets enable -path=pki_int pki
 vault secrets tune -max-lease-ttl=43800h pki_int
@@ -32,7 +33,7 @@
 vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
-# create role
+## create role
 vault write pki_int/roles/servers_default \
 issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
 allow_ip_sans=true \
@@ -46,18 +47,20 @@
 key_bits=4096 \
 country="Australia"
-# test generating a domain cert
+## test generating a domain cert
 vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
 vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
 vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
-# remove expired certificates
+## remove expired certificates
 vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
-# enable approles
+# AUTH
+## enable approles
 vault auth enable approle
-# create certmanager policy and token, limit to puppetmaster
+# CERTMANAGER
+## create certmanager policy and token, limit to puppetmaster
 cat < certmanager.hcl
 path "pki_int/issue/*" {
 capabilities = ["create", "update", "read"]
@@ -79,5 +82,5 @@
 token_max_ttl=30s \
 token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
-# get the certmanager approle id
+## get the certmanager approle id
 vault read -field=role_id auth/approle/role/certmanager/role-id