Doc updates:

- updated issuer names - updated max-leas-ttl for root/int ca
2024-02-25 22:06:56 +11:00 · 2024-02-25 22:06:56 +11:00 · fd5c3dbce2
commit fd5c3dbce2
parent 49f405e0bc
1 changed files with 16 additions and 12 deletions
--- a/doc/vault/setup.md
+++ b/doc/vault/setup.md
@ -1,9 +1,10 @@
 # root ca
    vault secrets enable -path=pki_root pki
+    vault secrets tune -max-lease-ttl=87600h pki_root

    vault write -field=certificate pki_root/root/generate/internal \
         common_name="unkin.net" \
-         issuer_name="unkinroot-2024" \
+         issuer_name="UNKIN_ROOTCA_2024" \
         ttl=87600h > unkinroot_2024_ca.crt

    vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
@ -20,11 +21,11 @@

    vault write -format=json pki_int/intermediate/generate/internal \
         common_name="unkin.net Intermediate Authority" \
-         issuer_name="unkin-dot-net-intermediate" \
+         issuer_name="UNKIN_VAULTCA_2024" \
         | jq -r '.data.csr' > pki_intermediate.csr

    vault write -format=json pki_root/root/sign-intermediate \
-         issuer_ref="unkinroot-2024" \
+         issuer_ref="UNKIN_ROOTCA_2024" \
         csr=@pki_intermediate.csr \
         format=pem_bundle ttl="43800h" \
         | jq -r '.data.certificate' > intermediate.cert.pem
@ -32,17 +33,20 @@
    vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

 # create role
-    vault write pki_int/roles/unkin-dot-net \
-         issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
-         allow_ip_sans=true \
-         allowed_domains="unkin.net" \
-         allow_subdomains=true \
-         max_ttl="2160h"
+    vault write pki_int/roles/servers_default \
+        issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
+        allow_ip_sans=true \
+        allowed_domains="unkin.net" \
+        allow_subdomains=true \
+        allow_bare_domains=true \
+        max_ttl="2160h" \
+        key_bits=4096 \
+        country="Australia"

 # test generating a domain cert
-    vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
-    vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
-    vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
+    vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
+    vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
+    vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"


 # remove expired certificates