From fd5c3dbce2036ad748d06d661672b1bfef332809 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 25 Feb 2024 22:06:56 +1100
Subject: [PATCH] Doc updates: - updated issuer names - updated max-leas-ttl for root/int ca
---
 doc/vault/setup.md | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/doc/vault/setup.md b/doc/vault/setup.md
index 8e4f23b..33a8d03 100644
--- a/doc/vault/setup.md
+++ b/doc/vault/setup.md
@@ -1,9 +1,10 @@
 # root ca
 vault secrets enable -path=pki_root pki
+ vault secrets tune -max-lease-ttl=87600h pki_root
 vault write -field=certificate pki_root/root/generate/internal \
 common_name="unkin.net" \
- issuer_name="unkinroot-2024" \
+ issuer_name="UNKIN_ROOTCA_2024" \
 ttl=87600h > unkinroot_2024_ca.crt
 vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
@@ -20,11 +21,11 @@ vault write -format=json pki_int/intermediate/generate/internal \
 common_name="unkin.net Intermediate Authority" \
- issuer_name="unkin-dot-net-intermediate" \
+ issuer_name="UNKIN_VAULTCA_2024" \
 | jq -r '.data.csr' > pki_intermediate.csr
 vault write -format=json pki_root/root/sign-intermediate \
- issuer_ref="unkinroot-2024" \
+ issuer_ref="UNKIN_ROOTCA_2024" \
 csr=@pki_intermediate.csr \
 format=pem_bundle ttl="43800h" \
 | jq -r '.data.certificate' > intermediate.cert.pem
@@ -32,17 +33,20 @@ vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
 # create role
- vault write pki_int/roles/unkin-dot-net \
- issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
- allow_ip_sans=true \
- allowed_domains="unkin.net" \
- allow_subdomains=true \
- max_ttl="2160h"
+ vault write pki_int/roles/servers_default \
+ issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
+ allow_ip_sans=true \
+ allowed_domains="unkin.net" \
+ allow_subdomains=true \
+ allow_bare_domains=true \
+ max_ttl="2160h" \
+ key_bits=4096 \
+ country="Australia"
 # test generating a domain cert
- vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
- vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
- vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
+ vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
+ vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
+ vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
 # remove expired certificates