unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

Doc updates:

Browse Source 
- updated issuer names
- updated max-leas-ttl for root/int ca
This commit is contained in:
Ben Vincent 2024-02-25 22:06:56 +11:00
parent 49f405e0bc
commit fd5c3dbce2
1 changed files with 16 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
doc/vault/setup.md
View File

@ -1,9 +1,10 @@
# root ca # root ca
vault secrets enable -path=pki_root pki vault secrets enable -path=pki_root pki
vault secrets tune -max-lease-ttl=87600h pki_root
vault write -field=certificate pki_root/root/generate/internal \ vault write -field=certificate pki_root/root/generate/internal \
common_name="unkin.net" \ common_name="unkin.net" \
issuer_name="unkinroot-2024" \ issuer_name="UNKIN_ROOTCA_2024" \
ttl=87600h > unkinroot_2024_ca.crt ttl=87600h > unkinroot_2024_ca.crt
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6 vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
@ -20,11 +21,11 @@
vault write -format=json pki_int/intermediate/generate/internal \ vault write -format=json pki_int/intermediate/generate/internal \
common_name="unkin.net Intermediate Authority" \ common_name="unkin.net Intermediate Authority" \
issuer_name="unkin-dot-net-intermediate" \ issuer_name="UNKIN_VAULTCA_2024" \
| jq -r '.data.csr' > pki_intermediate.csr | jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki_root/root/sign-intermediate \ vault write -format=json pki_root/root/sign-intermediate \
issuer_ref="unkinroot-2024" \ issuer_ref="UNKIN_ROOTCA_2024" \
csr=@pki_intermediate.csr \ csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \ format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem | jq -r '.data.certificate' > intermediate.cert.pem
@ -32,17 +33,20 @@
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
# create role # create role
vault write pki_int/roles/unkin-dot-net \ vault write pki_int/roles/servers_default \
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \ issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
allow_ip_sans=true \ allow_ip_sans=true \
allowed_domains="unkin.net" \ allowed_domains="unkin.net" \
allow_subdomains=true \ allow_subdomains=true \
max_ttl="2160h" allow_bare_domains=true \
max_ttl="2160h" \
key_bits=4096 \
country="Australia"
# test generating a domain cert # test generating a domain cert
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h" vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h" vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h" vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
# remove expired certificates # remove expired certificates