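#!/usr/bin/env bash
# Bootstrap, in HashiCorp Vault: a two-tier X.509 PKI (offline-style root +
# issuing intermediate), an AppRole for the cert-manager client, and an SSH
# host-key signing CA with its own AppRole.
#
# Requires: an authenticated `vault` CLI (VAULT_ADDR / VAULT_TOKEN exported) and `jq`.
# Writes into the current directory: unkinroot_2024_ca.crt, pki_intermediate.csr,
# intermediate.cert.pem, certmanager.hcl, sshsign-host.hcl.
# One-shot bootstrap, not idempotent: with `set -e` a re-run stops at the first
# `vault secrets enable` on a path that already exists.
set -euo pipefail

# config/urls below embeds VAULT_ADDR in the AIA / CRL pointers of every issued
# certificate, so fail fast instead of writing empty URLs into the CA config.
: "${VAULT_ADDR:?VAULT_ADDR must be set}"
command -v jq >/dev/null || { printf 'jq is required\n' >&2; exit 1; }

# PKI
## root ca
vault secrets enable -path=pki_root pki
vault secrets tune -max-lease-ttl=87600h pki_root
vault write -field=certificate pki_root/root/generate/internal \
  common_name="unkin.net" \
  issuer_name="UNKIN_ROOTCA_2024" \
  ttl=87600h > unkinroot_2024_ca.crt
# Print the freshly generated issuer; assumes exactly one issuer exists at this
# point (the jq filter would yield several ids otherwise).
root_issuer_id=$(vault list -format=json pki_root/issuers/ | jq -r '.[]')
vault read "pki_root/issuer/${root_issuer_id}" | tail -n 6
# NOTE(review): allow_any_name=true lets the root issue a leaf cert for any name.
# The root is only meant to sign the intermediate below; consider removing this
# role, or restricting it, once the intermediate is in service.
vault write pki_root/roles/2024-servers allow_any_name=true
vault write pki_root/config/urls \
  issuing_certificates="${VAULT_ADDR}/v1/pki_root/ca" \
  crl_distribution_points="${VAULT_ADDR}/v1/pki_root/crl"

## intermediate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
  common_name="unkin.net Intermediate Authority" \
  issuer_name="UNKIN_VAULTCA_2024" \
  | jq -r '.data.csr' > pki_intermediate.csr
# The intermediate key never leaves Vault; only the CSR crosses to the root.
vault write -format=json pki_root/root/sign-intermediate \
  issuer_ref="UNKIN_ROOTCA_2024" \
  csr=@pki_intermediate.csr \
  format=pem_bundle ttl="43800h" \
  | jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

## create role
# NOTE(review): allow_any_name=true overrides allowed_domains / allow_subdomains /
# enforce_hostnames — any CN or SAN is accepted by this role. Drop it (or set it
# to false) if the domain list below is meant to be enforced; the smoke tests
# further down are all subdomains of unkin.net and still pass without it.
# NOTE(review): `country` is the X.509 C= attribute and should be an ISO 3166-1
# alpha-2 code ("AU"); "Australia" produces a non-conforming subject.
vault write pki_int/roles/servers_default \
  issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
  allow_ip_sans=true \
  allowed_domains="unkin.net, *.unkin.net, localhost" \
  allow_subdomains=true \
  allow_glob_domains=true \
  allow_bare_domains=true \
  enforce_hostnames=true \
  allow_any_name=true \
  max_ttl="2160h" \
  key_bits=4096 \
  country="Australia"

## test generating a domain cert
# These print the issued private keys to stdout; run them interactively, not
# under a logged CI job.
vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"

## remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true

# AUTH
## enable approles
vault auth enable approle

# CERTMANAGER
## create certmanager policy and token, limit to puppetmaster
# Quoted delimiter: the policy is written literally, no shell expansion.
cat <<'EOF' > certmanager.hcl
path "pki_int/issue/*" {
  capabilities = ["create", "update", "read"]
}
path "pki_int/renew/*" {
  capabilities = ["update"]
}
path "pki_int/cert/*" {
  capabilities = ["read"]
}
EOF
vault policy write certmanager certmanager.hcl
# bind_secret_id=false: possession of the role_id alone is enough to log in, so
# token_bound_cidrs is the only gate. Keep the list tight and keep the role_id
# out of logs / repos; the 30s token TTL limits what a leaked token is worth.
vault write auth/approle/role/certmanager \
  bind_secret_id=false \
  token_policies="certmanager" \
  token_ttl=30s \
  token_max_ttl=30s \
  token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
## get the certmanager approle id
vault read -field=role_id auth/approle/role/certmanager/role-id

# SSH Hostkey Signing
## create ssh engine, key, set ttl
vault secrets enable -path=ssh-host-signer ssh
vault write ssh-host-signer/config/ca generate_signing_key=true
vault secrets tune -max-lease-ttl=87600h ssh-host-signer
## create role
# NOTE(review): ttl=87600h gives every signed host key a 10-year lifetime, which
# removes most of the benefit of certificate-based host keys (no natural
# rotation, revocation only via a new CA). A TTL in the weeks-to-months range
# with periodic re-signing is the usual choice.
# The parameter is spelled allow_bare_domains (as in the PKI role above); Vault
# ignores unrecognised keys with only a warning, so the misspelt form would have
# silently left bare-domain host certs disallowed.
vault write ssh-host-signer/roles/hostrole \
  key_type=ca \
  algorithm_signer=rsa-sha2-256 \
  ttl=87600h \
  allow_host_certificates=true \
  allowed_domains="unkin.net" \
  allow_subdomains=true \
  allow_bare_domains=true
## create policy to use hostrole
cat <<'EOF' > sshsign-host.hcl
path "ssh-host-signer/sign/hostrole" {
  capabilities = ["create", "update"]
}
EOF
vault policy write sshsign-host-policy sshsign-host.hcl
# Same trust model as the certmanager role: CIDR binding is the only gate.
vault write auth/approle/role/sshsign-host-role \
  bind_secret_id=false \
  token_policies="sshsign-host-policy" \
  token_ttl=30s \
  token_max_ttl=30s \
  token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
## get the sshsign-host-role approle id
vault read -field=role_id auth/approle/role/sshsign-host-role/role-id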