# root ca
    vault secrets enable -path=pki_root pki
    vault secrets tune -max-lease-ttl=87600h pki_root

    vault write -field=certificate pki_root/root/generate/internal \
         common_name="unkin.net" \
         issuer_name="UNKIN_ROOTCA_2024" \
         ttl=87600h > unkinroot_2024_ca.crt

    vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6

    vault write pki_root/roles/2024-servers allow_any_name=true

    vault write pki_root/config/urls \
         issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
         crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"

# intermediate
    vault secrets enable -path=pki_int pki
    vault secrets tune -max-lease-ttl=43800h pki_int

    vault write -format=json pki_int/intermediate/generate/internal \
         common_name="unkin.net Intermediate Authority" \
         issuer_name="UNKIN_VAULTCA_2024" \
         | jq -r '.data.csr' > pki_intermediate.csr

    vault write -format=json pki_root/root/sign-intermediate \
         issuer_ref="UNKIN_ROOTCA_2024" \
         csr=@pki_intermediate.csr \
         format=pem_bundle ttl="43800h" \
         | jq -r '.data.certificate' > intermediate.cert.pem

    vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

# create role
    vault write pki_int/roles/servers_default \
        issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
        allow_ip_sans=true \
        allowed_domains="unkin.net,prod*" \
        allow_subdomains=true \
        allow_bare_domains=true \
        allow_glob_domains=true \
        max_ttl="2160h" \
        key_bits=4096 \
        country="Australia"

# test generating a domain cert
    vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
    vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
    vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"


# remove expired certificates
    vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true

# enable approles
    vault auth enable approle

# create certmanager policy and token, limit to puppetmaster
    cat <<EOF > certmanager.hcl
    path "pki_int/issue/*" {
      capabilities = ["create", "update", "read"]
    }
    path "pki_int/renew/*" {
      capabilities = ["update"]
    }
    path "pki_int/cert/*" {
      capabilities = ["read"]
    }
    EOF

    vault policy write certmanager certmanager.hcl

    vault write auth/approle/role/certmanager \
        bind_secret_id=false \
        token_policies="certmanager" \
        token_ttl=30s \
        token_max_ttl=30s \
        token_bound_cidrs="198.18.17.3/32"

# get the certmanager approle id
    vault read -field=role_id auth/approle/role/certmanager/role-id