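#!/usr/bin/env bash
#
# Bootstrap a two-tier Vault PKI for unkin.net:
#   pki_root  - offline-style root CA ("unkinroot-2024", 10-year TTL)
#   pki_int   - intermediate CA signed by the root (5-year TTL) that issues
#               leaf certificates for unkin.net and its subdomains
#
# Requires: an authenticated `vault` CLI, `jq`, and VAULT_ADDR pointing at
# the server (it is embedded into the AIA/CRL URLs below, so an empty value
# would publish unusable URLs).
#
# Side effects: writes unkinroot_2024_ca.crt, pki_intermediate.csr and
# intermediate.cert.pem into the current directory.

set -euo pipefail

# VAULT_ADDR is interpolated into issuing_certificates / crl_distribution_points;
# abort early rather than configure relative URLs.
: "${VAULT_ADDR:?VAULT_ADDR must be set (used for AIA/CRL URLs)}"

# ---------------------------------------------------------------- root ca
vault secrets enable -path=pki_root pki

vault write -field=certificate pki_root/root/generate/internal \
  common_name="unkin.net" \
  issuer_name="unkinroot-2024" \
  ttl=87600h > unkinroot_2024_ca.crt

# A freshly enabled mount has exactly one issuer; capture its id in a
# variable and quote it so the path is never word-split or globbed.
root_issuer_id=$(vault list -format=json pki_root/issuers/ | jq -r '.[]')
vault read "pki_root/issuer/${root_issuer_id}" | tail -n 6

# NOTE(review): this root-level role accepts any common name. Leaf certs are
# meant to come from pki_int below; confirm this role is actually needed.
vault write pki_root/roles/2024-servers allow_any_name=true

vault write pki_root/config/urls \
  issuing_certificates="${VAULT_ADDR}/v1/pki_root/ca" \
  crl_distribution_points="${VAULT_ADDR}/v1/pki_root/crl"

# ----------------------------------------------------------- intermediate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int

# Generate the intermediate key inside Vault; only the CSR leaves the mount.
vault write -format=json pki_int/intermediate/generate/internal \
  common_name="unkin.net Intermediate Authority" \
  issuer_name="unkin-dot-net-intermediate" \
  | jq -r '.data.csr' > pki_intermediate.csr

# Sign the CSR with the named root issuer and import the result back.
vault write -format=json pki_root/root/sign-intermediate \
  issuer_ref="unkinroot-2024" \
  csr=@pki_intermediate.csr \
  format=pem_bundle ttl="43800h" \
  | jq -r '.data.certificate' > intermediate.cert.pem

vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

# ------------------------------------------------------------ create role
# Leaf role: pinned to the mount's default issuer, restricted to unkin.net
# and its subdomains, leaf lifetime capped at 90 days.
vault write pki_int/roles/unkin-dot-net \
  issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
  allowed_domains="unkin.net" \
  allow_subdomains=true \
  max_ttl="2160h"

# ------------------------------------------- test generating a domain cert
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"

# ---------------------------------------------- remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true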