- add vault module to puppetfile - define class to manage the install and config of vault - manage the datavol and raft storage - manage the unzip and other compression tools - define custom unseal script and service - add documentation on initial setup of vault
# root ca
|
|
vault secrets enable -path=pki_root pki
|
|
|
|
vault write -field=certificate pki_root/root/generate/internal \
|
|
common_name="unkin.net" \
|
|
issuer_name="unkinroot-2024" \
|
|
ttl=87600h > unkinroot_2024_ca.crt
|
|
|
|
vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
|
|
|
|
vault write pki_root/roles/2024-servers allow_any_name=true
|
|
|
|
vault write pki_root/config/urls \
|
|
issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
|
|
crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
|
|
|
|
# intermediate
|
|
vault secrets enable -path=pki_int pki
|
|
vault secrets tune -max-lease-ttl=43800h pki_int
|
|
|
|
vault write -format=json pki_int/intermediate/generate/internal \
|
|
common_name="unkin.net Intermediate Authority" \
|
|
issuer_name="unkin-dot-net-intermediate" \
|
|
| jq -r '.data.csr' > pki_intermediate.csr
|
|
|
|
vault write -format=json pki_root/root/sign-intermediate \
|
|
issuer_ref="unkinroot-2024" \
|
|
csr=@pki_intermediate.csr \
|
|
format=pem_bundle ttl="43800h" \
|
|
| jq -r '.data.certificate' > intermediate.cert.pem
|
|
|
|
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
|
|
|
|
# create role
|
|
vault write pki_int/roles/unkin-dot-net \
|
|
issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
|
|
allowed_domains="unkin.net" \
|
|
allow_subdomains=true \
|
|
max_ttl="2160h"
|
|
|
|
# test generating a domain cert
|
|
vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
|
|
vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
|
|
vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
|
|
|
|
|
|
# remove expired certificates
|
|
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
|