unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
ae6547aea8
puppet-prod/doc/vault/setup.md

2.9 KiB
Raw Blame History

root ca

vault secrets enable -path=pki_root pki
vault secrets tune -max-lease-ttl=87600h pki_root

vault write -field=certificate pki_root/root/generate/internal \
     common_name="unkin.net" \
     issuer_name="UNKIN_ROOTCA_2024" \
     ttl=87600h > unkinroot_2024_ca.crt

vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6

vault write pki_root/roles/2024-servers allow_any_name=true

vault write pki_root/config/urls \
     issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
     crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"

intermediate

vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int

vault write -format=json pki_int/intermediate/generate/internal \
     common_name="unkin.net Intermediate Authority" \
     issuer_name="UNKIN_VAULTCA_2024" \
     | jq -r '.data.csr' > pki_intermediate.csr

vault write -format=json pki_root/root/sign-intermediate \
     issuer_ref="UNKIN_ROOTCA_2024" \
     csr=@pki_intermediate.csr \
     format=pem_bundle ttl="43800h" \
     | jq -r '.data.certificate' > intermediate.cert.pem

vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

create role

vault write pki_int/roles/servers_default \
    issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
    allow_ip_sans=true \
    allowed_domains="unkin.net, *.unkin.net, localhost" \
    allow_subdomains=true \
    allow_glob_domains=true \
    allow_bare_domains=true \
    enforce_hostnames=true \
    allow_any_name=true \
    max_ttl="2160h" \
    key_bits=4096 \
    country="Australia"

test generating a domain cert

vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"

remove expired certificates

vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true

enable approles

vault auth enable approle

create certmanager policy and token, limit to puppetmaster

cat <<EOF > certmanager.hcl
path "pki_int/issue/*" {
  capabilities = ["create", "update", "read"]
}
path "pki_int/renew/*" {
  capabilities = ["update"]
}
path "pki_int/cert/*" {
  capabilities = ["read"]
}
EOF

vault policy write certmanager certmanager.hcl

vault write auth/approle/role/certmanager \
    bind_secret_id=false \
    token_policies="certmanager" \
    token_ttl=30s \
    token_max_ttl=30s \
    token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"

get the certmanager approle id

vault read -field=role_id auth/approle/role/certmanager/role-id