GuyBarros · April 29, 2021 10:44
diff --git a/MY_TLS_LOGIN_SETUP b/MY_TLS_LOGIN_SETUP
 ################################################ start #################################################

 ###############################
 export VAULT_ADDR=https://vault.hashidemos.io:8200
 export VAULT_TOKEN=s.evX


 # Set up the PKI Secret Engine
 ###############################
 ## Root CA Mount
 vault secrets enable -path=root_ca pki
 vault secrets tune -max-lease-ttl=87600h root_ca
 vault write -format=json root_ca/root/generate/exported common_name="root-ca" ttl=315360000s > ca.json
 vault write root_ca/config/urls issuing_certificates="https://vault.eu-guystack.original.aws.hashidemos.io:8200/v1/pki/ca" crl_distribution_points="https://vault.eu-guystack.original.aws.hashidemos.io:8200/v1/pki/crl"

 ###############################
 ## Intermediate CA
 vault secrets enable -path=int_ca pki
 vault secrets tune -max-lease-ttl=43800h int_ca
 vault write -format=json int_ca/intermediate/generate/internal \
 common_name="int_ca" \
 | jq -r '.data.csr' > pki_intermediate.csr

 vault write -format=json root_ca/root/sign-intermediate csr=@pki_intermediate.csr \
 format=pem_bundle ttl="43800h" \
 | jq -r '.data.certificate' > intermediate.cert.pem

 vault write int_ca/intermediate/set-signed [email protected]

 ###############################
 ## Roles auth-role
 vault write int_ca/roles/vault-cert \
        allow_bare_domains=true \
        allow_subdomains=true \
        allow_glob_domains=true \
        allow_any_name=true \
        allow_ip_sans=true \
        client_flag=true \
        max_ttl="730h" \
        ttl="720h" \
        generate_lease=true

 # key_usage='["DigitalSignature", "KeyAgreement", "KeyEncipherment","KeyUsageCertSign",]' 


 vault auth enable cert 

 vault policy write vault-cert - <<EOR
 path "pki_int/issue/*" {
    capabilities = ["create", "update"]
    }

 path "pki_int/certs" {
    capabilities = ["list"]
    }

 path "pki_int/revoke" {
    capabilities = ["create", "update"]
    }

 path "pki_int/tidy" {
    capabilities = ["create", "update"]
    }

 path "pki/cert/ca" {
    capabilities = ["read"]
    }

 path "auth/token/renew" {
    capabilities = ["update"]
    }

 path "auth/token/renew-self" {
    capabilities = ["update"]
    }
 # Roles to create, update secrets
 path "/sys/mounts" {
    capabilities = ["read", "update", "list"]
    }
 path "/sys/mounts/*" {
    capabilities = ["update", "create"]
    }

 path "sys/policies/acl" {
    capabilities = ["read"]
    }

 path "secret/*" {
    capabilities = ["read", "create", "update", "delete"]
    }

 EOR

 vault write -format=json int_ca/issue/vault-cert \
 common_name="vault-cert" > return.json 

 cat return.json | jq -r '.data.certificate' > vault-cert-certificate.pem 

 cat return.json | jq -r '.data.issuing_ca' > vault-cert-issuing-ca.pem 

 cat return.json | jq -r '.data.private_key' > vault-cert-private-key.pem



 vault login -method=cert -client-cert=vault-cert-certificate.pem -client-key=vault-cert-private-key.pem name=vault-cert


 ################################ finish #####################################
	################################################ start #################################################

	###############################
	export VAULT_ADDR=https://vault.hashidemos.io:8200
	export VAULT_TOKEN=s.evX


	# Set up the PKI Secret Engine
	###############################
	## Root CA Mount
	vault secrets enable -path=root_ca pki
	vault secrets tune -max-lease-ttl=87600h root_ca
	vault write -format=json root_ca/root/generate/exported common_name="root-ca" ttl=315360000s > ca.json
	vault write root_ca/config/urls issuing_certificates="https://vault.eu-guystack.original.aws.hashidemos.io:8200/v1/pki/ca" crl_distribution_points="https://vault.eu-guystack.original.aws.hashidemos.io:8200/v1/pki/crl"

	###############################
	## Intermediate CA
	vault secrets enable -path=int_ca pki
	vault secrets tune -max-lease-ttl=43800h int_ca
	vault write -format=json int_ca/intermediate/generate/internal \
	common_name="int_ca" \
	\| jq -r '.data.csr' > pki_intermediate.csr

	vault write -format=json root_ca/root/sign-intermediate csr=@pki_intermediate.csr \
	format=pem_bundle ttl="43800h" \
	\| jq -r '.data.certificate' > intermediate.cert.pem

	vault write int_ca/intermediate/set-signed [email protected]

	###############################
	## Roles auth-role
	vault write int_ca/roles/vault-cert \
	allow_bare_domains=true \
	allow_subdomains=true \
	allow_glob_domains=true \
	allow_any_name=true \
	allow_ip_sans=true \
	client_flag=true \
	max_ttl="730h" \
	ttl="720h" \
	generate_lease=true

	# key_usage='["DigitalSignature", "KeyAgreement", "KeyEncipherment","KeyUsageCertSign",]'


	vault auth enable cert

	vault policy write vault-cert - <<EOR
	path "pki_int/issue/*" {
	capabilities = ["create", "update"]
	}

	path "pki_int/certs" {
	capabilities = ["list"]
	}

	path "pki_int/revoke" {
	capabilities = ["create", "update"]
	}

	path "pki_int/tidy" {
	capabilities = ["create", "update"]
	}

	path "pki/cert/ca" {
	capabilities = ["read"]
	}

	path "auth/token/renew" {
	capabilities = ["update"]
	}

	path "auth/token/renew-self" {
	capabilities = ["update"]
	}
	# Roles to create, update secrets
	path "/sys/mounts" {
	capabilities = ["read", "update", "list"]
	}
	path "/sys/mounts/*" {
	capabilities = ["update", "create"]
	}

	path "sys/policies/acl" {
	capabilities = ["read"]
	}

	path "secret/*" {
	capabilities = ["read", "create", "update", "delete"]
	}

	EOR

	vault write -format=json int_ca/issue/vault-cert \
	common_name="vault-cert" > return.json

	cat return.json \| jq -r '.data.certificate' > vault-cert-certificate.pem

	cat return.json \| jq -r '.data.issuing_ca' > vault-cert-issuing-ca.pem

	cat return.json \| jq -r '.data.private_key' > vault-cert-private-key.pem



	vault login -method=cert -client-cert=vault-cert-certificate.pem -client-key=vault-cert-private-key.pem name=vault-cert


	################################ finish #####################################