vault 1.11+ non disruptive pki rotation example script

vault-non-disruptive-pki-rotation_sh

#!/usr/bin/env zsh

###########
# Root CA #
###########

vault secrets enable pki

vault secrets tune -max-lease-ttl=87600h pki

vault write -field=certificate pki/root/generate/internal \
    common_name="example.com" \
    issuer_name="root-2022" \
    ttl=87600h > root_2022_ca.pem

vault list pki/issuers

# vault write pki/roles/2022-servers allow_any_name=true

vault write pki/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

###################
# Intermediate CA #
###################

vault secrets enable -path=pki_int pki

vault secrets tune -max-lease-ttl=43800h pki_int

vault write -format=json pki_int/intermediate/generate/internal \
    common_name="example.com Intermediate Authority" \
    | jq -r '.data.csr' > intermediate_2022_ca.csr

vault write -format=json pki/root/sign-intermediate \
    issuer_ref="root-2022" \
    csr=@intermediate_2022_ca.csr \
    format=pem_bundle ttl="43800h" \
    | jq -r '.data.certificate' > intermediate_2022_ca.pem

vault write pki_int/issuer/$(vault write -format=json pki_int/intermediate/set-signed certificate=@intermediate_2022_ca.pem | jq -r '.data.mapping | keys[1]') issuer_name="intermediate-2022"

###########################
# Create Certificate Role #
###########################

vault write pki_int/roles/example-dot-com \
    issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
    allowed_domains="example.com" \
    allow_subdomains=true \
    max_ttl="720h"

######################
# Issue Certificates #
######################

vault write -field=certificate pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h" | tee cert1.pem

############################
# Intermediate CA Rotation #
############################
#For cross-signing Encryption keys and common_name need to remain the same.

vault write -format=json pki_int/intermediate/cross-sign \
    common_name="example.com Intermediate Authority" \
    | jq -r '.data.csr' > intermediate_2023_ca.csr

vault write -format=json pki/root/sign-intermediate \
    issuer_ref="root-2022" \
    csr=@intermediate_2023_ca.csr \
    format=pem_bundle ttl="43800h" \
    | jq -r '.data.certificate' > intermediate_2023_ca.pem

vault write pki_int/issuer/$(vault write -format=json pki_int/intermediate/set-signed certificate=@intermediate_2023_ca.pem | jq -r '.data.mapping | keys[1]') issuer_name="intermediate-2023"

vault write pki_int/config/issuers default="intermediate-2023"

######################
# Issue Certificates #
######################

vault write -field=certificate pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h" | tee cert2.pem

######################
# Verify Certificate #
######################

openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2022_ca.pem cert1.pem
openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2023_ca.pem cert2.pem
openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2022_ca.pem cert2.pem
openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2023_ca.pem cert1.pem

######################
# Revoke Certificate #
######################

vault write pki_int/revoke serial_number="<serial_number>"

#############
# Parse CRL #
#############

vault read -field=certificate pki_int/cert/crl | openssl crl -text -noout

#################
# Tidy Up Files #
#################

rm -f \
    root_2022_ca.pem \
    intermediate_2022_ca.csr \
    intermediate_2022_ca.pem \
    intermediate_2023_ca.csr \
    intermediate_2023_ca.pem \
    cert1.pem \
    cert2.pem