Created
March 15, 2017 21:00
-
-
Save Toady00/bf3dc9db6b827ffb798b925b112637e6 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vault mount \ | |
| --path levvel \ | |
| --description "Example CA for vault demo" \ | |
| pki | |
| vault mount-tune \ | |
| --max-lease-ttl 87600h \ | |
| levvel | |
| vault write \ | |
| levvel/root/generate/internal \ | |
| common_name="Levvel Vault Blog Root CA" \ | |
| ttl=87600h \ | |
| key_bits=4096 \ | |
| exclude_cn_from_sans=true | |
| vault write \ | |
| levvel/config/urls \ | |
| issuing_certificates=http://vault.demo.levvel:8200/v1/levvel | |
| vault mount \ | |
| --path levvel_ops \ | |
| --description "Intermediate VA for vault demo" \ | |
| pki | |
| vault mount-tune \ | |
| --max-lease-ttl 87600h \ | |
| levvel_ops | |
| vault write \ | |
| levvel_ops/intermediate/generate/internal \ | |
| common_name="Levvel Vault Blog Intermediate CA" \ | |
| ttl=87600h \ | |
| key_bits=4096 \ | |
| exclude_cn_from_sans=true | |
| #Copy the certificate that's returned into a file named int.csr in the current directory. | |
| #The file should start with `-----BEGIN CERTIFICATE REQUEST-----` and end with | |
| #`-----END CERTIFICATE REQUEST-----` | |
| vault write \ | |
| levvel/root/sign-intermediate \ | |
| [email protected] \ | |
| common_name="Levvel Vault Blog Intermediate CA" \ | |
| ttl=26280h | |
| #There should be two certs returned this time. One is `certificate` the other is | |
| #the `issuing_ca` certificate. You want the `certificate`. Copy this certificate | |
| #into a file. This time name the file int.crt. Place it in the current directory | |
| #again. | |
| vault write \ | |
| levvel_ops/intermediate/set-signed \ | |
| [email protected] | |
| vault write \ | |
| levvel_ops/config/urls \ | |
| issuing_certificates="http://vault.demo.levvel:8200/va/levvel_ops/ca" \ | |
| crl_distribution_points="http://vault.demo.levvel:8200/v1/levvel_ops/crl" | |
| vault write \ | |
| levvel_ops/roles/consul \ | |
| key_bits=2048 \ | |
| max_ttl=8760h \ | |
| allowed_domains=server.vpc-cae5acac.consul \ | |
| allow_bare_domains=true | |
| vault write \ | |
| levvel_ops/issue/consul \ | |
| common_name="server.vpc-cae5acac.consul" \ | |
| ttl=720h \ | |
| format=pem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {{ with secret "levvel_ops/issue/consul" "common_name=server.vpc-cae5aca.consul" }} | |
| {{ .Data.serial_number }} | |
| {{ .Data.certificate | plugin "write_cert_plugin" "/etc/consul.d/ssl/server.vpc-cae5aca.consul.crt" "consul" }} | |
| {{ .Data.private_key | plugin "write_cert" "/etc/consul.d/ssl/server.vpc-cae5aca.consul.key" "consul" }} | |
| {{ .Data.issuing_ca | plugin "write_cert" "/etc/consul.d/ssl/ca.crt" "consul" }} | |
| {{ end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "datacenter": "vpc-cae5acac", | |
| "data_dir": "/var/lib/consul", | |
| "log_level": "INFO", | |
| "node_name": "consul1", | |
| "server": true, | |
| "ui": true, | |
| "encrypt": "K9ppVslll6vxUIBSvtg0Zw==", | |
| "ca_file": "/etc/consul.d/ssl/ca.crt", | |
| "cert_file": "/etc/consul.d/ssl/server.vpc-cae5aca.consul.crt", | |
| "key_file": "/etc/consul.d/ssl/server.vpc-cae5aca.consul.key", | |
| "verify_incoming": true, | |
| "verify_outgoing": true, | |
| "verify_server_hostname": true | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vault { | |
| address = "http://vault.demo.levvel:8200" | |
| token = "b71a0d28-47e5-4cea-fb5c-d1dee418602f" | |
| renew_token = false | |
| } | |
| template { | |
| source = "/etc/consul-template.d/consul_cert.ctmpl" | |
| destination = "/etc/consul.d/ssl/server.vpc-cae5acac.consul.serial" | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -ex | |
| file=$1 | |
| owner=$2 | |
| data=$3 | |
| echo $data > $file | |
| chmod 0600 $file | |
| chown $owner:$owner $file | |
| exit |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment