Setting Up Hashicorp Vault with an intermediate CA, based on https://gist.github.com/jefferai/092d2cd728ff66089f17
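#!/usr/bin/env bash
# Setup a Root CA in vault
# Generate and sign an Intermediate cert
#
# Requires:
# * A running vault server already initialized and unsealed
# * Environment variable VAULT_TOKEN is set
# * vault cli (https://www.vaultproject.io)
# * httpie (https://github.com/jkbrzt/httpie)
# * jq (https://stedolan.github.io/jq/)
#
# Optional: VAULT_ADDR selects the server (default http://127.0.0.1:8200); the
# vault cli reads the same variable, so the cli and the http calls below talk
# to the same server.
#
# Note: we use httpie + jq because vault write commands aren't able to return
# formatted json for parsing
#
# Files written to the current directory: acme_com.csr, acme_com.crt and
# foo_acme_com.crt (the last one also contains the private key of foo.acme.com).

# The old "#!/bin/bash -e" was lost when run as "bash script.sh", and -e alone
# does not fail a pipeline whose first stage fails: "http ... | jq" wrote the
# string "null" into the output files whenever the API call was rejected.
set -euo pipefail

: "${VAULT_TOKEN:?VAULT_TOKEN must be set (a token allowed to mount and write the PKI backends)}"
VAULT_ADDR=${VAULT_ADDR:-http://127.0.0.1:8200}
readonly VAULT_ADDR

#######################################
# POST to the vault HTTP API and print selected fields of the JSON reply.
# Globals:   VAULT_ADDR, VAULT_TOKEN (read)
# Arguments: $1 - API path below /v1/
#            $2 - jq filter applied to the reply
#            $@ - further httpie request items (key=value, key=@file)
# Outputs:   the filter result on stdout, one value per line
# Returns:   non-zero when the request fails or the filter yields nothing/null
#######################################
vault_post() {
  local path=$1
  local filter=$2
  shift 2
  local out
  # --check-status turns a non-2xx reply (e.g. permission denied) into a
  # non-zero exit instead of handing an {"errors":[...]} document to jq.
  # The token is passed as a header argument and is therefore visible in the
  # process list of this host for the duration of the request.
  out=$(http --check-status --ignore-stdin POST "${VAULT_ADDR}/v1/${path}" \
          "X-Vault-Token:${VAULT_TOKEN}" "$@" | jq -r "$filter") || return
  if [[ -z "$out" || "$out" == "null" ]]; then
    printf 'vault %s: reply contains no %s\n' "$path" "$filter" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# Mount a PKI backend for the root Certificate authority
echo "Creating root CA"
vault mount -path=root_ca pki

# Set the max TTL for the root CA to 10 years
echo "Tuning root CA"
vault mount-tune -max-lease-ttl="87600h" root_ca

# Generate the root CA keypair, the key is stored internally to vault
echo "Generating root CA cert"
vault write root_ca/root/generate/internal common_name="Acme Inc. Root CA" ttl="87600h"

# TODO: setup CRL and OCSP urls

# Mount the intermediate CA for the zone
echo "Creating intermediate CA"
vault mount -path=intermediate_acme_com pki

# Set the max TTL for acme.com certs to 1 year
echo "Tuning intermediate CA"
vault mount-tune -max-lease-ttl=8760h intermediate_acme_com

# Generate CSR for acme.com to be signed by the root CA, the key is stored
# internally to vault
echo "Generating intermediate CSR"
vault_post intermediate_acme_com/intermediate/generate/internal '.data.csr' \
  common_name=acme.com > acme_com.csr

# Generate and sign the acme.com certificate as an intermediate CA
echo "Get intermediate cert"
vault_post root_ca/root/sign-intermediate '.data.certificate' \
  ttl="8760h" csr=@acme_com.csr > acme_com.crt

# Add signed acme.com certificate to intermediate CA backend
echo "Add intermediate cert"
vault write intermediate_acme_com/intermediate/set-signed certificate=@acme_com.crt

# Create role for issuing acme.com certificates
# Max lease time is 14 days
echo "Create a role for subdomain certs"
vault write intermediate_acme_com/roles/acme_com allowed_domains="acme.com" lease_max="336h" allow_subdomains=true

# Issue a cert for an acme.com subdomain valid for 1 week
echo "Issue a subdomain cert"
# The output file holds the private key, so create it owner-readable only;
# the umask change is confined to the subshell.
( umask 077 && vault_post intermediate_acme_com/issue/acme_com \
    '.data.private_key,.data.certificate,.data.issuing_ca' \
    common_name="foo.acme.com" ttl="168h" > foo_acme_com.crt )

echo "Intermediate CA cert:"
openssl x509 -in acme_com.crt -noout -subject -issuer
echo "Subdomain Cert:"
openssl x509 -in foo_acme_com.crt -noout -subject -issuer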
For pulling down and updating the client key/cert, see: https://github.com/issacg/vault-pki-client