GuyBarros/manual_pki.sh

## manual_pki.sh
export VAULT_ADDR=https://localhost:8200
export VAULT_TOKEN=root
CHILD_CA=admin/kms

# Root CA
vault secrets enable -path=pki_root pki
# tune to 10 years
vault secrets tune -max-lease-ttl=87600h pki_root

# Generate internal certificate
vault write -field=certificate pki_root/root/generate/internal \
     common_name="example.com" \
     issuer_name="root-2024" \
     ttl=87600h > root_2024_ca.crt

# Configure root CA CRL and CA public endpoint
vault write pki/config/urls \
     issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
     crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"


# Int CA in different namespace
# Mount the secret engine in different namespace
vault secrets enable -path=pki_int -namespace=$CHILD_CA pki

# Tune to 5 years
vault secrets tune -max-lease-ttl=43800h -namespace=$CHILD_CA pki_int

# Create the certificate signing request
vault write -format=json -namespace=$CHILD_CA pki_int/intermediate/generate/internal \
     common_name="example.com Intermediate Authority" \
     | jq -r '.data.csr' > pki_intermediate.csr

# Sign the generated csr with the ca root
vault write -format=json pki_root/root/sign-intermediate \
     csr=@pki_intermediate.csr \
      ttl="43800h" \
     | jq -r '.data.certificate' > intermediate.cert.pem

# Add the signed cert to the int ca
vault write -namespace=$CHILD_CA pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

# Create leaf CA (Issuing CA)
vault write -namespace=$CHILD_CA pki_int/roles/example-dot-com \
     allowed_domains="example.com" \
     allow_subdomains=true \
     max_ttl="720h"


# test leaf CA
vault write -namespace=$CHILD_CA pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"
	export VAULT_ADDR=https://localhost:8200
	export VAULT_TOKEN=root
	CHILD_CA=admin/kms

	# Root CA
	vault secrets enable -path=pki_root pki
	# tune to 10 years
	vault secrets tune -max-lease-ttl=87600h pki_root

	# Generate internal certificate
	vault write -field=certificate pki_root/root/generate/internal \
	common_name="example.com" \
	issuer_name="root-2024" \
	ttl=87600h > root_2024_ca.crt

	# Configure root CA CRL and CA public endpoint
	vault write pki/config/urls \
	issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
	crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"


	# Int CA in different namespace
	# Mount the secret engine in different namespace
	vault secrets enable -path=pki_int -namespace=$CHILD_CA pki

	# Tune to 5 years
	vault secrets tune -max-lease-ttl=43800h -namespace=$CHILD_CA pki_int

	# Create the certificate signing request
	vault write -format=json -namespace=$CHILD_CA pki_int/intermediate/generate/internal \
	common_name="example.com Intermediate Authority" \
	\| jq -r '.data.csr' > pki_intermediate.csr

	# Sign the generated csr with the ca root
	vault write -format=json pki_root/root/sign-intermediate \
	csr=@pki_intermediate.csr \
	ttl="43800h" \
	\| jq -r '.data.certificate' > intermediate.cert.pem

	# Add the signed cert to the int ca
	vault write -namespace=$CHILD_CA pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

	# Create leaf CA (Issuing CA)
	vault write -namespace=$CHILD_CA pki_int/roles/example-dot-com \
	allowed_domains="example.com" \
	allow_subdomains=true \
	max_ttl="720h"


	# test leaf CA
	vault write -namespace=$CHILD_CA pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"