GuyBarros/MY_TLS_LOGIN_SETUP

## MY_TLS_LOGIN_SETUP
################################################ start #################################################

###############################
export VAULT_ADDR=https://vault.hashidemos.io:8200
export VAULT_TOKEN=s.evX


# Set up the PKI Secret Engine
###############################
## Root CA Mount
vault secrets enable -path=root_ca pki
vault secrets tune -max-lease-ttl=87600h root_ca
vault write -format=json root_ca/root/generate/exported common_name="root-ca" ttl=315360000s > ca.json
vault write root_ca/config/urls issuing_certificates="https://vault.eu-guystack.original.aws.hashidemos.io:8200/v1/pki/ca" crl_distribution_points="https://vault.eu-guystack.original.aws.hashidemos.io:8200/v1/pki/crl"

###############################
## Intermediate CA
vault secrets enable -path=int_ca pki
vault secrets tune -max-lease-ttl=43800h int_ca
 vault write -format=json int_ca/intermediate/generate/internal \
 common_name="int_ca" \
 | jq -r '.data.csr' > pki_intermediate.csr

 vault write -format=json root_ca/root/sign-intermediate csr=@pki_intermediate.csr \
 format=pem_bundle ttl="43800h" \
 | jq -r '.data.certificate' > intermediate.cert.pem

vault write int_ca/intermediate/set-signed certificate=@intermediate.cert.pem

###############################
## Roles auth-role
vault write int_ca/roles/vault-cert \
        allow_bare_domains=true \
        allow_subdomains=true \
        allow_glob_domains=true \
        allow_any_name=true \
        allow_ip_sans=true \
        client_flag=true \
        max_ttl="730h" \
        ttl="720h" \
        generate_lease=true

# key_usage='["DigitalSignature", "KeyAgreement", "KeyEncipherment","KeyUsageCertSign",]'


vault auth enable cert

vault policy write vault-cert - <<EOR
path "pki_int/issue/*" {
    capabilities = ["create", "update"]
    }

path "pki_int/certs" {
    capabilities = ["list"]
    }

path "pki_int/revoke" {
    capabilities = ["create", "update"]
    }

path "pki_int/tidy" {
    capabilities = ["create", "update"]
    }

path "pki/cert/ca" {
    capabilities = ["read"]
    }

path "auth/token/renew" {
    capabilities = ["update"]
    }

path "auth/token/renew-self" {
    capabilities = ["update"]
    }
# Roles to create, update secrets
path "/sys/mounts" {
    capabilities = ["read", "update", "list"]
    }
path "/sys/mounts/*" {
    capabilities = ["update", "create"]
    }

path "sys/policies/acl" {
    capabilities = ["read"]
    }

path "secret/*" {
    capabilities = ["read", "create", "update", "delete"]
    }

EOR

vault write -format=json int_ca/issue/vault-cert \
common_name="vault-cert" > return.json

cat return.json | jq -r '.data.certificate' > vault-cert-certificate.pem

cat return.json | jq -r '.data.issuing_ca' > vault-cert-issuing-ca.pem

cat return.json | jq -r '.data.private_key' > vault-cert-private-key.pem


vault login -method=cert -client-cert=vault-cert-certificate.pem -client-key=vault-cert-private-key.pem name=vault-cert


################################ finish #####################################
	################################################ start #################################################

	###############################
	export VAULT_ADDR=https://vault.hashidemos.io:8200
	export VAULT_TOKEN=s.evX


	# Set up the PKI Secret Engine
	###############################
	## Root CA Mount
	vault secrets enable -path=root_ca pki
	vault secrets tune -max-lease-ttl=87600h root_ca
	vault write -format=json root_ca/root/generate/exported common_name="root-ca" ttl=315360000s > ca.json
	vault write root_ca/config/urls issuing_certificates="https://vault.eu-guystack.original.aws.hashidemos.io:8200/v1/pki/ca" crl_distribution_points="https://vault.eu-guystack.original.aws.hashidemos.io:8200/v1/pki/crl"

	###############################
	## Intermediate CA
	vault secrets enable -path=int_ca pki
	vault secrets tune -max-lease-ttl=43800h int_ca
	vault write -format=json int_ca/intermediate/generate/internal \
	common_name="int_ca" \
	\| jq -r '.data.csr' > pki_intermediate.csr

	vault write -format=json root_ca/root/sign-intermediate csr=@pki_intermediate.csr \
	format=pem_bundle ttl="43800h" \
	\| jq -r '.data.certificate' > intermediate.cert.pem

	vault write int_ca/intermediate/set-signed certificate=@intermediate.cert.pem

	###############################
	## Roles auth-role
	vault write int_ca/roles/vault-cert \
	allow_bare_domains=true \
	allow_subdomains=true \
	allow_glob_domains=true \
	allow_any_name=true \
	allow_ip_sans=true \
	client_flag=true \
	max_ttl="730h" \
	ttl="720h" \
	generate_lease=true

	# key_usage='["DigitalSignature", "KeyAgreement", "KeyEncipherment","KeyUsageCertSign",]'


	vault auth enable cert

	vault policy write vault-cert - <<EOR
	path "pki_int/issue/*" {
	capabilities = ["create", "update"]
	}

	path "pki_int/certs" {
	capabilities = ["list"]
	}

	path "pki_int/revoke" {
	capabilities = ["create", "update"]
	}

	path "pki_int/tidy" {
	capabilities = ["create", "update"]
	}

	path "pki/cert/ca" {
	capabilities = ["read"]
	}

	path "auth/token/renew" {
	capabilities = ["update"]
	}

	path "auth/token/renew-self" {
	capabilities = ["update"]
	}
	# Roles to create, update secrets
	path "/sys/mounts" {
	capabilities = ["read", "update", "list"]
	}
	path "/sys/mounts/*" {
	capabilities = ["update", "create"]
	}

	path "sys/policies/acl" {
	capabilities = ["read"]
	}

	path "secret/*" {
	capabilities = ["read", "create", "update", "delete"]
	}

	EOR

	vault write -format=json int_ca/issue/vault-cert \
	common_name="vault-cert" > return.json

	cat return.json \| jq -r '.data.certificate' > vault-cert-certificate.pem

	cat return.json \| jq -r '.data.issuing_ca' > vault-cert-issuing-ca.pem

	cat return.json \| jq -r '.data.private_key' > vault-cert-private-key.pem



	vault login -method=cert -client-cert=vault-cert-certificate.pem -client-key=vault-cert-private-key.pem name=vault-cert


	################################ finish #####################################