GuyBarros/vault-non-disruptive-pki-rotation_sh

## vault-non-disruptive-pki-rotation_sh
#!/usr/bin/env zsh

###########
# Root CA #
###########

vault secrets enable pki

vault secrets tune -max-lease-ttl=87600h pki

vault write -field=certificate pki/root/generate/internal \
    common_name="example.com" \
    issuer_name="root-2022" \
    ttl=87600h > root_2022_ca.pem

vault list pki/issuers

# vault write pki/roles/2022-servers allow_any_name=true

vault write pki/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

###################
# Intermediate CA #
###################

vault secrets enable -path=pki_int pki

vault secrets tune -max-lease-ttl=43800h pki_int

vault write -format=json pki_int/intermediate/generate/internal \
    common_name="example.com Intermediate Authority" \
    | jq -r '.data.csr' > intermediate_2022_ca.csr

vault write -format=json pki/root/sign-intermediate \
    issuer_ref="root-2022" \
    csr=@intermediate_2022_ca.csr \
    format=pem_bundle ttl="43800h" \
    | jq -r '.data.certificate' > intermediate_2022_ca.pem

vault write pki_int/issuer/$(vault write -format=json pki_int/intermediate/set-signed certificate=@intermediate_2022_ca.pem | jq -r '.data.mapping | keys[1]') issuer_name="intermediate-2022"

###########################
# Create Certificate Role #
###########################

vault write pki_int/roles/example-dot-com \
    issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
    allowed_domains="example.com" \
    allow_subdomains=true \
    max_ttl="720h"

######################
# Issue Certificates #
######################

vault write -field=certificate pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h" | tee cert1.pem

############################
# Intermediate CA Rotation #
############################
#For cross-signing Encryption keys and common_name need to remain the same.

vault write -format=json pki_int/intermediate/cross-sign \
    common_name="example.com Intermediate Authority" \
    | jq -r '.data.csr' > intermediate_2023_ca.csr

vault write -format=json pki/root/sign-intermediate \
    issuer_ref="root-2022" \
    csr=@intermediate_2023_ca.csr \
    format=pem_bundle ttl="43800h" \
    | jq -r '.data.certificate' > intermediate_2023_ca.pem

vault write pki_int/issuer/$(vault write -format=json pki_int/intermediate/set-signed certificate=@intermediate_2023_ca.pem | jq -r '.data.mapping | keys[1]') issuer_name="intermediate-2023"

vault write pki_int/config/issuers default="intermediate-2023"

######################
# Issue Certificates #
######################

vault write -field=certificate pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h" | tee cert2.pem

######################
# Verify Certificate #
######################

openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2022_ca.pem cert1.pem
openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2023_ca.pem cert2.pem
openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2022_ca.pem cert2.pem
openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2023_ca.pem cert1.pem

######################
# Revoke Certificate #
######################

vault write pki_int/revoke serial_number="<serial_number>"

#############
# Parse CRL #
#############

vault read -field=certificate pki_int/cert/crl | openssl crl -text -noout

#################
# Tidy Up Files #
#################

rm -f \
    root_2022_ca.pem \
    intermediate_2022_ca.csr \
    intermediate_2022_ca.pem \
    intermediate_2023_ca.csr \
    intermediate_2023_ca.pem \
    cert1.pem \
    cert2.pem
	#!/usr/bin/env zsh

	###########
	# Root CA #
	###########

	vault secrets enable pki

	vault secrets tune -max-lease-ttl=87600h pki

	vault write -field=certificate pki/root/generate/internal \
	common_name="example.com" \
	issuer_name="root-2022" \
	ttl=87600h > root_2022_ca.pem

	vault list pki/issuers

	# vault write pki/roles/2022-servers allow_any_name=true

	vault write pki/config/urls \
	issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
	crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

	###################
	# Intermediate CA #
	###################

	vault secrets enable -path=pki_int pki

	vault secrets tune -max-lease-ttl=43800h pki_int

	vault write -format=json pki_int/intermediate/generate/internal \
	common_name="example.com Intermediate Authority" \
	\| jq -r '.data.csr' > intermediate_2022_ca.csr

	vault write -format=json pki/root/sign-intermediate \
	issuer_ref="root-2022" \
	csr=@intermediate_2022_ca.csr \
	format=pem_bundle ttl="43800h" \
	\| jq -r '.data.certificate' > intermediate_2022_ca.pem

	vault write pki_int/issuer/$(vault write -format=json pki_int/intermediate/set-signed certificate=@intermediate_2022_ca.pem \| jq -r '.data.mapping \| keys[1]') issuer_name="intermediate-2022"

	###########################
	# Create Certificate Role #
	###########################

	vault write pki_int/roles/example-dot-com \
	issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
	allowed_domains="example.com" \
	allow_subdomains=true \
	max_ttl="720h"

	######################
	# Issue Certificates #
	######################

	vault write -field=certificate pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h" \| tee cert1.pem

	############################
	# Intermediate CA Rotation #
	############################
	#For cross-signing Encryption keys and common_name need to remain the same.

	vault write -format=json pki_int/intermediate/cross-sign \
	common_name="example.com Intermediate Authority" \
	\| jq -r '.data.csr' > intermediate_2023_ca.csr

	vault write -format=json pki/root/sign-intermediate \
	issuer_ref="root-2022" \
	csr=@intermediate_2023_ca.csr \
	format=pem_bundle ttl="43800h" \
	\| jq -r '.data.certificate' > intermediate_2023_ca.pem

	vault write pki_int/issuer/$(vault write -format=json pki_int/intermediate/set-signed certificate=@intermediate_2023_ca.pem \| jq -r '.data.mapping \| keys[1]') issuer_name="intermediate-2023"

	vault write pki_int/config/issuers default="intermediate-2023"

	######################
	# Issue Certificates #
	######################

	vault write -field=certificate pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h" \| tee cert2.pem

	######################
	# Verify Certificate #
	######################

	openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2022_ca.pem cert1.pem
	openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2023_ca.pem cert2.pem
	openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2022_ca.pem cert2.pem
	openssl verify -CAfile root_2022_ca.pem -untrusted intermediate_2023_ca.pem cert1.pem

	######################
	# Revoke Certificate #
	######################

	vault write pki_int/revoke serial_number="<serial_number>"

	#############
	# Parse CRL #
	#############

	vault read -field=certificate pki_int/cert/crl \| openssl crl -text -noout

	#################
	# Tidy Up Files #
	#################

	rm -f \
	root_2022_ca.pem \
	intermediate_2022_ca.csr \
	intermediate_2022_ca.pem \
	intermediate_2023_ca.csr \
	intermediate_2023_ca.pem \
	cert1.pem \
	cert2.pem