@GuyBarros
Created December 16, 2022 15:25
Vault 1.11+ non-disruptive PKI rotation example script
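#!/usr/bin/env zsh
###########
# Root CA #
###########
# The issuing-certificate and CRL URLs configured at the end of this section
# are built from VAULT_ADDR. Stop before changing anything in Vault if it is
# unset or empty, otherwise host-less URLs ("/v1/pki/ca") would be stored.
: "${VAULT_ADDR:?VAULT_ADDR must be set; it is embedded in the issuing-certificate and CRL URLs}"

# Mount a PKI engine at pki/ and raise its maximum lease TTL to 87600h so the
# root certificate below can be issued with that lifetime.
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki

# Generate the root with an "internal" key (the private key is not returned)
# and save only the certificate field to root_2022_ca.pem.
vault write -field=certificate pki/root/generate/internal \
  common_name="example.com" \
  issuer_name="root-2022" \
  ttl=87600h > root_2022_ca.pem

# Show the issuers now present on the root mount.
vault list pki/issuers

# Left disabled: a role with allow_any_name=true places no restriction on the
# names it will issue for.
# vault write pki/roles/2022-servers allow_any_name=true

# Publish where the CA certificate and the CRL of the pki/ mount can be fetched.
# NOTE(review): only pki/ gets URLs here; nothing in this script writes
# pki_int/config/urls, so certificates issued from pki_int presumably carry no
# CRL distribution point. Confirm that is intended.
vault write pki/config/urls \
  issuing_certificates="${VAULT_ADDR}/v1/pki/ca" \
  crl_distribution_points="${VAULT_ADDR}/v1/pki/crl"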
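###################
# Intermediate CA #
###################
# Mount a second PKI engine at pki_int/ with a 43800h maximum lease TTL.
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int

# Generate the intermediate key inside Vault and keep only the CSR.
vault write -format=json pki_int/intermediate/generate/internal \
  common_name="example.com Intermediate Authority" \
  | jq -r '.data.csr' > intermediate_2022_ca.csr

# Have the root issuer "root-2022" sign the CSR; the PEM bundle is saved as the
# 2022 intermediate certificate.
vault write -format=json pki/root/sign-intermediate \
  issuer_ref="root-2022" \
  csr=@intermediate_2022_ca.csr \
  format=pem_bundle ttl="43800h" \
  | jq -r '.data.certificate' > intermediate_2022_ca.pem

# Import the signed certificate and capture the issuer ID to name.
# NOTE(review): jq's `keys` returns the mapping's issuer IDs in sorted order,
# so `keys[1]` is simply the second ID alphabetically. When the bundle holds
# more than one certificate this may not be the intermediate; check the result
# with `vault list pki_int/issuers` before relying on the name.
issuer_2022_id=$(
  vault write -format=json pki_int/intermediate/set-signed \
    certificate=@intermediate_2022_ca.pem \
    | jq -r '.data.mapping | keys[1]'
)

# jq prints "null" when the mapping has fewer than two entries and nothing when
# the import failed; stop instead of writing to pki_int/issuer/null.
if [ -z "${issuer_2022_id}" ] || [ "${issuer_2022_id}" = "null" ]; then
  echo "set-signed did not return an issuer ID for intermediate_2022_ca.pem" >&2
  exit 1
fi

vault write "pki_int/issuer/${issuer_2022_id}" issuer_name="intermediate-2022"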
###########################
# Create Certificate Role #
###########################
# Look up the mount's current default issuer, then bind the role to it.
# NOTE(review): this stores the issuer that is default at this moment; the role
# presumably stays tied to it after pki_int/config/issuers is changed later in
# the script. Confirm which intermediate signs certificates after rotation.
default_issuer_ref="$(vault read -field=default pki_int/config/issuers)"

# The role may issue for example.com subdomains, for at most 720h.
vault write pki_int/roles/example-dot-com \
  issuer_ref="${default_issuer_ref}" \
  allowed_domains="example.com" \
  allow_subdomains=true \
  max_ttl="720h"

######################
# Issue Certificates #
######################
# Issue a 24h leaf certificate. -field=certificate prints only the certificate,
# so the private key returned by the issue call is not written to disk.
vault write -field=certificate pki_int/issue/example-dot-com \
  common_name="test.example.com" \
  ttl="24h" \
  | tee cert1.pem
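############################
# Intermediate CA Rotation #
############################
# For cross-signing, the key and the common_name must stay the same as on the
# existing intermediate.
vault write -format=json pki_int/intermediate/cross-sign \
  common_name="example.com Intermediate Authority" \
  | jq -r '.data.csr' > intermediate_2023_ca.csr

# The same root issuer ("root-2022") signs the new intermediate certificate.
vault write -format=json pki/root/sign-intermediate \
  issuer_ref="root-2022" \
  csr=@intermediate_2023_ca.csr \
  format=pem_bundle ttl="43800h" \
  | jq -r '.data.certificate' > intermediate_2023_ca.pem

# Import the signed certificate and capture the issuer ID to name.
# NOTE(review): jq's `keys` returns the mapping's issuer IDs in sorted order,
# so `keys[1]` is simply the second ID alphabetically. When the bundle holds
# more than one certificate this may not be the new intermediate; check the
# result with `vault list pki_int/issuers` before making it the default.
issuer_2023_id=$(
  vault write -format=json pki_int/intermediate/set-signed \
    certificate=@intermediate_2023_ca.pem \
    | jq -r '.data.mapping | keys[1]'
)

# jq prints "null" when the mapping has fewer than two entries and nothing when
# the import failed; stop instead of writing to pki_int/issuer/null and then
# pointing the mount default at a name that was never assigned.
if [ -z "${issuer_2023_id}" ] || [ "${issuer_2023_id}" = "null" ]; then
  echo "set-signed did not return an issuer ID for intermediate_2023_ca.pem" >&2
  exit 1
fi

vault write "pki_int/issuer/${issuer_2023_id}" issuer_name="intermediate-2023"

# Make the new intermediate the default issuer of the pki_int mount.
vault write pki_int/config/issuers default="intermediate-2023"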
######################
# Issue Certificates #
######################
# Issue a second 24h leaf certificate after the rotation; only the certificate
# field is printed and saved.
vault write -field=certificate pki_int/issue/example-dot-com \
  common_name="test.example.com" \
  ttl="24h" \
  | tee cert2.pem

######################
# Verify Certificate #
######################
# Check each leaf against the root, first through its matching intermediate and
# then through the other one. Each entry is "<intermediate>:<leaf>".
for chain_pair in \
  "intermediate_2022_ca.pem:cert1.pem" \
  "intermediate_2023_ca.pem:cert2.pem" \
  "intermediate_2022_ca.pem:cert2.pem" \
  "intermediate_2023_ca.pem:cert1.pem"
do
  openssl verify -CAfile root_2022_ca.pem \
    -untrusted "${chain_pair%%:*}" \
    "${chain_pair##*:}"
done
######################
# Revoke Certificate #
######################
# "<serial_number>" is a literal placeholder; replace it with the serial of the
# certificate to revoke before running this step.
revoke_serial="<serial_number>"
vault write pki_int/revoke serial_number="${revoke_serial}"

#############
# Parse CRL #
#############
# Fetch the CRL of the pki_int mount and print it in human-readable form.
vault read -field=certificate pki_int/cert/crl \
  | openssl crl -noout -text
#################
# Tidy Up Files #
#################
# Every file this script wrote into the working directory: CA certificates,
# CSRs and the two leaf certificates.
generated_files=(
  root_2022_ca.pem
  intermediate_2022_ca.csr
  intermediate_2022_ca.pem
  intermediate_2023_ca.csr
  intermediate_2023_ca.pem
  cert1.pem
  cert2.pem
)

# -f keeps the cleanup quiet when a file was never created.
rm -f -- "${generated_files[@]}"