@RafPe
Created May 14, 2017 11:45
Vault PKI CA init with intermediate
#!/bin/bash -e
# Pre-requisites:
# > Vault server
# > exported VAULT_ADDR and VAULT_TOKEN
# > vault cli (this uses the 0.x `vault mount` syntax; newer CLIs spell it `vault secrets enable`)
# > httpie (https://github.com/jkbrzt/httpie)
# > jq (https://stedolan.github.io/jq/)
set -u -o pipefail
# Both CA private keys are written to the working directory in plain text
# (that is what the .../generate/exported endpoints do), so make the files
# owner-readable only. Use .../generate/internal instead if the key must never
# leave Vault.
umask 077

# CA (root): 20-year mount max TTL, 20-year self-signed root
vault mount -path=rafpe_ca -description="rafpe Root CA" -max-lease-ttl=175200h pki
http --check-status POST "$VAULT_ADDR/v1/rafpe_ca/root/generate/exported" "X-Vault-Token:$VAULT_TOKEN" common_name="RafPe Root CA" ttl="175200h" > root_ca.json
jq -r .data.certificate root_ca.json > root_ca.pem
jq -r .data.private_key root_ca.json > root_ca.key

# Mount intermediate: the 1-year max TTL caps every certificate this CA issues
vault mount -path=rafpe_intermediate -description="rafpe intermediate CA" -max-lease-ttl=8760h pki

# Configure URLs. These get embedded in certificates *issued by* the
# intermediate; the intermediate certificate's own AIA/CRL URLs come from the
# same settings on rafpe_ca, which this script leaves unset.
# The AIA URL must point at the mount's /ca endpoint, which serves the issuing certificate.
vault write rafpe_intermediate/config/urls \
  issuing_certificates="https://vault.rafpe.ninja/v1/rafpe_intermediate/ca" \
  crl_distribution_points="https://vault.rafpe.ninja/v1/rafpe_intermediate/crl"

# Generate CSR for intermediate (Vault keeps the key; /exported also returns it)
http --check-status POST "$VAULT_ADDR/v1/rafpe_intermediate/intermediate/generate/exported" "X-Vault-Token:$VAULT_TOKEN" common_name='rafpe intermediate CA' exclude_cn_from_sans="true" > intermediate.json
jq -r .data.csr intermediate.json > intermediate.csr
jq -r .data.private_key intermediate.json > intermediate.key

# Sign intermediate with the root (1 year; cannot exceed the rafpe_ca mount's max TTL)
http --check-status POST "$VAULT_ADDR/v1/rafpe_ca/root/sign-intermediate" "X-Vault-Token:$VAULT_TOKEN" common_name='rafpe intermediate CA' ttl="8760h" csr=@intermediate.csr > signed_intermediate.json
jq -r .data.certificate signed_intermediate.json > intermediate.cert

# Set signed cert for intermediate
vault write rafpe_intermediate/intermediate/set-signed certificate=@intermediate.cert
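The gist writes root_ca.pem, intermediate.cert and intermediate.key to disk but never checks what came back. The script below is an added example and not part of RafPe's gist: it verifies offline, with nothing but the openssl CLI, that the intermediate chains to the root, is marked CA:TRUE with keyCertSign, that the exported intermediate key actually belongs to the signed certificate, and that the certificate is not about to expire. The file names are the gist's; the openssl dependency, the function names and the 30-day expiry threshold are assumptions made here.

```shell
#!/bin/bash
# verify_vault_pki.sh (added example, not from the gist): offline checks on the
# files left behind by the CA init script. Requires only openssl.

# check_chain ROOT_PEM INTERMEDIATE_PEM
# Returns 0 when INTERMEDIATE_PEM is a CA certificate issued by ROOT_PEM.
check_chain() {
  local root="$1" inter="$2" text
  # The intermediate must verify with the root as the only trust anchor.
  openssl verify -CAfile "$root" "$inter" >/dev/null 2>&1 \
    || { echo "FAIL: $inter does not chain to $root" >&2; return 1; }
  text=$(openssl x509 -in "$inter" -noout -text) || return 1
  # Without basicConstraints CA:TRUE no client accepts leaves signed by this key.
  printf '%s\n' "$text" | grep -q 'CA:TRUE' \
    || { echo "FAIL: $inter is not marked as a CA" >&2; return 1; }
  # keyUsage must permit signing certificates (Vault sets keyCertSign, cRLSign).
  printf '%s\n' "$text" | grep -q 'Certificate Sign' \
    || { echo "FAIL: $inter lacks keyCertSign" >&2; return 1; }
}

# check_key_matches CERT_PEM KEY_PEM
# Returns 0 when the private key's public half equals the certificate's SPKI,
# i.e. the exported key is the one the root actually signed.
check_key_matches() {
  local cert="$1" key="$2" a b
  a=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  b=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$a" = "$b" ] || { echo "FAIL: $key does not match $cert" >&2; return 1; }
}

# check_not_expiring CERT_PEM DAYS
# Returns 0 when the certificate is still valid DAYS days from now
# (openssl -checkend is portable where `date -d` is not).
check_not_expiring() {
  local cert="$1" days="$2"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "FAIL: $cert expires within $days days" >&2; return 1; }
}

# Usage: ./verify_vault_pki.sh root_ca.pem intermediate.cert intermediate.key
if [ "$#" -eq 3 ]; then
  check_chain "$1" "$2" && check_key_matches "$2" "$3" && check_not_expiring "$2" 30 \
    && echo "OK: $2 chains to $1, matches $3 and is valid for at least 30 days" \
    || exit 1
fi
```

Run it right after the gist's script finishes; a non-zero exit means one of the three artifacts is not what the Vault calls were expected to produce. Note that the intermediate's own CRL and AIA URLs are only present if config/urls was also set on rafpe_ca, so this script deliberately does not test for them.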