@Toady00
Created March 15, 2017 21:00
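# Vault PKI setup for the demo: a root CA mount (levvel), an intermediate CA
# mount (levvel_ops) signed by that root, and a role that issues short-lived
# Consul server certificates. Two steps in the middle are manual (copying a
# returned PEM blob into a file), so run this section by section rather than
# as one script.
# Written against the pre-0.10 CLI (`vault mount` / `vault mount-tune`); newer
# releases spell these `vault secrets enable` / `vault secrets tune`.
set -euo pipefail

# Root CA mount. A mount's max lease TTL caps every certificate TTL issued
# from it, so it is raised to 10 years before the root is generated.
vault mount \
  --path levvel \
  --description "Example CA for vault demo" \
  pki
vault mount-tune \
  --max-lease-ttl 87600h \
  levvel
# "internal" keeps the root private key inside Vault; it is never returned.
vault write \
  levvel/root/generate/internal \
  common_name="Levvel Vault Blog Root CA" \
  ttl=87600h \
  key_bits=4096 \
  exclude_cn_from_sans=true
# AIA URL embedded in certificates issued by this mount. It has to point at
# the mount's /ca endpoint (same shape as the levvel_ops URLs below); without
# the /ca suffix a client following the pointer reaches the API root, not a
# certificate.
vault write \
  levvel/config/urls \
  issuing_certificates="http://vault.demo.levvel:8200/v1/levvel/ca"

# Intermediate CA mount, same TTL cap.
vault mount \
  --path levvel_ops \
  --description "Intermediate VA for vault demo" \
  pki
vault mount-tune \
  --max-lease-ttl 87600h \
  levvel_ops
# Generates the intermediate key inside Vault and returns only a CSR.
vault write \
  levvel_ops/intermediate/generate/internal \
  common_name="Levvel Vault Blog Intermediate CA" \
  ttl=87600h \
  key_bits=4096 \
  exclude_cn_from_sans=true
# MANUAL STEP: copy the returned CSR into a file named int.csr in the current
# directory. It should start with `-----BEGIN CERTIFICATE REQUEST-----` and
# end with `-----END CERTIFICATE REQUEST-----`.
# The root signs the intermediate for 3 years, shorter than its own lifetime.
vault write \
  levvel/root/sign-intermediate \
  csr=@int.csr \
  common_name="Levvel Vault Blog Intermediate CA" \
  ttl=26280h
# MANUAL STEP: two certificates come back, `certificate` and `issuing_ca`.
# Copy the `certificate` value into a file named int.crt in the current
# directory.
vault write \
  levvel_ops/intermediate/set-signed \
  certificate=@int.crt
# Both URLs must use the /v1/ API prefix; a typo here produces certificates
# whose AIA / CRL pointers are unreachable.
vault write \
  levvel_ops/config/urls \
  issuing_certificates="http://vault.demo.levvel:8200/v1/levvel_ops/ca" \
  crl_distribution_points="http://vault.demo.levvel:8200/v1/levvel_ops/crl"
# Role for Consul servers: only the one bare server name, max 1 year.
# allow_subdomains is not set (defaults to false), so any common_name
# requested through this role must match allowed_domains exactly.
vault write \
  levvel_ops/roles/consul \
  key_bits=2048 \
  max_ttl=8760h \
  allowed_domains=server.vpc-cae5acac.consul \
  allow_bare_domains=true
# Smoke test: issue one 30-day certificate through the role.
vault write \
  levvel_ops/issue/consul \
  common_name="server.vpc-cae5acac.consul" \
  ttl=720h \
  format=pem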
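{{- /* consul-template: requests a Consul server certificate from the
       levvel_ops PKI role and hands each PEM part to the write_cert plugin,
       which writes it to disk owned by the consul user. The rendered output
       (only the serial number) goes to this template's destination file. */ -}}
{{- /* The common_name must match the role's allowed_domains exactly
       (server.vpc-cae5acac.consul; allow_bare_domains is set, allow_subdomains
       is not), otherwise Vault refuses to issue. The output file names keep
       their existing spelling so they still match the Consul config that
       reads them. */ -}}
{{- /* Each PEM value, including the private key, is passed to the plugin as a
       command-line argument and is therefore visible in the process table
       while the plugin runs. The plugin name on the certificate line differs
       from the other two (write_cert_plugin vs write_cert) — confirm which one
       is actually installed. */ -}}
{{ with secret "levvel_ops/issue/consul" "common_name=server.vpc-cae5acac.consul" }}
{{ .Data.serial_number }}
{{ .Data.certificate | plugin "write_cert_plugin" "/etc/consul.d/ssl/server.vpc-cae5aca.consul.crt" "consul" }}
{{ .Data.private_key | plugin "write_cert" "/etc/consul.d/ssl/server.vpc-cae5aca.consul.key" "consul" }}
{{ .Data.issuing_ca | plugin "write_cert" "/etc/consul.d/ssl/ca.crt" "consul" }}
{{ end }}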
{
"datacenter": "vpc-cae5acac",
"data_dir": "/var/lib/consul",
"log_level": "INFO",
"node_name": "consul1",
"server": true,
"ui": true,
"encrypt": "K9ppVslll6vxUIBSvtg0Zw==",
"ca_file": "/etc/consul.d/ssl/ca.crt",
"cert_file": "/etc/consul.d/ssl/server.vpc-cae5aca.consul.crt",
"key_file": "/etc/consul.d/ssl/server.vpc-cae5aca.consul.key",
"verify_incoming": true,
"verify_outgoing": true,
"verify_server_hostname": true
}
# consul-template configuration that drives the certificate template.
vault {
# Plain HTTP: the token below, and every private key Vault returns, cross the
# network unencrypted. Acceptable only for a throwaway demo.
address = "http://vault.demo.levvel:8200"
# A Vault token written into a config file (and published with this gist).
# Prefer passing it through the VAULT_TOKEN environment variable and keep this
# file out of source control; a token that has been published should be revoked.
token = "b71a0d28-47e5-4cea-fb5c-d1dee418602f"
# consul-template will not renew this token. If the token has a TTL, certificate
# renewals stop once it expires; use a periodic/long-lived token or set this to
# true — confirm which applies to the token in use.
renew_token = false
}
# Renders the template to a .serial file; the PEM files themselves are written
# by the write_cert plugin invoked from inside the template, not by this stanza.
template {
source = "/etc/consul-template.d/consul_cert.ctmpl"
destination = "/etc/consul.d/ssl/server.vpc-cae5acac.consul.serial"
}
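#!/usr/bin/env bash
# consul-template plugin: write one PEM blob (certificate, key or CA) to a
# file readable only by its owner.
#
# Usage: write_cert <file> <owner> <data>
#   $1  destination path
#   $2  user that will own the file; the same name is used as the group
#   $3  file contents
# Exits non-zero (printing nothing on stdout) if an argument is missing or a
# step fails, so consul-template treats the render as failed.
#
# consul-template passes the PEM data on argv, so it is visible in the process
# table for the lifetime of this script. Keep the script short and never turn
# on command tracing (-x) here: it would print private keys to stderr and into
# the consul-template log.
set -euo pipefail

usage='usage: write_cert <file> <owner> <data>'
file=${1:?$usage}
owner=${2:?$usage}
data=${3:?$usage}

# Write to a temporary file beside the destination and rename it into place so
# a reader never observes a half-written key. mktemp creates it mode 0600, so
# the contents are never world-readable, not even briefly.
tmp=$(mktemp -- "${file}.XXXXXX")
trap 'rm -f -- "$tmp"' EXIT

# printf rather than echo: an unquoted echo would collapse the PEM line breaks
# into spaces (producing an unparsable file), and echo may interpret leading
# dashes or backslashes in the data.
printf '%s\n' "$data" > "$tmp"
chmod 0600 -- "$tmp"
chown -- "$owner:$owner" "$tmp"
mv -f -- "$tmp" "$file"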