| Certificate Authority (CA) Server | Host Server(s) | Client(s) |
|---|---|---|
| Host Server Certificate Configuration | | |
| This is the server typically managed by a security team. The root CA private keys are held on this server and must be protected: if these keys are compromised, ALL certificates must be revoked and rotated/recreated. | These are the servers that are being built or reprovisioned. The Host CA-signed certificate is used to prove host authenticity to clients; it is sent to the ssh client during the initial handshake when an ssh client attempts to log in. | The user laptop or server that is running the ssh client. The Client CA-signed certificate is used to prove client authenticity to the host server. |
| Step 1. Create the HOST CA signing keys. Example: `ssh-keygen -t rsa -N '' -C HOST-CA -b 4096 -f host-ca` | | |
| Step 2. Generate a fresh set of ssh RSA HOST keys with 4096 bits. Typically the keys are generated by default | | |
Built base environment using HashiCorp's Learn Website
```
ubuntu@ip-192-168-100-194:~$ export VAULT_ADDR=http://127.0.0.1:8200
ubuntu@ip-192-168-100-194:~$ vault status
```
Update - resolved here -> hashicorp/consul#7024
The goal of this test was to demonstrate a productionised version of a Consul Connect Envoy service.
All online examples today rely on Docker and no TLS, and many customers still don't allow Docker in production (I know, unbelievable!). So I was attempting to run the Envoy proxy directly on Ubuntu without Docker.
# HASHICORP VAULT TRANSIT KEYS with ENCRYPTION and DECRYPTION example
Policy to create, update a transit key and encrypt/decrypt data
name: shared_transit_create
```hcl
path "shared/transit/*" {
```
```bash
#!/usr/bin/env bash
set -x
# Replace the value at jq path $2 in the JSON file $1 with $3, rewriting the
# file in place via a temporary copy. $3 must be a valid jq expression
# (a string value has to be passed already quoted, e.g. '"new-value"').
update_key_in_json_file () {
    cat "${1}"
    mv "${1}" temp.json
    jq -r "${2} |= ${3}" temp.json > "${1}"
    rm temp.json
    cat "${1}"
}
```
I quite often hit the following issue when building new servers and then trying to download repositories from github.com
```
graham@leader01:~ $ git clone git@github.com:allthingsclowd/web_page_counter.git
Cloning into 'web_page_counter'...
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
```
```
leader01: + echo 'Creating factory user to run the factory service'
leader01: Creating factory user to run the factory service
leader01: + sudo useradd --system --home /etc/factory.d --shell /bin/false factory
leader01: + sudo mkdir --parents /opt/factory /usr/local/factory /etc/factory.d
leader01: + sudo chown --recursive factory:factory /opt/factory /etc/factory.d /usr/local/factory
leader01: + sudo tee /etc/systemd/system/factory.service
leader01: ### BEGIN INIT INFO
leader01: # Provides: factory
leader01: # Required-Start:
```
I hereby claim:
- I am allthingsclowd on github.
- I am grahamhashicorp (https://keybase.io/grahamhashicorp) on keybase.
- I have a public key ASCBYpD94kHTzJeVQTLZcB8uP9xRsWgWpHylZtj7JEf7LAo
To claim this, I am signing this object:
```
vault_approle_demo $ git clone git@github.com:allthingsclowd/vault_approle.git .
Cloning into '.'...
remote: Counting objects: 56, done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 56 (delta 13), reused 52 (delta 12), pack-reused 0
Receiving objects: 100% (56/56), 11.34 KiB | 829.00 KiB/s, done.
Resolving deltas: 100% (13/13), done.
vault_approle_demo $ vagrant up
Bringing machine 'vault01' up with 'virtualbox' provider...
```
```yaml
heat_template_version: 2013-05-23
# Author: Graham Land
# Date: 16/06/2017
# Purpose: Deploy MongoDB on Ubuntu 14.04 on Fujitsu's Cloud Service K5 IaaS Platform
# NOTE: Includes hardcoded user accounts and passwords - please change these
# and add TLS if considering use cases other than test/dev.
#
# Twitter: @allthingsclowd
# Blog: https://allthingscloud.eu
#
```