@bhouse
Created May 7, 2016 23:05
Setting Up Hashicorp Vault with an intermediate CA based on https://gist.github.com/jefferai/092d2cd728ff66089f17
#!/bin/bash -e
# Setup a Root CA in vault
# Generate and sign an Intermediate cert
#
# Requires:
# * A running vault server already initialized and unsealed
# * Environment variable VAULT_TOKEN is set (a token allowed to mount backends
#   and write to both PKI mounts)
# * vault cli (https://www.vaultproject.io)
# * httpie (https://github.com/jkbrzt/httpie)
# * jq (https://stedolan.github.io/jq/)
#
# Note: we use httpie + jq because vault write commands aren't able to return
# formatted json for parsing
#
# Abort if any stage of an http | jq pipeline fails; without this a Vault error
# response would be turned into files containing "null" and the script would
# carry on as if nothing happened.
set -o pipefail
# Address of the vault server (defaults to the local dev address). The token is
# sent in a header, so anything other than loopback should be an https URL.
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
export VAULT_ADDR
# Mount a PKI backend for the root Certificate authority
echo "Creating root CA"
vault mount -path=root_ca pki
# Set the max TTL for the root CA to 10 years
echo "Tuning root CA"
vault mount-tune -max-lease-ttl="87600h" root_ca
# Generate the root CA keypair; the key is stored internally to vault and never
# leaves it (only the certificate is returned)
echo "Generating root CA cert"
vault write root_ca/root/generate/internal common_name="Acme Inc. Root CA" ttl="87600h"
# TODO: setup CRL and OCSP urls
# Mount the intermediate CA for the zone
echo "Creating intermediate CA"
vault mount -path=intermediate_acme_com pki
# Set the max TTL for acme.com certs to 1 year
echo "Tuning intermediate CA"
vault mount-tune -max-lease-ttl=8760h intermediate_acme_com
# Generate CSR for acme.com to be signed by the root CA; the key is stored
# internally to vault. --check-status makes http exit non-zero on 4xx/5xx and
# --ignore-stdin stops it waiting on stdin when run non-interactively.
echo "Generating intermediate CSR"
http --check-status --ignore-stdin POST "$VAULT_ADDR/v1/intermediate_acme_com/intermediate/generate/internal" X-Vault-Token:"$VAULT_TOKEN" common_name=acme.com | jq -r .data.csr > acme_com.csr
# Generate and sign the acme.com certificate as an intermediate CA
echo "Get intermediate cert"
http --check-status --ignore-stdin POST "$VAULT_ADDR/v1/root_ca/root/sign-intermediate" X-Vault-Token:"$VAULT_TOKEN" ttl="8760h" csr=@acme_com.csr | jq -r .data.certificate > acme_com.crt
# Add signed acme.com certificate to intermediate CA backend
echo "Add intermediate cert"
vault write intermediate_acme_com/intermediate/set-signed certificate=@acme_com.crt
# Create role for issuing acme.com certificates
# Max lease time is 14 days; only acme.com and its subdomains may be requested
echo "Create a role for subdomain certs"
vault write intermediate_acme_com/roles/acme_com allowed_domains="acme.com" lease_max="336h" allow_subdomains=true
# Issue a cert for an acme.com subdomain valid for 1 week
# The output file holds the private key as well as the leaf and issuing CA
# certificates, so create it with owner-only permissions.
echo "Issue a subdomain cert"
old_umask=$(umask)
umask 077
http --check-status --ignore-stdin POST "$VAULT_ADDR/v1/intermediate_acme_com/issue/acme_com" X-Vault-Token:"$VAULT_TOKEN" common_name="foo.acme.com" ttl="168h" | jq -r '.data.private_key, .data.certificate, .data.issuing_ca' > foo_acme_com.crt
umask "$old_umask"
echo "Intermediate CA cert:"
openssl x509 -in acme_com.crt -noout -subject -issuer
echo "Subdomain Cert:"
openssl x509 -in foo_acme_com.crt -noout -subject -issuer
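The final `jq` line of the script writes the private key, the leaf certificate and the issuing CA certificate into one `.crt` file. Most servers want the key in its own file, and a key should not live in a file that is usually shipped around as public material. The following is an added example, not part of the gist or of Vault: a stdlib-only Python helper that splits such a bundle by PEM label, writes the key to a file created with mode 0600 regardless of umask, writes the leaf and the issuing CA to separate files, and refuses bundles with zero or several keys. The sample bundle is constructed with placeholder base64 bodies (no real key material), and the output filenames are assumptions.

```python
import os
import re
import stat
import tempfile

# One PEM block; the backreference forces the BEGIN and END labels to agree, so a
# truncated or spliced block does not match.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)


def split_pem_bundle(text):
    """Return [(label, block)] for every PEM block in text, in file order."""
    return [(m.group("label"), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]


def is_private_key(label):
    """True for 'RSA PRIVATE KEY', 'EC PRIVATE KEY' and PKCS#8 'PRIVATE KEY'."""
    return label.endswith("PRIVATE KEY")


def write_private(path, data):
    """Create path with mode 0600 regardless of umask and without following symlinks."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    os.chmod(path, 0o600)  # tighten a pre-existing file that had a looser mode


def split_vault_issue_bundle(bundle_text, out_dir, basename):
    """Split private_key + certificate + issuing_ca into .key / .crt / .ca.crt."""
    blocks = split_pem_bundle(bundle_text)
    keys = [b for label, b in blocks if is_private_key(label)]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    if not certs:
        raise ValueError("no certificate in bundle")
    paths = {
        "key": os.path.join(out_dir, basename + ".key"),      # assumed names
        "cert": os.path.join(out_dir, basename + ".crt"),
        "ca": os.path.join(out_dir, basename + ".ca.crt"),
    }
    write_private(paths["key"], keys[0])
    with open(paths["cert"], "w") as f:
        f.write(certs[0])             # first certificate is the leaf
    with open(paths["ca"], "w") as f:
        f.write("".join(certs[1:]))   # everything after it is the issuing chain
    return paths


def _fake_pem(label, seed):
    """Constructed placeholder PEM block (not real key material), 64-char lines."""
    body = (seed * 40)[:128]
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed stand-in for the file the script's last jq line produces.
SAMPLE_BUNDLE = (
    _fake_pem("RSA PRIVATE KEY", "MIIEowIBAAKCAQEA")
    + _fake_pem("CERTIFICATE", "MIIDfooLeafCert0")
    + _fake_pem("CERTIFICATE", "MIIDbarIssuerCA0")
)


def demo(out_dir=None):
    """Split SAMPLE_BUNDLE into a temp dir and report what ended up where."""
    out_dir = out_dir or tempfile.mkdtemp()
    paths = split_vault_issue_bundle(SAMPLE_BUNDLE, out_dir, "foo_acme_com")
    with open(paths["cert"]) as f:
        cert_blocks = split_pem_bundle(f.read())
    with open(paths["ca"]) as f:
        ca_blocks = split_pem_bundle(f.read())
    return {
        "labels": [label for label, _ in split_pem_bundle(SAMPLE_BUNDLE)],
        "key_mode": stat.S_IMODE(os.stat(paths["key"]).st_mode),
        "leaf_certs": len(cert_blocks),
        "ca_certs": len(ca_blocks),
        "key_in_cert_file": any(is_private_key(l) for l, _ in cert_blocks),
    }


if __name__ == "__main__":
    print(demo())
```

Run it against the real file with `split_vault_issue_bundle(open("foo_acme_com.crt").read(), ".", "foo_acme_com")`. The key file is opened with an explicit 0600 mode and `O_NOFOLLOW` rather than relying on the caller's umask, which is the same failure the script guards against with `umask 077`.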
bhouse commented May 7, 2016

For pulling down and updating client key/cert: https://github.com/issacg/vault-pki-client
