Last active
July 19, 2023 15:52
-
-
Save chrishoffman/acc60cf577e1e79f56beb63747466d3c to your computer and use it in GitHub Desktop.
Vault Multi-Level CA Setup
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vault mount pki | |
| vault mount -path=pki1 pki | |
| vault mount -path=pki2 pki | |
| vault mount -path=pki3 pki | |
| vault mount-tune -max-lease-ttl=87600h pki | |
| vault mount-tune -max-lease-ttl=87600h pki1 | |
| vault mount-tune -max-lease-ttl=87600h pki2 | |
| vault mount-tune -max-lease-ttl=87600h pki3 | |
| vault write pki/root/generate/internal common_name="Vault Testing Root Authority" ttl=87600h | |
| # Intermediate Authority | |
| vault write -format=json -field=csr pki1/intermediate/generate/internal common_name="Vault Testing Intermediate Authority" > pki1.csr | |
| vault write -format=json -field=certificate pki/root/sign-intermediate csr=@pki1.csr ttl=87500h format=pem_bundle > pki1.signed | |
| vault write pki1/intermediate/set-signed certificate=@pki1.signed | |
| # Intermediate Sub Authority | |
| vault write -format=json -field=csr pki2/intermediate/generate/internal common_name="Vault Testing Intermediate Sub Authority" > pki2.csr | |
| vault write -format=json -field=certificate pki1/root/sign-intermediate csr=@pki2.csr ttl=87400h format=pem_bundle > pki2.signed | |
| vault write pki2/intermediate/set-signed certificate=@pki2.signed | |
| # Intermediate Sub Sub Authority | |
| vault write -format=json -field=csr pki3/intermediate/generate/internal common_name="Vault Testing Intermediate Sub Sub Authority" > pki3.csr | |
| vault write -format=json -field=certificate pki2/root/sign-intermediate csr=@pki3.csr ttl=87300h format=pem_bundle > pki3.signed | |
| vault write pki3/intermediate/set-signed certificate=@pki3.signed | |
| # Roles | |
| vault write pki/roles/test allow_any_name=true enforce_hostnames=false max_ttl=1h | |
| vault write pki1/roles/test allow_any_name=true enforce_hostnames=false max_ttl=1h | |
| vault write pki2/roles/test allow_any_name=true enforce_hostnames=false max_ttl=1h | |
| vault write pki3/roles/test allow_any_name=true enforce_hostnames=false max_ttl=1h | |
| vault write pki1/roles/test_ec key_type=ec key_bits=256 allow_any_name=true enforce_hostnames=false max_ttl=1h | |
| vault write pki2/roles/test_ec key_type=ec key_bits=256 allow_any_name=true enforce_hostnames=false max_ttl=1h | |
| vault write pki3/roles/test_ec key_type=ec key_bits=256 allow_any_name=true enforce_hostnames=false max_ttl=1h |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment