@fvoges
Created February 22, 2023 14:33
Simple CA for Vault

Example: Provision certs with OpenSSL

If you need a CA, plus a certificate signed by it and its private key, to test with, follow these steps:

# Generate the CA private key
$ openssl genrsa -out ca-key.pem 4096

# Create a configuration file for the CA certificate
$ cat <<EOF > ca_cert_config.txt
[req]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no

[req_distinguished_name]
countryName             = CA
stateOrProvinceName     = Ontario
localityName            = Toronto
organizationName        = HashiCorp
commonName              = HashiCorp

[v3_ca]
basicConstraints        = critical,CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
EOF

# Generate a CA valid for 10 years
$ openssl req -new -x509 -days 3650 \
-config ca_cert_config.txt \
-key ca-key.pem \
-out ca.pem

# Generate a private key for the client certificate
$ openssl genrsa -out cert-key.pem 4096

# Create a configuration file for the client certificate
$ cat <<EOF > server_cert_config.txt
[req]
default_bits       = 4096
distinguished_name = req_distinguished_name
prompt             = no

[req_distinguished_name]
countryName             = CA
stateOrProvinceName     = Ontario
localityName            = Toronto
organizationName        = HashiCorp
commonName              = vault.hashicorp.com
EOF

# Create an extension and SAN file for the client certificate
# Add any additional SANs necessary for the Vault nodes
$ cat <<EOF > server_ext_config.txt
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = @alt_names

[alt_names]
DNS.1 = vault-0.vault-internal
DNS.2 = vault-1.vault-internal
DNS.3 = vault-2.vault-internal
DNS.4 = vault-3.vault-internal
DNS.5 = vault-4.vault-internal
DNS.6 = vault.vault
DNS.7 = vault-active.vault
DNS.8 = vault-internal.vault
DNS.9 = vault.hashicorp.com
EOF

# Generate the Certificate Signing Request
$ openssl req -new -key cert-key.pem -out cert-csr.pem -config server_cert_config.txt

# Generate the signed certificate valid for 1 year
$ openssl x509 -req -in cert-csr.pem -out cert.pem \
-CA ca.pem -CAkey ca-key.pem -CAcreateserial \
-days 365 -sha512 -extfile server_ext_config.txt
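The procedure above as an added example, not part of the gist: a POSIX shell script that rebuilds the same CA and Vault server certificate in a scratch directory (constructed values: 2048-bit keys, 30-day lifetimes, two of the SANs) and then runs the checks worth doing before the files go to Vault: chain, hostname match, CA:FALSE and the serverAuth EKU. It assumes an `openssl` binary of 1.1.1 or later on the PATH (`-ext` needs 1.1.1, `-verify_hostname` 1.0.2); `vault-9.vault-internal` is a deliberately absent name used as the negative case.

```shell
#!/bin/sh
# Added example, not part of the gist: builds a scratch CA and server cert the way
# the steps above do, then checks them. Sizes, lifetimes and SANs are test values.
set -eu

# make_test_pki DIR: writes ca.pem, cert.pem and their keys under DIR.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  # Same shape as ca_cert_config.txt above, reduced to the fields that matter.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' 'O = HashiCorp' 'CN = HashiCorp' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' 'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid:always,issuer' > "$dir/req.cnf"
  # Leaf extensions: not a CA, usable as a TLS server, SANs for two Vault names.
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth, clientAuth' \
    'subjectAltName = DNS:vault-0.vault-internal, DNS:vault.hashicorp.com' > "$dir/ext.cnf"
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 30 -config "$dir/req.cnf" -extensions v3_ca \
    -key "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  openssl genrsa -out "$dir/cert-key.pem" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -subj '/O=HashiCorp/CN=vault.hashicorp.com' \
    -key "$dir/cert-key.pem" -out "$dir/cert-csr.pem" 2>/dev/null
  openssl x509 -req -in "$dir/cert-csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 30 -sha512 -extfile "$dir/ext.cnf" -out "$dir/cert.pem" 2>/dev/null
}

# check_server_cert CA CERT HOST: succeeds only if CERT chains to CA, is valid for
# HOST (SAN first, CN only when there is no SAN), is not a CA, and allows serverAuth.
check_server_cert() {
  ca=$1; cert=$2; host=$3
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -ext basicConstraints 2>/dev/null \
    | grep -q 'CA:FALSE' || return 1
  openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Server Authentication' || return 1
}

# Stand-alone run: build the scratch PKI and report one line per hostname
# (vault-9.vault-internal is intentionally absent from the SAN list and must fail).
scratch=$(mktemp -d)
make_test_pki "$scratch"
for h in vault-0.vault-internal vault.hashicorp.com vault-9.vault-internal; do
  if check_server_cert "$scratch/ca.pem" "$scratch/cert.pem" "$h"; then echo "ok   $h"; else echo "FAIL $h"; fi
done
```

The same checks applied to `ca.pem` itself fail on the CA:FALSE step, which is the point: a CA certificate handed to Vault as a listener certificate should be caught before deployment, not at the first client handshake.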