Forked from bhouse/vault_intermediate_ca_setup.sh
Last active
October 21, 2016 20:06
-
-
Save glehmann/4dea65cb1975ff1a5f3073f212668422 to your computer and use it in GitHub Desktop.
Setting Up Hashicorp Vault with an intermediate CA based on https://gist.github.com/jefferai/092d2cd728ff66089f17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash -e | |
| # Setup a Root CA in vault | |
| # Generate and sign an Intermediate cert | |
| # | |
| # Requires: | |
| # * vault cli (https://www.vaultproject.io) | |
| # * jq (https://stedolan.github.io/jq/) | |
| # * A running vault server already initialzed and unsealed | |
| # * vault cli must be already authenticated (try "vault server -dev") | |
| # Mount a PKI backend for the root Certificate authority | |
| echo "Creating root CA" | |
| vault mount -path=root_ca pki | |
| # Set the max TTL for the root CA to 10 years | |
| echo "Tuning root CA" | |
| vault mount-tune -max-lease-ttl="87600h" root_ca | |
| # Generate the root CA keypair, the key is stored internally to vault | |
| echo "Generating root CA cert" | |
| vault write root_ca/root/generate/internal common_name="Acme Inc. Root CA" ttl="87600h" | |
| # TODO: setup CRL and OCSP urls | |
| # Mount the intermediate CA for the zone | |
| echo "Creating intermediate CA" | |
| vault mount -path=intermediate_acme_com pki | |
| # Set the max TTL for acme.com certs to 1 year | |
| echo "Tuning intermediate CA" | |
| vault mount-tune -max-lease-ttl=8760h intermediate_acme_com | |
| # Generate CSR for acme.com to be signed by the root CA, the key is stored | |
| # internally to vault | |
| echo "Generating intermediate CSR" | |
| vault write -format=json intermediate_acme_com/intermediate/generate/internal common_name=acme.com | jq -r .data.csr > acme_com.csr | |
| # Generate and sign the acme.com certificate as an intermediate CA | |
| echo "Get intermediate cert" | |
| vault write -format=json root_ca/root/sign-intermediate ttl="8760h" csr=@acme_com.csr | jq -r .data.certificate > acme_com.crt | |
| # Add signed acme.com certificate to intermediate CA backend | |
| echo "Add intermediate cert" | |
| vault write intermediate_acme_com/intermediate/set-signed certificate=@acme_com.crt | |
| # Create role for issuing acme.com certificates | |
| # Max least time is 14 days | |
| echo "Create a role for subdomain certs" | |
| vault write intermediate_acme_com/roles/acme_com allowed_domains="acme.com" lease_max="336h" allow_subdomains=true | |
| # Issue a cert for an acme.com subdomain valid for 1 week | |
| echo "Issue a subdomain cert" | |
| vault write -format=json intermediate_acme_com/issue/acme_com common_name="foo.acme.com" ttl="168h" | jq -r .data.private_key,.data.certificate,.data.issuing_ca > foo_acme_com.crt | |
| echo "Intermediate CA cert:" | |
| openssl x509 -in acme_com.crt -noout -subject -issuer | |
| echo "Subdomain Cert:" | |
| openssl x509 -in foo_acme_com.crt -noout -subject -issuer |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment