PKI test script
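#!/bin/bash
# Exercises a two-tier Vault PKI setup end to end: a root CA mount, an
# intermediate CA mount whose CSR is signed by the root, an issuing role on
# the intermediate, and a leaf certificate signed against that role. Every
# artefact is dropped in the current directory (currroot.pem, currcsr.pem,
# currcert.pem, req.key, req.csr, req.cert) and decoded with openssl so the
# result can be inspected by eye.
#
# Prerequisites: vault, http (HTTPie), jq, openssl; a Vault token in
# $VAULT_TOKEN or ~/.vault-token; VAULT_ADDR when the server is not on
# http://127.0.0.1:8200 (the vault CLI reads both variables on its own).
#
# Steps are deliberately not fatal (no `set -e`): some calls below are
# expected to be rejected once a CA already exists on a mount, and the
# remaining steps should still run so the whole API surface gets exercised.

set -uo pipefail # unset variables are bugs; a pipeline reports the failing stage, not only jq's
umask 077        # req.key (a private key) is written to CWD: create generated files owner-only

readonly vault_addr=${VAULT_ADDR:-http://127.0.0.1:8200}

# Same lookup order as the vault CLI: the environment wins over the token file.
# $(<file) drops trailing newlines exactly like the original $(cat ~/.vault-token).
if [[ -n "${VAULT_TOKEN:-}" ]]; then
  vault_token=$VAULT_TOKEN
else
  vault_token=$(<"$HOME/.vault-token") || {
    printf 'no token in VAULT_TOKEN or %s\n' "$HOME/.vault-token" >&2
    exit 1
  }
fi
readonly vault_token

#######################################
# POST to the Vault HTTP API and store one field of the JSON reply.
# Globals:   vault_addr, vault_token (read)
# Arguments: $1 - API path below /v1/ (e.g. rootpki/root/sign-intermediate)
#            $2 - file the selected field is written to
#            $3 - jq filter selecting the field (e.g. .data.certificate)
#            $@ - remaining HTTPie request items (key=value, key=@file, ...)
# Outputs:   the selected field into $2; a warning on stderr when it is absent
# Returns:   0 when the field was present, 1 otherwise (API error, empty
#            reply, or a null field) so a failure is visible instead of
#            leaving the word "null" in $2 to trip up the next openssl step
#######################################
vault_post() {
  local api_path=$1 outfile=$2 filter=$3
  shift 3
  # The token rides in argv, as it did in the original one-liners, so it is
  # visible in `ps` and `set -x` output for the duration of the request.
  # NOTE(review): newer HTTPie may accept a file-backed header value —
  # confirm and switch if this ever runs on a shared host.
  if ! http POST "${vault_addr}/v1/${api_path}" "X-Vault-Token:${vault_token}" "$@" |
    jq -e -r "$filter" >"$outfile"; then
    printf 'warn: %s did not return %s (see %s)\n' "$api_path" "$filter" "$outfile" >&2
    return 1
  fi
}

# --- Root CA -----------------------------------------------------------------
vault mount -path=rootpki pki
vault mount-tune -max-lease-ttl="175200h" rootpki # 20 years, so the root outlives every intermediate
# NOTE(review): on the Vault versions this targets, a second generate call on
# an already-initialised mount appears to return no data or an error — verify.
# The extra calls are kept to exercise exactly that path.
vault write rootpki/root/generate/exported common_name=example.com ttl="175200h"
vault write rootpki/root/generate/internal common_name=example.com ttl="175200h"
vault write rootpki/intermediate/generate/exported common_name=example.com ttl="175200h"
vault write rootpki/intermediate/generate/internal common_name=example.com ttl="175200h"

# --- Intermediate CA mount ---------------------------------------------------
vault mount -path=intermediatepki pki
vault mount-tune -max-lease-ttl="8760h" intermediatepki # 1 year

# Root certificate via the HTTP API. The exported reply also carries
# .data.private_key; only the certificate is written out here.
vault_post rootpki/root/generate/exported currroot.pem .data.certificate \
  common_name=root.com ttl="175200h"
openssl x509 -in currroot.pem -noout -text

# CSR for the intermediate; the SANs only serve to see them echoed in the CSR.
vault_post intermediatepki/intermediate/generate/exported currcsr.pem .data.csr \
  common_name=intermediate.com alt_names="foo,bar,car" ip_sans="127.0.0.1"
openssl req -in currcsr.pem -noout -text

# Root signs the intermediate CSR (csr=@file: HTTPie reads the field value from the file).
vault_post rootpki/root/sign-intermediate currcert.pem .data.certificate \
  common_name=intermediate.com ttl="8760h" csr=@currcsr.pem
openssl x509 -in currcert.pem -noout -text

# Install the signed certificate on the intermediate mount and define an issuing role.
vault write intermediatepki/intermediate/set-signed certificate=@currcert.pem
# lease/lease_max are the older spellings of ttl/max_ttl. P-224 is a small
# curve that many TLS stacks reject — fine for an API test, not a template for
# a real role. NOTE(review): the role pins key_type=ec/224 while the CSR below
# carries an RSA-2048 key; whether /sign enforces the role's key settings
# against the CSR depends on the Vault version — if the sign step is
# rejected, that is why.
vault write intermediatepki/roles/example-dot-com allowed_domains="example.com" lease_max="336h" lease="336h" key_type="ec" key_bits="224" allow_subdomains=true

# --- Leaf certificate --------------------------------------------------------
openssl genrsa -out req.key 2048                          # owner-only thanks to umask 077 above
openssl req -new -batch -sha256 -key req.key -out req.csr # -batch: config defaults, no prompts
# Same request once via the CLI and once via the API; only the API result is kept on disk.
vault write intermediatepki/sign/example-dot-com common_name="localhost" alt_names="foo.example.com,bar.example.com" ip_sans="128.3.5.6,fe01::1" csr=@req.csr
vault_post intermediatepki/sign/example-dot-com req.cert .data.certificate \
  common_name="localhost" alt_names="foo.example.com,bar.example.com" ip_sans="128.3.5.6,fe01::1" csr=@req.csr
openssl x509 -in req.cert -noout -text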