Created
January 20, 2016 00:47
-
-
Save jefferai/092d2cd728ff66089f17 to your computer and use it in GitHub Desktop.
PKI test script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| vault mount -path=rootpki pki | |
| vault mount-tune -max-lease-ttl="175200h" rootpki | |
| vault write rootpki/root/generate/exported common_name=example.com ttl="175200h" | |
| vault write rootpki/root/generate/internal common_name=example.com ttl="175200h" | |
| vault write rootpki/intermediate/generate/exported common_name=example.com ttl="175200h" | |
| vault write rootpki/intermediate/generate/internal common_name=example.com ttl="175200h" | |
| vault mount -path=intermediatepki pki | |
| vault mount-tune -max-lease-ttl="8760h" intermediatepki | |
| http POST http://127.0.0.1:8200/v1/rootpki/root/generate/exported X-Vault-Token:$(cat ~/.vault-token) common_name=root.com ttl="175200h" | jq -r .data.certificate > currroot.pem | |
| openssl x509 -in currroot.pem -noout -text | |
| http POST http://127.0.0.1:8200/v1/intermediatepki/intermediate/generate/exported X-Vault-Token:$(cat ~/.vault-token) common_name=intermediate.com alt_names="foo,bar,car" ip_sans="127.0.0.1" | jq -r .data.csr > currcsr.pem | |
| openssl req -in currcsr.pem -noout -text | |
| http POST http://127.0.0.1:8200/v1/rootpki/root/sign-intermediate X-Vault-Token:$(cat ~/.vault-token) common_name=intermediate.com ttl="8760h" csr=@currcsr.pem | jq -r .data.certificate > currcert.pem | |
| openssl x509 -in currcert.pem -noout -text | |
| vault write intermediatepki/intermediate/set-signed certificate=@currcert.pem | |
| vault write intermediatepki/roles/example-dot-com allowed_domains="example.com" lease_max="336h" lease="336h" key_type="ec" key_bits="224" allow_subdomains=true | |
| openssl genrsa -out req.key 2048 | |
| openssl req -new -batch -sha256 -key req.key -out req.csr | |
| vault write intermediatepki/sign/example-dot-com common_name="localhost" alt_names="foo.example.com,bar.example.com" ip_sans="128.3.5.6,fe01::1" csr=@req.csr | |
| http POST http://127.0.0.1:8200/v1/intermediatepki/sign/example-dot-com X-Vault-Token:$(cat ~/.vault-token) common_name="localhost" alt_names="foo.example.com,bar.example.com" ip_sans="128.3.5.6,fe01::1" csr=@req.csr | jq -r .data.certificate > req.cert | |
| openssl x509 -in req.cert -noout -text |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment