PKI test script
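#!/usr/bin/env bash
#
# PKI test script for Vault's `pki` secrets backend: mount a root and an
# intermediate CA, sign the intermediate with the root, define an issuing
# role, and issue a leaf certificate for "localhost" from an openssl CSR.
#
# Requires: vault, http (HTTPie), jq, openssl, and a token in ~/.vault-token.
# Writes currroot.pem, currcsr.pem, currcert.pem, req.key, req.csr and
# req.cert into the current directory.
#
# NOTE(review): in the original listing the `http POST` calls had lost their
# URL argument, so three API paths cannot be recovered from the page. They are
# read from ROOT_CERT_PATH, INTERMEDIATE_CSR_PATH and SIGN_INTERMEDIATE_PATH,
# which the caller must export (relative to /v1, i.e. "<mount>/<endpoint>").
# `vault mount` / `vault mount-tune` are the legacy CLI verbs; newer releases
# spell them `vault secrets enable` / `vault secrets tune`.
set -euo pipefail

# Private keys land in the cwd (req.key, plus whatever the "exported" CA
# calls print); make every new file owner-only.
umask 077

readonly VAULT_API="${VAULT_ADDR:-http://127.0.0.1:8200}/v1"
readonly TOKEN_FILE="${HOME}/.vault-token"
# Lifetimes used throughout: 20 years for the root side, 1 year for the
# intermediate side (values as in the original).
readonly ROOT_TTL="175200h"
readonly INTERMEDIATE_TTL="8760h"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# POST to the Vault HTTP API and print the JSON response body on stdout.
# Globals:   VAULT_API, TOKEN_FILE (read)
# Arguments: $1 - API path relative to /v1; remaining - HTTPie request items
# Returns:   HTTPie's exit status
#######################################
vault_post() {
  local path=$1 token
  shift
  token=$(<"$TOKEN_FILE") || die "cannot read ${TOKEN_FILE}"
  # The token travels as a header on argv, so it is visible to `ps` and to
  # `set -x` tracing for the life of the request — acceptable on a private
  # dev box, not on a shared host. Quoted so an odd or empty token cannot
  # word-split into extra arguments.
  http POST "${VAULT_API}/${path}" "X-Vault-Token:${token}" "$@"
}

main() {
  : "${ROOT_CERT_PATH:?API path (relative to /v1) whose response carries the root cert in .data.certificate}"
  : "${INTERMEDIATE_CSR_PATH:?API path (relative to /v1) that returns the intermediate CSR in .data.csr}"
  : "${SIGN_INTERMEDIATE_PATH:?API path (relative to /v1) that signs the intermediate CSR with the root}"

  # --- root CA mount -----------------------------------------------------
  vault mount -path=rootpki pki
  vault mount-tune -max-lease-ttl="$ROOT_TTL" rootpki
  # The original exercises all four generate variants back to back.
  # "exported" returns the CA private key in the response (printed to the
  # terminal here); "internal" keeps it inside Vault. Whether a later
  # generate replaces an existing CA is version-dependent — kept as written
  # because this is a test harness.
  vault write rootpki/root/generate/exported ttl="$ROOT_TTL"
  vault write rootpki/root/generate/internal ttl="$ROOT_TTL"
  vault write rootpki/intermediate/generate/exported ttl="$ROOT_TTL"
  vault write rootpki/intermediate/generate/internal ttl="$ROOT_TTL"

  # --- intermediate CA mount ---------------------------------------------
  vault mount -path=intermediatepki pki
  vault mount-tune -max-lease-ttl="$INTERMEDIATE_TTL" intermediatepki

  # Fetch the root certificate over the API and inspect it.
  vault_post "$ROOT_CERT_PATH" ttl="$ROOT_TTL" | jq -r .data.certificate > currroot.pem
  openssl x509 -in currroot.pem -noout -text

  # Generate the intermediate's CSR (the empty ip_sans looks like a
  # deliberate parser edge case; preserved).
  vault_post "$INTERMEDIATE_CSR_PATH" alt_names="foo,bar,car" ip_sans="" \
    | jq -r .data.csr > currcsr.pem
  openssl req -in currcsr.pem -noout -text

  # Sign the CSR with the root, then install the result in the intermediate mount.
  vault_post "$SIGN_INTERMEDIATE_PATH" ttl="$INTERMEDIATE_TTL" csr=@currcsr.pem \
    | jq -r .data.certificate > currcert.pem
  openssl x509 -in currcert.pem -noout -text
  vault write intermediatepki/intermediate/set-signed certificate=@currcert.pem

  # --- issuing role -------------------------------------------------------
  # allowed_domains is empty, so the "localhost" request below presumably
  # relies on the role's default localhost allowance — verify on the Vault
  # version in use. 224-bit EC is a small test curve; production roles
  # normally use 256 bits or more.
  vault write intermediatepki/roles/example-dot-com allowed_domains="" lease_max="336h" lease="336h" \
    key_type="ec" key_bits="224" allow_subdomains=true

  # --- leaf certificate from an external CSR -----------------------------
  openssl genrsa -out req.key 2048   # unencrypted key; the umask above limits its mode
  openssl req -new -batch -sha256 -key req.key -out req.csr
  # Same request twice: via the CLI (printed) and via the API (saved). The
  # leading "," in alt_names/ip_sans probes empty-element handling; preserved.
  vault write intermediatepki/sign/example-dot-com common_name="localhost" alt_names="," ip_sans=",fe01::1" csr=@req.csr
  vault_post intermediatepki/sign/example-dot-com common_name="localhost" alt_names="," ip_sans=",fe01::1" csr=@req.csr \
    | jq -r .data.certificate > req.cert
  openssl x509 -in req.cert -noout -text
}

main "$@"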