@jefferai
Created October 7, 2015 20:52
Example of new PKI capabilities
#!/bin/bash
# Needs the vault CLI, httpie (http), jq and openssl. Vault listens on 127.0.0.1:8200 and the
# raw API calls reuse the token the CLI stored in ~/.vault-token.
set -euo pipefail

# One PKI backend per tier, each with its own max TTL: a 20-year root and a 2-year intermediate.
vault mount -path=rootpki pki
vault mount-tune -max-lease-ttl="175200h" rootpki
vault mount -path=intermediatepki pki
vault mount-tune -max-lease-ttl="17520h" intermediatepki

# Generate the self-signed root. The "exported" variant returns the private key in the response too; only the certificate is kept here.
http POST http://127.0.0.1:8200/v1/rootpki/config/ca/generate/root/exported X-Vault-Token:$(cat ~/.vault-token) pki_address="http://vault.example.com/v1/rootpki" common_name=root.com ttl="175200h" | jq -r .data.certificate > currroot.pem
openssl x509 -in currroot.pem -noout -text

# Generate the intermediate's key and CSR, have the root sign it (ttl kept under the intermediate mount's max), then install the signed certificate.
http POST http://127.0.0.1:8200/v1/intermediatepki/config/ca/generate/intermediate/exported X-Vault-Token:$(cat ~/.vault-token) pki_address="http://vault.example.com/v1/rootpki" | jq -r .data.csr > currcsr.pem
http POST http://127.0.0.1:8200/v1/rootpki/config/ca/sign X-Vault-Token:$(cat ~/.vault-token) pki_address="http://vault.example.com/v1/intermediatepki" common_name=intermediate.com ttl="17519h" csr=@currcsr.pem | jq -r .data.certificate > currcert.pem
openssl x509 -in currcert.pem -noout -text
vault write intermediatepki/config/ca/set pem_bundle=@currcert.pem

# A role bounds what this intermediate will issue: names under example.com, leases of at most two weeks.
vault write intermediatepki/roles/example-dot-com allowed_base_domain="example.com" lease_max="336h" lease="336h" key_type="ec" key_bits="224"

# The requester generates its own key and CSR, so the private key never passes through Vault.
openssl genrsa -out req.key 2048
openssl req -new -batch -sha256 -key req.key -out req.csr

# sign/<role> signs a caller-supplied CSR, so the csr parameter is required: once through the CLI, then the same request through the raw API.
vault write intermediatepki/sign/example-dot-com csr=@req.csr common_name="localhost" alt_names="foo.example.com,bar.example.com" ip_sans="128.3.5.6,fe01::1"
http POST http://127.0.0.1:8200/v1/intermediatepki/sign/example-dot-com X-Vault-Token:$(cat ~/.vault-token) csr=@req.csr common_name="localhost" alt_names="foo.example.com,bar.example.com" ip_sans="128.3.5.6,fe01::1" | jq -r .data.certificate > req.cert
openssl x509 -in req.cert -noout -text
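A check on what the script leaves behind, as an added example that is neither the gist's code nor Vault's: req.cert should validate only when currcert.pem (the intermediate) is presented with it, and only for the names the role allowed. This Go program, chosen because Vault itself is written in Go and crypto/x509 can do the verification offline, builds a constructed stand-in chain with the same tiers, TTLs and SANs instead of calling Vault; P-256 keys and the function names mint, caTemplate, BuildChain and VerifyLeaf are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// mint generates a P-256 key for tmpl and has parent sign it; a nil parent self-signs (the root).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// caTemplate carries the basic constraints and key usages a verifier requires of a CA certificate.
func caTemplate(cn string, ttl time.Duration, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(ttl), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}
// BuildChain makes constructed stand-ins (not Vault output) for the gist's tiers: 175200h root, 17519h intermediate, 336h leaf with its alt_names and ip_sans.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := mint(caTemplate("root.com", 175200*time.Hour, 1), nil, nil)
	inter, interKey := mint(caTemplate("intermediate.com", 17519*time.Hour, 2), root, rootKey)
	leaf, _ = mint(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(336 * time.Hour),
		DNSNames:    []string{"localhost", "foo.example.com", "bar.example.com"},
		IPAddresses: []net.IP{net.ParseIP("128.3.5.6"), net.ParseIP("fe01::1")},
	}, inter, interKey)
	return
}
// VerifyLeaf checks that chain[0] reaches root through the rest of chain and is valid for name; leave the intermediate out and it fails, as a client would.
func VerifyLeaf(root *x509.Certificate, chain []*x509.Certificate, name string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: name})
	return err
}
```

Against the script's real output, parse currroot.pem, currcert.pem and req.cert with encoding/pem and x509.ParseCertificate and hand them to VerifyLeaf in the same order.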