@mikegreen
Created November 4, 2021 19:56
Read Vault PKI config and tune
$ vault secrets list --detailed
Path Plugin Accessor Default TTL Max TTL Force No Cache Replication Seal Wrap External Entropy Access Options Description UUID
---- ------ -------- ----------- ------- -------------- ----------- --------- ----------------------- ------- ----------- ----
cubbyhole/ cubbyhole cubbyhole_fcbf5e6d n/a n/a false local false false map[] per-token private secret storage 11a09df9-8ef6-bf26-2cc1-d4c6424c4780
database/ database database_c7158e73 system system false replicated false false map[] n/a b5043a27-2dae-5725-0bb2-6d5507059c14
foo-ttl/ aws aws_543cd76b system system false replicated false false map[] n/a 0c98d12a-1829-8b54-cf33-bd7540afc6db
identity/ identity identity_05c3ab60 system system false replicated false false map[] identity store ef8f38b4-a755-fb10-1266-3ad434ecb7ea
kv/ kv kv_70ff18d1 system system false replicated false false map[] n/a 05cbc341-4f92-6ac5-2129-98047174338d
kv1234/ kv kv_d9818238 system system false replicated false false map[version:2] n/a 1eab9cc1-3ccd-f83a-df8d-ffdc39953034
pki-agent/ pki pki_4bdf3f62 system system false replicated false false map[] n/a df217689-bdef-a750-d216-2558d77080c1
pki-benchmarking/ pki pki_bc00ae63 system system false replicated false false map[default_lease_ttl_seconds:3600 max_lease_ttl_seconds:86400] Mount PKI at its own path as not to break anything existing 5c92c1d5-7377-e346-17e1-3ba11d73c4d1
$ vault list pki-benchmarking/roles
Keys
----
example_pki
$ vault read pki-benchmarking/roles/example_pki
Key Value
--- -----
allow_any_name false
allow_bare_domains false
allow_glob_domains false
allow_ip_sans true
allow_localhost true
allow_subdomains true
allow_token_displayname false
allowed_domains [example.com my.domain]
allowed_domains_template false
allowed_other_sans []
allowed_serial_numbers []
allowed_uri_sans []
basic_constraints_valid_for_non_ca false
client_flag true
code_signing_flag false
country []
email_protection_flag false
enforce_hostnames true
ext_key_usage []
ext_key_usage_oids []
generate_lease false
key_bits 4096
key_type rsa
key_usage [DigitalSignature KeyAgreement KeyEncipherment]
locality []
max_ttl 0s
no_store false
not_before_duration 0s
organization []
ou []
policy_identifiers []
postal_code []
province []
require_cn true
server_flag true
street_address []
ttl 3m
use_csr_common_name true
use_csr_sans true
$ vault read sys/mounts/pki-benchmarking/tune
Key Value
--- -----
audit_non_hmac_request_keys [common_name]
default_lease_ttl 8h
description Mount PKI at its own path as not to break anything existing
force_no_cache false
max_lease_ttl 24h
options map[default_lease_ttl_seconds:3600 max_lease_ttl_seconds:86400]
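The two reads above answer the practical question "how long can a certificate issued from this role actually live, and is the role safe to hand to an automated client?". The script below is an added example, not part of the gist: it takes the role and mount-tune data in the shape that `vault read -format=json <path>` returns (a top-level `data` object), resolves the role's `ttl` / `max_ttl` of `0s` against the mount's `default_lease_ttl` / `max_lease_ttl` the way Vault's documented fallback works, and lints a few settings a defender would review. The sample inputs are constructed from the values shown on this page; `WEAK_ROLE_JSON`, the 30-day policy ceiling, and the finding texts are this example's own assumptions, not anything the gist states.

```python
"""Audit a Vault PKI role against its mount's tuned TTLs (added example).

Assumes the JSON shape of `vault read -format=json`: {"data": {...}}.
Durations are accepted either as integer seconds (JSON output) or as Vault
duration strings such as "3m", "24h", "0s" (table output). Sample data is
constructed from the page; it is not a live Vault response.
"""
import json
import re

# Constructed from `vault read pki-benchmarking/roles/example_pki` above.
ROLE_JSON = json.dumps({"data": {
    "allow_any_name": False,
    "allow_ip_sans": True,
    "allow_localhost": True,
    "allow_subdomains": True,
    "allowed_domains": ["example.com", "my.domain"],
    "enforce_hostnames": True,
    "key_bits": 4096,
    "key_type": "rsa",
    "max_ttl": "0s",
    "ttl": "3m",
    "server_flag": True,
    "client_flag": True,
}})

# Hypothetical weak role, constructed for contrast (not on the page).
WEAK_ROLE_JSON = json.dumps({"data": {
    "allow_any_name": True,
    "enforce_hostnames": False,
    "key_bits": 1024,
    "key_type": "rsa",
    "max_ttl": "0s",
    "ttl": "0s",
}})

# Constructed from `vault read sys/mounts/pki-benchmarking/tune` above.
TUNE_JSON = json.dumps({"data": {
    "default_lease_ttl": "8h",
    "max_lease_ttl": "24h",
    "audit_non_hmac_request_keys": ["common_name"],
}})

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value):
    """Normalise a Vault duration (int seconds or e.g. '1h30m') to seconds."""
    if isinstance(value, int):
        return value
    parts = re.findall(r"(\d+)([smhd])", value)
    if not parts:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(num) * _UNITS[unit] for num, unit in parts)


def effective_ttls(role, tune):
    """Return (default_ttl, max_ttl) in seconds that issuance would use.

    Vault's documented fallback: a role max_ttl of 0 means the mount's
    max_lease_ttl applies, and the mount max is the ceiling in any case;
    a role ttl of 0 means the mount default applies, never exceeding the max.
    """
    mount_default = to_seconds(tune["default_lease_ttl"])
    mount_max = to_seconds(tune["max_lease_ttl"])
    max_ttl = min(to_seconds(role.get("max_ttl", 0)) or mount_max, mount_max)
    default_ttl = to_seconds(role.get("ttl", 0)) or mount_default
    return min(default_ttl, max_ttl), max_ttl


def audit_role(role_json, tune_json, max_cert_seconds=30 * 86400):
    """Return a list of 'WARN: ...' / 'INFO: ...' findings (empty = clean).

    max_cert_seconds is an assumed organisational ceiling, not a Vault value.
    """
    role = json.loads(role_json)["data"]
    tune = json.loads(tune_json)["data"]
    findings = []
    _, max_ttl = effective_ttls(role, tune)
    if role.get("allow_any_name"):
        findings.append("WARN: allow_any_name=true lets the role issue for arbitrary names")
    if not role.get("enforce_hostnames", True):
        findings.append("WARN: enforce_hostnames=false skips hostname-format validation")
    if role.get("key_type") == "rsa" and role.get("key_bits", 0) < 2048:
        findings.append(f"WARN: key_bits={role.get('key_bits')} is below 2048 for RSA")
    if max_ttl > max_cert_seconds:
        findings.append(f"WARN: effective max_ttl={max_ttl}s exceeds ceiling {max_cert_seconds}s")
    if "common_name" in tune.get("audit_non_hmac_request_keys", []):
        findings.append("INFO: common_name is written un-hashed to audit logs on this mount")
    return findings


if __name__ == "__main__":
    for label, data in (("example_pki", ROLE_JSON), ("weak-role", WEAK_ROLE_JSON)):
        role = json.loads(data)["data"]
        print(label, "effective (ttl, max_ttl):", effective_ttls(role, json.loads(TUNE_JSON)["data"]))
        for f in audit_role(data, TUNE_JSON):
            print("  ", f)
```

For the page's role the effective values come out as a 3-minute default and a 24-hour cap: the role's `max_ttl 0s` defers to the mount's `max_lease_ttl 24h`, so tightening certificate lifetime here means tuning the mount (or setting the role's `max_ttl`), not just the role's `ttl`. To run against a real mount, replace the constructed strings with the stdout of `vault read -format=json` for the role and tune paths.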