This gist is a quick-and-dirty bash script, designed for OS X (Darwin), that completes a working proof-of-concept of TLS certificate authentication against a HashiCorp Vault binary.
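#!/bin/bash
# credit to @v6 (https://github.com/v6) for the gist this grew from
#
# Proof-of-concept: stand up a TLS-enabled Vault dev server on macOS and log in
# with a client certificate issued by a throwaway local CA.
#
# Side effects to be aware of before running:
#   * installs certAuth.pem as a trusted root in the System keychain (needs sudo);
#     undo with:  sudo security remove-trusted-cert -d certAuth.pem
#   * appends a 127.0.0.1 entry for $VAULTFQDN to /etc/hosts (needs sudo)
#   * leaves a `vault server -dev` process running in the background
#   * writes private keys (*.key, user.pfx) into the current directory
set -euo pipefail

VAULTFQDN=vault.testdomain.local
USERNAME=davesusername
RELEASES=https://releases.hashicorp.com

die() { printf '%s\n' "$*" >&2; exit 1; }

# Figure out what the latest version of vault is. This script only works on OS X
# right now, so don't worry about architecture.
# The release index lists versions newest-first as ">vault_X.Y.Z<". Pre-releases
# carry a "-beta"/"-rc" suffix and therefore never match the digits-and-dots-only
# pattern, which is what the original `grep -v -` filter was doing.
index=$(curl -fsSL "${RELEASES}/vault/") || die "could not fetch the Vault release index"
VAULTLATESTBIN=$(awk 'match($0, />vault_[0-9][0-9.]*</) { print substr($0, RSTART + 1, RLENGTH - 2); exit }' <<<"$index")
[[ -n "$VAULTLATESTBIN" ]] || die "could not determine the latest Vault version"
VAULTLATESTDIR="/vault/${VAULTLATESTBIN#vault_}/"
ZIP="${VAULTLATESTBIN}_darwin_amd64.zip"
SUMS="${VAULTLATESTBIN}_SHA256SUMS"
FULLURL="${RELEASES}${VAULTLATESTDIR}${ZIP}"
printf 'Latest version directory is %s\n' "$VAULTLATESTDIR"
printf 'Latest version binary is %s\n' "$VAULTLATESTBIN"
printf 'Fetching Vault from %s\n' "$FULLURL"
# -f makes curl fail on an HTTP error instead of saving the error page as the zip.
curl -fsSL -o "$ZIP" "$FULLURL" || die "download of $FULLURL failed"
# Check the archive against HashiCorp's published checksum list. This catches a
# corrupt or substituted download; it does NOT verify the checksum file's own
# signature (the .sig published alongside it), so treat it as an integrity check,
# not an authenticity check.
curl -fsSL -o "$SUMS" "${RELEASES}${VAULTLATESTDIR}${SUMS}" || die "download of checksum list failed"
expected=$(awk -v f="$ZIP" '$2 == f { print $1 }' "$SUMS")
actual=$(shasum -a 256 "$ZIP" | awk '{ print $1 }')
[[ -n "$expected" && "$expected" == "$actual" ]] || die "SHA-256 mismatch for $ZIP"
unzip -o "$ZIP"

# dump the contents of the Certificate Authority config file into a conf
# (quoted delimiter: nothing in this block is meant to be expanded by the shell)
cat <<'EOF' > caconf.certAuth.conf
[ req ]
# Options for the req tool (man req).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, please use SHA-2 or greater instead.
default_md = sha384
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = San Francisco
0.organizationName_default = HashiCorpTesting
organizationalUnitName_default = Testing
emailAddress_default = certtesting@hashicorptesting.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF

# make a CA cert key and then a csr, then sign the csr
openssl genrsa -out certAuth.key 2048
openssl req -x509 -new -nodes -key certAuth.key -sha256 -days 2014 -out certAuth.pem -config caconf.certAuth.conf -extensions v3_ca -subj "/CN=DavesGenericCA"

# VAULT INSTANCE CERT - generate a key and CSR
openssl req -new -newkey rsa:2048 -nodes -keyout vault.key -out vault.csr -subj "/CN=$VAULTFQDN"
# unquoted delimiter on purpose: $VAULTFQDN must be expanded into the SAN list
cat <<EOF > caconf.vault.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $VAULTFQDN
EOF
# sign the vault server CSR with the CA we created above
openssl x509 -req -in vault.csr -CA certAuth.pem -CAkey certAuth.key -CAcreateserial -out vault.crt -days 365 -sha256 -extfile caconf.vault.conf

# USER IDENTIFICATION CERT - generate a key and CSR
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr -subj "/CN=$USERNAME"
# This certificate is only ever presented as a TLS client, so it gets the
# clientAuth EKU alone; serverAuth/codeSigning/emailProtection would let the same
# key be (mis)used for purposes this demo never needs.
cat <<EOF > caconf.user.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $USERNAME
EOF
# sign the user CSR with the CA we created above
openssl x509 -req -in user.csr -CA certAuth.pem -CAkey certAuth.key -CAcreateserial -out user.crt -days 365 -sha256 -extfile caconf.user.conf
# convert the user cert to pfx so we can import it into the OS certificate store.
# we are not using this method in this demo script, but you could use this within
# a browser to test TLS auth
openssl pkcs12 -export -nodes -out user.pfx -inkey user.key -in user.crt -certfile user.crt -passout pass:
# openssl honours the umask, which is usually 022: keep the private key material
# readable by the owner only.
chmod 600 certAuth.key vault.key user.key user.pfx

# import the CA cert into the OS's root store as trusted.
printf '\n\n ** THIS SCRIPT IS GOING TO REQUEST SUDO ACCESS NOW. PLEASE ENTER YOUR PASSWORD WHEN PROMPTED. ** \n\n\n'
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certAuth.pem

# push the hostname of the vault server we're hosting into hosts file.
# `sudo echo ... >> /etc/hosts` does not work: the redirection is performed by the
# unprivileged shell, not by sudo. Pipe through tee instead, and skip the append
# when the name is already present so re-runs don't pile up duplicate entries.
if ! grep -qF -- "$VAULTFQDN" /etc/hosts; then
  printf '127.0.0.1 %s\n' "$VAULTFQDN" | sudo tee -a /etc/hosts >/dev/null
fi

# dev mode vault server listens on 8200 by default, so add a listener to a new
# port that we can set up with tls. Bind to loopback only: the hosts entry above
# points the FQDN at 127.0.0.1, so nothing is lost by not exposing the PoC server
# on every interface. Client certs are NOT required at the listener, because the
# cert auth method verifies them itself and the other CLI calls below do not
# present one.
cat <<'EOF' > vault.hcl
listener "tcp" {
address = "127.0.0.1:8500"
tls_disable = false
tls_cert_file = "vault.crt"
tls_key_file = "vault.key"
tls_client_ca_file = "certAuth.pem"
tls_require_and_verify_client_cert = false
}
EOF

# start vault in dev mode with the config above
nohup ./vault server -dev -config=vault.hcl > vault_verbose.log 2>&1 &
# set up the vault CLI: point it at the TLS listener and trust our CA explicitly
# rather than relying on the keychain import above.
export VAULT_ADDR="https://${VAULTFQDN}:8500"
export VAULT_CACERT=certAuth.pem
# wait for vault to start: poll instead of a fixed sleep. A -dev server comes up
# unsealed, so `vault status` exits 0 as soon as the listener is reachable.
for ((i = 0; i < 30; i++)); do
  ./vault status >/dev/null 2>&1 && break
  sleep 1
done
./vault status >/dev/null 2>&1 || die "vault did not become ready; see vault_verbose.log"

# enable certificate authentication and upload the CA cert to vault
./vault auth enable cert
# NOTE: only `default` exists on a fresh dev server; `web` and `prod` are
# placeholder policy names carried over from the original gist.
./vault write auth/cert/certs/web display_name=cacert policies=default,web,prod certificate=@certAuth.pem ttl=3600
# finally - attempt a login using the user certificate we created above
./vault login -ca-cert=certAuth.pem -method=cert -client-cert=user.crt -client-key=user.key name=web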