@reard3n
Created March 8, 2019 14:55
This gist is a quick-and-dirty bash script, designed for OS X (Darwin), that completes a working proof-of-concept of TLS certificate authentication against a HashiCorp Vault binary.
#!/bin/bash
# credit to @v6 (https://github.com/v6) for the gist this grew from
VAULTFQDN=vault.testdomain.local
USERNAME=davesusername
# Figure out what the latest version of vault is. This script only works on OS X right now, so don't worry about architecture.
VAULTLATESTDIR=`curl -s https://releases.hashicorp.com/vault/ | grep href | grep -v - | grep -v "\.\." | head -n1 | awk -F"\"" '{print $2}'`
VAULTLATESTBIN=`curl -s https://releases.hashicorp.com/vault/ | grep href | grep -v - | grep -v "\.\." | head -n1 | awk -F">" '{print $2}' | awk -F"<" '{print $1}'`
echo "Latest version directory is $VAULTLATESTDIR"
echo "Latest version binary is $VAULTLATESTBIN"
FULLURL="https://releases.hashicorp.com${VAULTLATESTDIR}${VAULTLATESTBIN}_darwin_amd64.zip"
echo "Fetching Vault from $FULLURL"
curl $FULLURL > ${VAULTLATESTBIN}_darwin_amd64.zip
unzip -o ${VAULTLATESTBIN}_darwin_amd64.zip
# dump the contents of the Certificate Authority config file into a conf
cat << EOF > caconf.certAuth.conf
[ req ]
# Options for the req tool (man req).
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, please use SHA-2 or greater instead.
default_md = sha384
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = San Francisco
0.organizationName_default = HashiCorpTesting
organizationalUnitName_default = Testing
emailAddress_default = certtesting@hashicorptesting.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
# make a CA cert key and then a csr, then sign the csr
openssl genrsa -out certAuth.key 2048
openssl req -x509 -new -nodes -key certAuth.key -sha256 -days 2014 -out certAuth.pem -config caconf.certAuth.conf -extensions v3_ca -subj "/CN=DavesGenericCA"
# VAULT INSTANCE CERT - generate a key and CSR
openssl req -new -newkey rsa:2048 -nodes -keyout vault.key -out vault.csr -subj "/CN=$VAULTFQDN"
cat << EOF > caconf.vault.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $VAULTFQDN
EOF
# sign the vault server CSR with the CA we created above
openssl x509 -req -in vault.csr -CA certAuth.pem -CAkey certAuth.key -CAcreateserial -out vault.crt -days 365 -sha256 -extfile caconf.vault.conf
# USER IDENTIFICATION CERT - generate a key and CSR
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr -subj "/CN=$USERNAME"
cat << EOF > caconf.user.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names
[alt_names]
DNS.1 = $USERNAME
EOF
# sign the user CSR with the CA we created above
openssl x509 -req -in user.csr -CA certAuth.pem -CAkey certAuth.key -CAcreateserial -out user.crt -days 365 -sha256 -extfile caconf.user.conf
# convert the user cert to pfx so we can import it into the OS certificate store. we are not using this method in this demo script, but you could use this within a browser to test TLS auth
openssl pkcs12 -export -nodes -out user.pfx -inkey user.key -in user.crt -certfile user.crt -passout pass:
# import the CA cert into the OS's root store as trusted.
echo ""
echo ""
echo " ** THIS SCRIPT IS GOING TO REQUEST SUDO ACCESS NOW. PLEASE ENTER YOUR PASSWORD WHEN PROMPTED. ** "
echo ""
echo ""
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certAuth.pem
# push the hostname of the vault server we're hosting into hosts file
# (sudo must cover the write to /etc/hosts, not just the echo, so pipe through tee -a)
echo "127.0.0.1 $VAULTFQDN" | sudo tee -a /etc/hosts > /dev/null
# dev mode vault server listens on 8200 by default, so add a listener to a new port that we can set up with tls
cat << EOF > vault.hcl
listener "tcp" {
address = "0.0.0.0:8500"
tls_disable = false
tls_cert_file = "vault.crt"
tls_key_file = "vault.key"
tls_client_ca_file = "certAuth.pem"
tls_require_and_verify_client_cert = false
}
EOF
# start vault in dev mode with the config above
nohup ./vault server -dev -config=vault.hcl > vault_verbose.log &
# set up the vault CLI
export VAULT_ADDR="https://vault.testdomain.local:8500"
# wait for vault to start
sleep 5
# enable certificate authentication and upload the CA cert to vault
./vault auth enable cert
./vault write auth/cert/certs/web display_name=cacert policies=default,web,prod certificate=@certAuth.pem ttl=3600
# finally - attempt a login using the user certificate we created above
./vault login -ca-cert=certAuth.pem -method=cert -client-cert=user.crt -client-key=user.key name=web
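As an added example (not part of the gist above), the following self-contained bash script builds a throwaway CA and two leaf certificates with the same openssl steps the gist uses, then checks a client certificate the way a TLS client-auth verifier will before the CA is handed to `vault write auth/cert/certs/...`: chain to the CA, TLS client purpose (`clientAuth` EKU, `digitalSignature` key usage), not within a day of expiry, and which SAN names it carries. The CA name `ExampleCA`, the user `alice`, the file names and the helper functions `check_client_cert` and `cert_sans` are constructed for this demo; `allowed_names` and `allowed_dns_sans` are Vault cert-auth role parameters the gist does not use.

```shell
#!/bin/bash
# Added example, not the gist's own code: generate a throwaway CA plus two leaf
# certificates (names and paths below are constructed for this demo), then check a
# client certificate the way a TLS client-auth verifier will before registering the
# CA with Vault's cert auth method.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config mirroring the gist's caconf.certAuth.conf (constructed).
cat << EOF > "$WORK/ca.conf"
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
CN = ExampleCA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF

# Leaf extension profiles: one scoped to clientAuth only, one to serverAuth only.
cat << EOF > "$WORK/client.ext"
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:alice
EOF
cat << EOF > "$WORK/server.ext"
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# CA key and self-signed CA cert (same commands as the gist, shorter lifetime).
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -x509 -new -nodes -key "$WORK/ca.key" -sha256 -days 30 \
  -out "$WORK/ca.pem" -config "$WORK/ca.conf" -extensions v3_ca 2>/dev/null

# One CSR for user "alice", signed twice with the two extension profiles.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/user.key" \
  -out "$WORK/user.csr" -config "$WORK/ca.conf" -subj "/CN=alice" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/user.crt" -days 30 -sha256 \
  -extfile "$WORK/client.ext" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/server_only.crt" -days 30 -sha256 \
  -extfile "$WORK/server.ext" 2>/dev/null

# check_client_cert CA_PEM LEAF_CRT: returns 0 when LEAF_CRT chains to CA_PEM,
# is valid for the TLS client purpose (clientAuth EKU, digitalSignature key
# usage) and is not within a day of expiry; returns 1 otherwise.
check_client_cert() {
  local ca="$1" crt="$2"
  if ! openssl verify -CAfile "$ca" -purpose sslclient "$crt" > /dev/null 2>&1; then
    return 1
  fi
  if ! openssl x509 -noout -checkend 86400 -in "$crt" > /dev/null 2>&1; then
    return 1
  fi
  return 0
}

# cert_sans LEAF_CRT: prints the subjectAltName entries (e.g. "DNS:alice"), the
# values a Vault cert role's allowed_names / allowed_dns_sans are matched against.
cert_sans() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Demonstration: only the clientAuth-scoped leaf is accepted.
if check_client_cert "$WORK/ca.pem" "$WORK/user.crt"; then
  echo "user.crt: OK for client auth, SAN: $(cert_sans "$WORK/user.crt")"
fi
if ! check_client_cert "$WORK/ca.pem" "$WORK/server_only.crt"; then
  echo "server_only.crt: rejected (no clientAuth EKU)"
fi
```

The gist's user certificate requests serverAuth, clientAuth, codeSigning and emailProtection; only clientAuth is needed to log in with the cert method, and the clientAuth-only leaf above passes the same `-purpose sslclient` check, so the narrower profile costs nothing. Run the check against `certAuth.pem` and `user.crt` from the gist before the `vault write auth/cert/certs/web` step to catch a bad chain or a missing EKU without reading Vault's logs.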