@therandomsecurityguy
Created June 22, 2017 15:08

Vault PKI Root and Intermediate Certificates

Root Certificate

vault mount -path=pki-root pki

vault mount-tune -max-lease-ttl=87600h pki-root

# Writes a JSON file to the filesystem. With the "exported" type, the file
# contains the root certificate and its private key in plaintext.
vault write -format=json pki-root/root/generate/exported \
  common_name=example.com \
  ttl=87600h \
  > root-exported.json

# Extract the root certificate and private key into a PEM bundle
cat root-exported.json | jq -r '.data.certificate,.data.private_key' > intermediate.pem

Intermediate Certificate

vault mount -path=pki-services pki

vault mount-tune -max-lease-ttl=87600h pki-services

cat intermediate.pem | vault write pki-services/config/ca pem_bundle=-

vault write pki-services/roles/services \
  allow_bare_domains=true \
  allowed_domains="example.com" \
  allow_subdomains="true" \
  max_ttl="72h"

vault write pki-services/issue/services \
  common_name=www.example.com
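
The steps above import the exported root certificate and private key into pki-services through config/ca, so both mounts hold the same CA key and the root key sits on disk in root-exported.json and intermediate.pem. The following added example (not part of the original gist) shows a CSR-based variant in which pki-services generates its own key and pki-root only signs it; the 43800h TTL, the intermediate's common_name, the working directory, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist. Uses the gist's legacy CLI verbs
# (mount, mount-tune). TTL 43800h and the intermediate's common_name are
# assumptions chosen for illustration.

# True if the file contains any PEM private key block.
has_private_key() {
  grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}

# Usage: setup_intermediate /path/to/workdir
# Runs in a subshell so the tightened umask does not leak to the caller.
setup_intermediate() (
  workdir=$1
  umask 077

  vault mount -path=pki-root pki || exit 1
  vault mount-tune -max-lease-ttl=87600h pki-root || exit 1
  # "internal" keeps the root key inside Vault; only the certificate comes back.
  vault write -field=certificate pki-root/root/generate/internal \
    common_name=example.com ttl=87600h > "$workdir/root.crt" || exit 1

  vault mount -path=pki-services pki || exit 1
  vault mount-tune -max-lease-ttl=43800h pki-services || exit 1
  # pki-services generates its own key pair and hands back only a CSR.
  vault write -field=csr pki-services/intermediate/generate/internal \
    common_name="example.com Services Intermediate" \
    > "$workdir/services.csr" || exit 1
  # The root signs the CSR and returns the intermediate CA certificate.
  vault write -field=certificate pki-root/root/sign-intermediate \
    csr=@"$workdir/services.csr" ttl=43800h \
    > "$workdir/services.crt" || exit 1

  # Stop before import if anything on disk holds key material.
  for f in root.crt services.csr services.crt; do
    if has_private_key "$workdir/$f"; then
      echo "private key material found in $workdir/$f" >&2
      exit 1
    fi
  done

  vault write pki-services/intermediate/set-signed \
    certificate=@"$workdir/services.crt" || exit 1
)
```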
