Forked from bhouse/vault_intermediate_ca_setup.sh
Last active
January 22, 2025 02:14
-
-
Save codekoala/888c02e2e63fd301e96d397bad5a0bdc to your computer and use it in GitHub Desktop.
Setting Up Hashicorp Vault with an intermediate CA based on https://gist.github.com/jefferai/092d2cd728ff66089f17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash -e | |
| # Setup a Root CA in vault | |
| # Generate and sign an Intermediate cert | |
| # | |
| # Requires: | |
| # * A running vault server already initialzed and unsealed | |
| # * Environment variable VAULT_TOKEN is set | |
| # * vault cli (https://www.vaultproject.io) | |
| # * httpie (https://github.com/jkbrzt/httpie) | |
| # * jq (https://stedolan.github.io/jq/) | |
| # | |
| # Note: we use httpie + jq because vault write commands aren't able to return | |
| # formatted json for parsing | |
| # Mount a PKI backend for the root Certificate authority | |
| echo "Creating root CA" | |
| vault mount -path=root_ca pki | |
| # Set the max TTL for the root CA to 10 years | |
| echo "Tuning root CA" | |
| vault mount-tune -max-lease-ttl="87600h" root_ca | |
| # Generate the root CA keypair, the key is stored internally to vault | |
| echo "Generating root CA cert" | |
| vault write root_ca/root/generate/internal common_name="Acme Inc. Root CA" ttl="87600h" | |
| # TODO: setup CRL and OCSP urls | |
| # Mount the intermediate CA for the zone | |
| echo "Creating intermediate CA" | |
| vault mount -path=intermediate_acme_com pki | |
| # Set the max TTL for acme.com certs to 1 year | |
| echo "Tuning intermediate CA" | |
| vault mount-tune -max-lease-ttl=8760h intermediate_acme_com | |
| # Generate CSR for acme.com to be signed by the root CA, the key is stored | |
| # internally to vault | |
| echo "Generating intermediate CSR" | |
| http POST http://127.0.0.1:8200/v1/intermediate_acme_com/intermediate/generate/internal X-Vault-Token:$VAULT_TOKEN common_name=acme.com | jq -r .data.csr > acme_com.csr | |
| # Generate and sign the acme.com certificate as an intermediate CA | |
| echo "Get intermediate cert" | |
| http POST http://127.0.0.1:8200/v1/root_ca/root/sign-intermediate X-Vault-Token:$VAULT_TOKEN ttl="8760h" csr=@acme_com.csr | jq -r .data.certificate > acme_com.crt | |
| # Add signed acme.com certificate to intermediate CA backend | |
| echo "Add intermediate cert" | |
| vault write intermediate_acme_com/intermediate/set-signed certificate=@acme_com.crt | |
| # Create role for issuing acme.com certificates | |
| # Max least time is 14 days | |
| echo "Create a role for subdomain certs" | |
| vault write intermediate_acme_com/roles/acme_com allowed_domains="acme.com" lease_max="336h" allow_subdomains=true | |
| # Issue a cert for an acme.com subdomain valid for 1 week | |
| echo "Issue a subdomain cert" | |
| http POST http://127.0.0.1:8200/v1/intermediate_acme_com/issue/acme_com X-Vault-Token:$VAULT_TOKEN common_name="foo.acme.com" ttl="168h" | jq -r .data.private_key,.data.certificate,.data.issuing_ca > foo_acme_com.crt | |
| echo "Intermediate CA cert:" | |
| openssl x509 -in acme_com.crt -noout -subject -issuer | |
| echo "Subdomain Cert:" | |
| openssl x509 -in foo_acme_com.crt -noout -subject -issuer |
use command -v instead of hash for portability and to avoid unneeded dependencies.
Why not use curl or wget? Both are far more likely to be installed on most systems.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Should check that openssl is present as well.