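# --- Fixture set 1: a self-signed root CA and a test listener config that uses it ---
# Every step below talks to an already-running Vault server. The "vi" lines
# mean the corresponding response fields (certificate, private key) are
# pasted into the named files by hand.

# Mount the PKI secrets backend at pki/ (older CLI spelling; newer releases
# use "vault secrets enable" / "vault secrets tune") and raise the mount's
# max lease TTL so the 438000h (~50 year) root requested below is accepted.
vault mount pki
vault mount-tune -max-lease-ttl=438000h pki

# "exported" returns the CA private key in the response (the "internal"
# variant keeps it inside Vault), which is what makes cakey.pem possible.
# ip_sans=127.0.0.1 matches the loopback listener address in vaultcert.hcl.
vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
vi cacert.pem
vi cakey.pem

# Test-server config: in-memory storage, mlock off, and a TLS listener that
# presents the CA certificate generated above as its own identity. Using the
# CA signing key as a listener key is only acceptable for a throwaway fixture
# like this one; a real CA key never doubles as a server key.
vaultcert.hcl
backend "inmem" {
}
disable_mlock = true
default_lease_ttl = "700h"
max_lease_ttl = "768h"
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_cert_file = "./cacert.pem"
  tls_key_file = "./cakey.pem"
}
========================================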
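# --- Fixture set 2: a CA, a role, five issued leaf certs (two revoked) and the CRL ---
# The serial/cert/key files written here are the test fixtures; serials 2
# and 4 end up on the CRL so tests can exercise revocation checking.

vault mount pki
vault mount-tune -max-lease-ttl=438000h pki

# Unlike set 1 this also passes max_ttl, matching the role ceiling below.
vault write pki/root/generate/exported common_name=myvault.com ttl=438000h max_ttl=438000h ip_sans=127.0.0.1
vi testcacert1.pem
vi testcakey1.pem
vi testcaserial1

# URLs that get embedded into issued certificates (issuer and CRL
# distribution point). Plain http on loopback: this presumes a local dev
# instance without TLS, which the curl call further down relies on as well.
vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"

# The role permits cert.myvault.com (subdomain of myvault.com) and an IP SAN;
# ttl sits one hour under max_ttl so issuance never hits the ceiling.
vault write pki/roles/myvault-dot-com allowed_domains=myvault.com allow_subdomains=true ttl=437999h max_ttl=438000h allow_ip_sans=true

# Five issuances with identical parameters. Only the serial is kept for
# 1, 3 and 5; 2 and 4 also keep cert + key because they are the ones revoked.
vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedserial1

vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedcert2.pem
vi testissuedkey2.pem
vi testissuedserial2

vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedserial3

vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedcert4.pem
vi testissuedkey4.pem
vi testissuedserial4

vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
vi testissuedserial5

# Quoted: an unquoted $(cat ...) is word-split and globbed, so a serial file
# with stray whitespace would silently produce a different argument list.
vault write pki/revoke serial_number="$(cat testissuedserial2)"
vault write pki/revoke serial_number="$(cat testissuedserial4)"

# Fetch the CRL as PEM and inspect it; both revoked serials should be listed.
# The token is taken from VAULT_TOKEN (the same variable the vault CLI reads)
# instead of being written into these notes as the old hard-coded dev root
# token "123". It still appears in curl's argv, which is acceptable only
# against a local dev server. -f turns an HTTP error (e.g. 403) into a
# non-zero exit instead of saving the error body as the CRL.
curl -sSf "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:${VAULT_TOKEN:?set to the dev server root token}" > issuedcertcrl
openssl crl -in issuedcertcrl -noout -text

========================================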
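# --- Fixture set 3: a second CA whose own certificate is revoked, plus its CRL ---
# Local dev server over plain http; VAULT_ADDR is exported so the vault CLI
# and the curl call below talk to the same instance.
export VAULT_ADDR='http://127.0.0.1:8200'

vault mount pki
vault mount-tune -max-lease-ttl=438000h pki

# In addition to cert/key/serial, the lease id from the root-generation
# response is kept. NOTE(review): presumably revoking that lease is what
# revokes the CA certificate below -- confirm against the openssl output.
vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
vi testcacert2.pem
vi testcakey2.pem
vi testcaserial2
vi testcacert2leaseid

vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"

# Quoted so the lease id is passed as exactly one argument.
vault revoke "$(cat testcacert2leaseid)"

# Fetch and inspect the CRL; testcaserial2 is expected to appear in it.
# Token comes from VAULT_TOKEN rather than the hard-coded dev root token
# "123" the old notes used; -f fails loudly on an HTTP error instead of
# writing the error body into cacert2crl.
curl -sSf "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:${VAULT_TOKEN:?set to the dev server root token}" > cacert2crl
openssl crl -in cacert2crl -noout -text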