manual PKI creation script

manual_pki.sh

export VAULT_ADDR=https://localhost:8200
export VAULT_TOKEN=root

# Root CA
vault secrets enable -path=pki_root pki
# tune to 10 years
vault secrets tune -max-lease-ttl=87600h pki_root

# Generate internal certificate
vault write -field=certificate pki_root/root/generate/internal \
     common_name="example.com" \
     issuer_name="root-2024" \
     ttl=87600h > root_2024_ca.crt

# Configure root CA CRL and CA public endpoint
vault write pki/config/urls \
     issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
     crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"


# Int CA in different namespace
# Mount the secret engine in different namespace
vault secrets enable -path=pki_int -namespace=$CHILD_CA pki

# Tune to 5 years
vault secrets tune -max-lease-ttl=43800h -namespace=$CHILD_CA pki_int

# Create the certificate signing request
vault write -format=json pki_int/intermediate/generate/internal \
     common_name="example.com Intermediate Authority" \
     | jq -r '.data.csr' > pki_intermediate.csr

# Sign the generated csr with the ca root
vault write -format=json pki_root/root/sign-intermediate \
     csr=@pki_intermediate.csr \
      ttl="43800h" \
     | jq -r '.data.certificate' > intermediate.cert.pem

# Add the signed cert to the int ca
vault write pki_int/intermediate/set-signed [email protected]

# Create leaf CA (Issuing CA)
vault write pki_int/roles/example-dot-com \
     allowed_domains="example.com" \
     allow_subdomains=true \
     max_ttl="720h"


# test leaf CA
vault write pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"