
@greyhoundforty
Last active October 9, 2024 13:47
Secrets Manager Private CA Setup

Create Root Certificate Authority

Create a file called root-ca.json and add the following:

{
  "config_type": "private_cert_configuration_root_ca",
  "name": "rst-cli-root-ca",
  "max_ttl": "43830h",
  "crl_expiry": "72h",
  "crl_disable": false,
  "crl_distribution_points_encoded": true,
  "issuing_certificates_urls_encoded": true,
  "common_name": "rst-cli-root-ca",
  "ttl": "43830h",
  "format": "pem",
  "private_key_format": "der",
  "key_type": "rsa",
  "key_bits": 4096,
  "max_path_length": -1,
  "exclude_cn_from_sans": false,
  "organization": ["Demo"],
  "country": ["US"],
  "locality": ["Houston"],
  "province": ["Texas"],
  "ou": ["Cloud"]
}

Create the Root CA

ibmcloud secrets-manager configuration-create --configuration-prototype=@root-ca.json

Create Intermediate CA

Create a file called intermediate-ca.json and add the following (the issuer must be the name of the root CA configuration created above):

{
  "config_type": "private_cert_configuration_intermediate_ca",
  "name": "rst-cli-intermediate-ca",
  "max_ttl": "43830h",
  "crl_expiry": "72h",
  "crl_disable": false,
  "crl_distribution_points_encoded": true,
  "issuing_certificates_urls_encoded": true,
  "common_name": "rst-cli-intermediate-ca",
  "format": "pem",
  "private_key_format": "der",
  "key_type": "rsa",
  "key_bits": 4096,
  "exclude_cn_from_sans": false,
  "organization": ["Demo"],
  "country": ["US"],
  "locality": ["Houston"],
  "province": ["Texas"],
  "ou": ["Cloud"],
  "signing_method": "internal",
  "issuer": "rst-cli-root-ca"
}

Create the intermediate CA

ibmcloud secrets-manager configuration-create --configuration-prototype=@intermediate-ca.json

VPN Server cert template

Create a file called server-cert-template.json and add the following (certificate_authority must be the name of the intermediate CA configuration):

{
  "config_type": "private_cert_configuration_template",
  "name": "rst-cli-cert-template",
  "certificate_authority": "rst-cli-intermediate-ca",
  "max_ttl": "8760h",
  "ttl": "8760h",
  "allow_localhost": true,
  "allow_any_name": true,
  "allow_ip_sans": false,
  "allow_subdomains": false,
  "allow_wildcard_certificates": false,
  "enforce_hostnames": false,
  "server_flag": true,
  "client_flag": false,
  "code_signing_flag": false,
  "email_protection_flag": false,
  "key_bits": 4096,
  "key_type": "rsa",
  "use_csr_common_name": false,
  "use_csr_sans": false,
  "organization": ["Demo"],
  "country": ["US"],
  "locality": ["Houston"],
  "province": ["Texas"],
  "ou": ["Cloud"]
}

Create the VPN Cert template

ibmcloud secrets-manager configuration-create --configuration-prototype=@server-cert-template.json

Sign intermediate CA

Create a file called sign_ca.json and add the following:

{
  "action_type": "private_cert_configuration_action_sign_intermediate",
  "intermediate_certificate_authority": "rst-cli-intermediate-ca"
}

Sign the intermediate CA with the root CA (--name is the root CA configuration name)

ibmcloud secrets-manager configuration-action-create --name rst-cli-root-ca --config-action-prototype=@sign_ca.json

Create VPN Server Cert Secret

Create a file called server-cert.json and add the following (certificate_template must be the name of the template created above; replace secret_group_id with your own secret group):

{
  "name": "vpn-server-cert",
  "description": "TLS cert for VPN server",
  "secret_type": "private_cert",
  "secret_group_id": "5aba01bd-035f-7caa-dc6d-a5871c38829a",
  "certificate_template": "rst-cli-cert-template",
  "common_name": "vpn-server-cert",
  "ttl": "4190h",
  "rotation": {
    "auto_rotate": true,
    "interval": 1,
    "unit": "month"
  }
}

Create certificate secret

ibmcloud secrets-manager secret-create --secret-prototype=@server-cert.json
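The five JSON files above form one chain: the intermediate's issuer must equal the root's name, the template's certificate_authority and the sign action's intermediate_certificate_authority must equal the intermediate's name, and the secret's certificate_template must equal the template's name. A mismatch in any link only surfaces when the CLI call fails. The script below, an added example that is not part of the gist, generates all five files from one set of names and refuses to write them if a link does not line up. The names, the subject fields and the secret group id are constructed for the example; the rule that a child's TTL may not exceed its issuer's max_ttl is an assumed sanity check, not a documented service limit.

```python
from __future__ import annotations

import json
import re
from pathlib import Path

# Constructed names for this example: every later config refers back to these strings.
ROOT_CA = "rst-cli-root-ca"
INTERMEDIATE_CA = "rst-cli-intermediate-ca"
TEMPLATE = "rst-cli-cert-template"
SUBJECT = {"organization": ["Demo"], "country": ["US"], "locality": ["Houston"],
           "province": ["Texas"], "ou": ["Cloud"]}
CRL = {"crl_expiry": "72h", "crl_disable": False,
       "crl_distribution_points_encoded": True, "issuing_certificates_urls_encoded": True}
KEY = {"format": "pem", "private_key_format": "der", "key_type": "rsa", "key_bits": 4096}


def root_ca_config(name: str = ROOT_CA, ttl: str = "43830h") -> dict:
    return {"config_type": "private_cert_configuration_root_ca", "name": name,
            "common_name": name, "max_ttl": ttl, "ttl": ttl, "max_path_length": -1,
            "exclude_cn_from_sans": False, **CRL, **KEY, **SUBJECT}


def intermediate_ca_config(name: str = INTERMEDIATE_CA, issuer: str = ROOT_CA,
                           max_ttl: str = "43830h") -> dict:
    return {"config_type": "private_cert_configuration_intermediate_ca", "name": name,
            "common_name": name, "max_ttl": max_ttl, "signing_method": "internal",
            "issuer": issuer, "exclude_cn_from_sans": False, **CRL, **KEY, **SUBJECT}


def cert_template_config(name: str = TEMPLATE, ca: str = INTERMEDIATE_CA,
                         ttl: str = "8760h") -> dict:
    # Server-auth only: client, code-signing and email EKUs stay off; no IP SANs or wildcards.
    return {"config_type": "private_cert_configuration_template", "name": name,
            "certificate_authority": ca, "max_ttl": ttl, "ttl": ttl,
            "allow_localhost": True, "allow_any_name": True, "allow_ip_sans": False,
            "allow_subdomains": False, "allow_wildcard_certificates": False,
            "enforce_hostnames": False, "server_flag": True, "client_flag": False,
            "code_signing_flag": False, "email_protection_flag": False,
            "use_csr_common_name": False, "use_csr_sans": False,
            "key_type": "rsa", "key_bits": 4096, **SUBJECT}


def sign_intermediate_action(intermediate: str = INTERMEDIATE_CA) -> dict:
    return {"action_type": "private_cert_configuration_action_sign_intermediate",
            "intermediate_certificate_authority": intermediate}


def server_cert_secret(name: str, secret_group_id: str, template: str = TEMPLATE,
                       ttl: str = "4190h") -> dict:
    return {"name": name, "description": "TLS cert for VPN server",
            "secret_type": "private_cert", "secret_group_id": secret_group_id,
            "certificate_template": template, "common_name": name, "ttl": ttl,
            "rotation": {"auto_rotate": True, "interval": 1, "unit": "month"}}


_TTL = re.compile(r"^(\d+)([smhd])$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def ttl_seconds(ttl: str) -> int:
    """Convert a Secrets Manager duration string such as '43830h' to seconds."""
    m = _TTL.match(ttl)
    if not m:
        raise ValueError(f"unsupported TTL {ttl!r}")
    return int(m.group(1)) * _SECONDS[m.group(2)]


def check_chain(root: dict, inter: dict, template: dict, action: dict, secret: dict) -> list[str]:
    """Return every cross-reference or lifetime mismatch between the five configs."""
    problems = []
    links = [  # (what, value that must match, value it must equal)
        ("intermediate issuer", inter["issuer"], root["name"]),
        ("template certificate_authority", template["certificate_authority"], inter["name"]),
        ("sign action intermediate", action["intermediate_certificate_authority"], inter["name"]),
        ("secret certificate_template", secret["certificate_template"], template["name"]),
    ]
    for what, got, want in links:
        if got != want:
            problems.append(f"{what} is {got!r}, expected {want!r}")
    # Assumed sanity rule: a link may not be allowed to outlive what its issuer will sign.
    lifetimes = [("intermediate max_ttl", inter["max_ttl"], root["max_ttl"]),
                 ("template max_ttl", template["max_ttl"], inter["max_ttl"]),
                 ("secret ttl", secret["ttl"], template["max_ttl"])]
    for what, child, parent in lifetimes:
        if ttl_seconds(child) > ttl_seconds(parent):
            problems.append(f"{what} {child} exceeds its issuer's max_ttl {parent}")
    return problems


def write_configs(outdir: Path, secret_group_id: str) -> dict[str, Path]:
    """Write the five JSON files the CLI commands consume via =@file, after checking them."""
    configs = {"root-ca.json": root_ca_config(),
               "intermediate-ca.json": intermediate_ca_config(),
               "server-cert-template.json": cert_template_config(),
               "sign_ca.json": sign_intermediate_action(),
               "server-cert.json": server_cert_secret("vpn-server-cert", secret_group_id)}
    problems = check_chain(*configs.values())  # insertion order matches the signature
    if problems:
        raise ValueError("; ".join(problems))
    outdir.mkdir(parents=True, exist_ok=True)
    paths = {}
    for fname, cfg in configs.items():
        paths[fname] = outdir / fname
        paths[fname].write_text(json.dumps(cfg, indent=2) + "\n")
    return paths


if __name__ == "__main__":
    for p in write_configs(Path("sm-pki"), "SECRET_GROUP_ID_PLACEHOLDER").values():
        print("wrote", p)
```

Run it once, then point each ibmcloud command at the file it wrote; changing a CA or template name in one place regenerates every reference to it. Passing deliberately mismatched names to check_chain, as the test below does, reproduces the kind of drift that makes the intermediate or secret creation fail at the CLI.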