frntn/vault-unattended-pki
Prerequisites
The following binaries are in your system's PATH :
- bash >=4.3
- vault >=0.9.0
- jq >= 1.5
Usage
Start the script
$ ./demo.sh
What it does
Basically the script starts vault, and use its pki
mount point to create and configure :
- The ROOT Certificate Authority
- An INTERMEDIATE Certificate Authority
It then create and use relevant token (i.e. "user session") w/ attached policy (i.e. "access control list") to issue server and client certificate.
Last step shows how to create a P12 archive with the client cert and private key
Output Files
See .gitignore
for list of generated files with relevant comment
If you want to check your generated server certificate (for example) :
$ openssl x509 -in server.pem.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2f:24:73:83:86:11:d9:1b:70:ef:86:16:9b:54:d4:2a:6f:94:1a:db
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=ACME Authority - L1
Validity
Not Before: Nov 22 14:07:00 2017 GMT
Not After : Nov 25 14:07:30 2017 GMT
Subject: CN=admin.staging.acme.inc
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:7e:0b:38:0b:4e:53:1b:41:81:28:31:48:05:12:
8c:09:56:a9:eb:bb:58:d4:fd:83:7d:bf:51:5c:a6:
57:25:db:5a:3c:53:10:9d:1e:78:38:1a:78:bd:70:
1f:5d:cc:29:36:cc:26:6a:d1:04:da:d0:2d:14:f1:
f4:b9:c7:cc:3a
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
FF:61:BA:80:65:E1:E2:03:5C:E2:74:82:DD:EB:8F:11:84:3F:53:EC
X509v3 Authority Key Identifier:
keyid:84:C4:EB:0A:30:86:78:7B:F3:C8:CB:9B:8B:9F:86:3F:7F:63:01:B9
Authority Information Access:
CA Issuers - URI:https://pki.acme.inc/l1/ca
X509v3 Subject Alternative Name:
DNS:admin.staging.acme.inc
X509v3 CRL Distribution Points:
Full Name:
URI:https://pki.acme.inc/l1/crl
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:d7:81:f9:ab:1e:00:b1:cc:98:f4:bf:4a:c0:
6d:fe:a7:a0:ae:23:7a:8b:11:f8:22:2b:3a:51:e9:ab:a0:aa:
1f:02:21:00:d6:d7:50:1c:f6:fc:a7:79:4b:e1:62:cc:9f:3f:
bb:ae:02:42:d5:e5:dd:79:e0:57:e3:36:76:1e:79:51:75:b3
TODO
- Add TravisCI