v1.14.6/builtin/credential/cert/test-fixtures/generate.txt - hashicorp/vault - Git at Google

 vault mount pki
 vault mount-tune -max-lease-ttl=438000h pki
 vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
 vi cacert.pem
 vi cakey.pem

 vaultcert.hcl
 backend "inmem" {
 }
 disable_mlock = true
 default_lease_ttl = "700h"
 max_lease_ttl = "768h"
 listener "tcp" {
   address = "127.0.0.1:8200"
   tls_cert_file = "./cacert.pem"
   tls_key_file = "./cakey.pem"
 }
 ========================================
 vault mount pki
 vault mount-tune -max-lease-ttl=438000h pki
 vault write pki/root/generate/exported common_name=myvault.com ttl=438000h max_ttl=438000h ip_sans=127.0.0.1
 vi testcacert1.pem
 vi testcakey1.pem
 vi testcaserial1

 vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
 vault write pki/roles/myvault-dot-com allowed_domains=myvault.com allow_subdomains=true ttl=437999h max_ttl=438000h allow_ip_sans=true

 vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
 vi testissuedserial1

 vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
 vi testissuedcert2.pem
 vi testissuedkey2.pem
 vi testissuedserial2

 vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
 vi testissuedserial3

 vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
 vi testissuedcert4.pem
 vi testissuedkey4.pem
 vi testissuedserial4

 vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
 vi testissuedserial5

 vault write pki/revoke serial_number=$(cat testissuedserial2)
 vault write pki/revoke serial_number=$(cat testissuedserial4)
 curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > issuedcertcrl
 openssl crl -in issuedcertcrl -noout -text

 ========================================
 export VAULT_ADDR='http://127.0.0.1:8200'
 vault mount pki
 vault mount-tune -max-lease-ttl=438000h pki
 vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
 vi testcacert2.pem
 vi testcakey2.pem
 vi testcaserial2
 vi testcacert2leaseid

 vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
 vault revoke $(cat testcacert2leaseid)

 curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > cacert2crl
 openssl crl -in cacert2crl -noout -text
	vault mount pki
	vault mount-tune -max-lease-ttl=438000h pki
	vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
	vi cacert.pem
	vi cakey.pem

	vaultcert.hcl
	backend "inmem" {
	}
	disable_mlock = true
	default_lease_ttl = "700h"
	max_lease_ttl = "768h"
	listener "tcp" {
	address = "127.0.0.1:8200"
	tls_cert_file = "./cacert.pem"
	tls_key_file = "./cakey.pem"
	}
	========================================
	vault mount pki
	vault mount-tune -max-lease-ttl=438000h pki
	vault write pki/root/generate/exported common_name=myvault.com ttl=438000h max_ttl=438000h ip_sans=127.0.0.1
	vi testcacert1.pem
	vi testcakey1.pem
	vi testcaserial1

	vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
	vault write pki/roles/myvault-dot-com allowed_domains=myvault.com allow_subdomains=true ttl=437999h max_ttl=438000h allow_ip_sans=true

	vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
	vi testissuedserial1

	vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
	vi testissuedcert2.pem
	vi testissuedkey2.pem
	vi testissuedserial2

	vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
	vi testissuedserial3

	vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
	vi testissuedcert4.pem
	vi testissuedkey4.pem
	vi testissuedserial4

	vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
	vi testissuedserial5

	vault write pki/revoke serial_number=$(cat testissuedserial2)
	vault write pki/revoke serial_number=$(cat testissuedserial4)
	curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > issuedcertcrl
	openssl crl -in issuedcertcrl -noout -text

	========================================
	export VAULT_ADDR='http://127.0.0.1:8200'
	vault mount pki
	vault mount-tune -max-lease-ttl=438000h pki
	vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
	vi testcacert2.pem
	vi testcakey2.pem
	vi testcaserial2
	vi testcacert2leaseid

	vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
	vault revoke $(cat testcacert2leaseid)

	curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > cacert2crl
	openssl crl -in cacert2crl -noout -text