| vault mount pki |
| vault mount-tune -max-lease-ttl=438000h pki |
| vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1 |
| vi cacert.pem |
| vi cakey.pem |
| |
| vaultcert.hcl |
| backend "inmem" { |
| } |
| disable_mlock = true |
| default_lease_ttl = "700h" |
| max_lease_ttl = "768h" |
| listener "tcp" { |
| address = "127.0.0.1:8200" |
| tls_cert_file = "./cacert.pem" |
| tls_key_file = "./cakey.pem" |
| } |
| ======================================== |
| vault mount pki |
| vault mount-tune -max-lease-ttl=438000h pki |
| vault write pki/root/generate/exported common_name=myvault.com ttl=438000h max_ttl=438000h ip_sans=127.0.0.1 |
| vi testcacert1.pem |
| vi testcakey1.pem |
| vi testcaserial1 |
| |
| vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl" |
| vault write pki/roles/myvault-dot-com allowed_domains=myvault.com allow_subdomains=true ttl=437999h max_ttl=438000h allow_ip_sans=true |
| |
| vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1 |
| vi testissuedserial1 |
| |
| vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1 |
| vi testissuedcert2.pem |
| vi testissuedkey2.pem |
| vi testissuedserial2 |
| |
| vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1 |
| vi testissuedserial3 |
| |
| vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1 |
| vi testissuedcert4.pem |
| vi testissuedkey4.pem |
| vi testissuedserial4 |
| |
| vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1 |
| vi testissuedserial5 |
| |
| vault write pki/revoke serial_number=$(cat testissuedserial2) |
| vault write pki/revoke serial_number=$(cat testissuedserial4) |
| curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > issuedcertcrl |
| openssl crl -in issuedcertcrl -noout -text |
| |
| ======================================== |
| export VAULT_ADDR='http://127.0.0.1:8200' |
| vault mount pki |
| vault mount-tune -max-lease-ttl=438000h pki |
| vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1 |
| vi testcacert2.pem |
| vi testcakey2.pem |
| vi testcaserial2 |
| vi testcacert2leaseid |
| |
| vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl" |
| vault revoke $(cat testcacert2leaseid) |
| |
| curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > cacert2crl |
| openssl crl -in cacert2crl -noout -text |