@kgutwin
Created June 30, 2015 15:23
Vault PKI testing script
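#!/bin/bash
# make-ca.sh — create a self-signed test CA (ca-key.pem + ca.pem) in the
# current directory.
# Taken from https://docs.docker.com/articles/https/
# You will have to enter a passphrase when prompted: ca-key.pem is stored
# AES-256-encrypted with it. The Vault test script in this gist later
# decrypts that key (openssl rsa) into ca-bundle.pem, so the working
# directory ends up holding plaintext CA key material.
set -euo pipefail   # stop at the first failing openssl step instead of
                    # signing a CA cert with a missing or partial key
umask 077           # every file created below is owner-readable only
ca_days=${CA_DAYS:-365}   # CA validity in days; override with CA_DAYS=<n>
openssl genrsa -aes256 -out ca-key.pem 2048
openssl req -subj "/CN=$HOSTNAME" -new -x509 -days "$ca_days" -key ca-key.pem \
  -sha256 -out ca.pem
# The server/client certificate steps from the Docker article stay disabled,
# presumably because the Vault pki backend issues the leaf certificates in
# this gist. NOTE(review): the test script's config.json still names
# server-cert.pem / server-key.pem, which nothing here creates.
#openssl genrsa -out server-key.pem 2048
#openssl req -subj "/CN=$HOSTNAME" -new -key server-key.pem -out server.csr
#echo subjectAltName = IP:127.0.0.1 > extfile.cnf
#openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
# -CAcreateserial -out server-cert.pem -extfile extfile.cnf
#openssl genrsa -out key.pem 2048
#openssl req -subj '/CN=client' -new -key key.pem -out client.csr
#echo extendedKeyUsage = clientAuth > extfile.cnf
#openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
# -CAcreateserial -out cert.pem -extfile extfile.cnf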
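#!/bin/bash
# Vault PKI test: start a dev-mode Vault, load the test CA into its pki
# backend, issue one certificate and verify it. Expects make-ca.sh alongside.
set -euo pipefail   # originally only 'set -e', and only after make-ca.sh had
                    # already run, so a failed CA generation went unnoticed
set -v
# Generate the test CA on first run. A failing make-ca.sh now aborts here.
[[ -f ca.pem ]] || bash make-ca.sh
# Start vault server...
# NOTE(review): server-cert.pem / server-key.pem are not produced by
# make-ca.sh (those steps are commented out there) and the rest of this
# script talks to http://127.0.0.1:8200, i.e. the -dev listener, so this
# TLS listener on :8300 looks unused — confirm before relying on it.
cat > config.json <<'EOF'
listener "tcp" {
address = "127.0.0.1:8300"
tls_cert_file = "server-cert.pem"
tls_key_file = "server-key.pem"
}
EOF
vault server -dev -config=config.json &
VAULT_PID=$!   # read by finally() via the EXIT trap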
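# Stop the background Vault server on any exit path (installed with
# 'trap finally EXIT'). Reads the global VAULT_PID.
finally() {
  kill "$VAULT_PID"
}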
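trap finally EXIT
# The dev listener speaks plain HTTP; everything below, including the
# decrypted CA key in pem_bundle, crosses loopback unencrypted. Acceptable
# only for a throwaway test CA.
export VAULT_ADDR=http://127.0.0.1:8200
# Poll for readiness instead of a fixed 'sleep 1', which raced the server
# start; bounded so a server that never comes up still fails the script.
ready=0
for (( i = 0; i < 30; i++ )); do
  if vault status >/dev/null 2>&1; then
    ready=1
    break
  fi
  sleep 1
done
(( ready )) || { printf 'vault did not become ready\n' >&2; exit 1; }
# Configure backend
vault mount pki
# Vault needs the CA key in the clear: decrypt ca-key.pem (passphrase
# prompt) and append ca.pem. umask 077 keeps this plaintext key, newcert.json
# and newcert-key.pem owner-only. ca-bundle.pem is reused across runs, so
# delete it when the testing is over.
# Assemble under a temporary name: a failed or aborted decrypt must not leave
# a half-written ca-bundle.pem that the -f check would accept next run.
umask 077
if [[ ! -f ca-bundle.pem ]]; then
  { openssl rsa -in ca-key.pem; cat ca.pem; } > ca-bundle.pem.tmp
  mv ca-bundle.pem.tmp ca-bundle.pem
fi
vault write pki/config/ca pem_bundle="@ca-bundle.pem"
vault write pki/roles/dswmpoc \
allowed_base_domain="dswm-poc.biogen.com" \
allow_subdomains="true" lease_max="72h"
# Request a certificate (the JSON response includes the private key)
vault write -format=json pki/issue/dswmpoc \
common_name=blah.dswm-poc.biogen.com > newcert.json
# Split the response into PEM files; each file gets a trailing newline.
python <<'EOF'
import json
with open('newcert.json') as f:
    data = json.load(f)['data']
for name, key in (('newcert-ca.pem', 'issuing_ca'),
                  ('newcert-cert.pem', 'certificate'),
                  ('newcert-key.pem', 'private_key')):
    with open(name, 'w') as out:
        out.write(data[key] + '\n')
EOF
# Verifying against the issuing_ca returned in the same response only shows
# the response is self-consistent. The meaningful check is that the issued
# certificate chains to the CA we loaded (ca.pem); both run so a mismatch
# between the two is visible.
# NOTE(review): some older OpenSSL releases exit 0 from 'verify' even when
# verification fails — confirm the exit status is meaningful on the test
# machine, otherwise 'set -e' will not catch a bad chain.
openssl verify -CAfile newcert-ca.pem newcert-cert.pem
openssl verify -CAfile ca.pem newcert-cert.pem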