demo.sh
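#!/bin/bash
# Demo: build a two-level PKI (root + intermediate CA) in a local Vault server,
# then issue one server and one client certificate from the intermediate.
# Run it from a scratch directory: the CLEANUP section below deletes the
# artefacts of a previous run.
#
# Terminal attributes used by the message helper. When TERM is unset (cron, a
# CI log, a redirected run) tput prints an error and no escape sequence; the
# stderr redirect keeps that error text out of the demo output and leaves the
# variables empty, which is the correct fallback for a non-terminal.
bld="$(tput bold 2>/dev/null)"
rst="$(tput sgr0 2>/dev/null)"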
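#######################################
# Print a coloured, one-second-paced step banner for the demo.
# Globals:
#   rst (read) - terminal reset sequence
# Arguments:
#   $1 - short context label, e.g. rootca-mount
#   $2 - message text; every line of it is printed with the label prefix
#   $3 - colour name: red, grn|green, ylw|yellow, blu|blue; anything else
#        selects colour 15
# Outputs:
#   a blank line, then "==> <label>: <line>" for each line of $2, on stdout
#######################################
msg() {
  local ctx=$1 txt=$2 colour_index line col
  case "$3" in
    red)        colour_index=1 ;;
    grn|green)  colour_index=10 ;;
    ylw|yellow) colour_index=11 ;;
    blu|blue)   colour_index=12 ;;
    *)          colour_index=15 ;;
  esac
  col="$(tput setaf "$colour_index")"
  echo
  # printf with the label as an argument instead of splicing $ctx into the
  # text of an awk program: a quote or backslash in the label can no longer
  # break or alter the program. Output is byte-for-byte the same as before.
  while IFS= read -r line; do
    printf '==> %s%s%s: %s\n' "$col" "$ctx" "$rst" "$line"
  done <<<"$txt"
  sleep 1
}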
# =========================================================================== CLEANUP
# Stop any running Vault and remove the artefacts of a previous run so the
# demo always starts from an empty file backend and fresh key material.
# NOTE: killall matches by process name, so this stops every process called
# 'vault' on the host, not only one started by this script.
killall vault 2>/dev/null
sleep 1
for leftover in client.* server.* ca-root.* ca-inter.* vault.hcl unseal.keys *.token; do
  rm -f -- "$leftover"
done
rm -rf -- vault/
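# =========================================================================== START SERVER
# Reuse an existing listener certificate, otherwise generate a self-signed one
# for localhost / 127.0.0.1.
# NOTE(review): this executes an unpinned remote script (the 'master' branch
# of a third-party repository) straight from curl into bash. Pin it to a
# commit and verify a checksum, or vendor the script, before reusing this
# outside a throwaway demo.
if [ ! -f vault.crt ] || [ ! -f vault.key ]; then
  set -x
  curl -sSL https://raw.githubusercontent.com/frntn/x509-san/master/gencert.sh | sed '1s/$/ -eux/' | CRT_CN="xoqnap" CRT_SAN="DNS.1:localhost,IP.1:127.0.0.1" CRT_FILENAME="vault" bash
  set +x
fi

# Minimal TLS listener on loopback with a file backend in ./vault.
# disable_mlock is a demo convenience only: it allows Vault's memory to be
# swapped to disk.
cat <<EOF > vault.hcl
backend "file" {
  path = "vault"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 0
  tls_cert_file = "vault.crt"
  tls_key_file = "vault.key"
}
plugin_directory = "/etc/vault/plugins"
disable_mlock = true
EOF

# The listener certificate is self-signed, so the CLI has to skip verification.
export VAULT_SKIP_VERIFY=true
export VAULT_ADDR="https://127.0.0.1:8200"
nohup vault server -config=vault.hcl >/dev/null 2>&1 &

# Wait until the listener answers instead of a fixed 3 s sleep, which raced
# 'vault init' on a slow start. curl is run without -f, so any HTTP reply from
# sys/health (the server is not initialised yet, so a non-2xx status is
# expected) counts as "up". Bounded so a server that never starts cannot hang
# the demo.
for _ in {1..30}; do
  curl -sk -o /dev/null "$VAULT_ADDR/v1/sys/health" && break
  sleep 1
done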
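# =========================================================================== INIT/UNSEAL/AUTH
# Everything written from here on is key material or a credential (unseal key,
# root token, CA private keys, issued keys, the p12 password), so create files
# owner-read-only. This was previously set only after 'vault init', which left
# unseal.keys and root.token with the default umask. The server process was
# started before this line and keeps the umask it inherited, so its own file
# backend (vault/) is not affected.
umask 377

# Single unseal key for the demo (no Shamir split). The init output is shown on
# the terminal, and the key and root token are captured into files. The output
# is captured once and parsed sequentially: the previous 'tee >(awk …)' fan-out
# did not wait for its writers, so 'cat unseal.keys' below could read an empty
# or partial file.
init_out=$(vault init -key-shares=1 -key-threshold=1)
printf '%s\n' "$init_out"
printf '%s\n' "$init_out" | awk '/^Initial Root Token:/{print $4}' > root.token
printf '%s\n' "$init_out" | awk '/^Unseal Key/{print $4}' > unseal.keys

vault unseal "$(cat unseal.keys)"
# NOTE: the token is passed as an argument and is visible in 'ps' and in
# shell traces for the duration of the call; acceptable for a demo root token.
vault auth "$(cat root.token)"

# =========================================================================== IMPORTANT NOTE
echo "$bld
=============================================================================
IMPORTANT NOTE:
Vault uses mount points : kv, database, pki, aws, ...
The 'pki' mount points has one 'root' and one 'intermediate' => pki/root/xxx and pki/intermediate/xxx
BUT
The 'pki' mount points can have one and only one privatekey
Therefore one mount point cannot handle both Root & Intermediate CA
(See: https://github.com/hashicorp/vault/issues/1586#issuecomment-230300216)
SO
You'll need one 'pki' mount point per certificate of your certificate chain
=============================================================================
$rst
"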
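# =========================================================================== ROOT
msg rootca-mount "Mount ROOT CA" red
vault mount -max-lease-ttl="87600h" -path="pki-root" -description="Acme - ROOT CA" pki

msg rootca-urls "Configure ROOT CA distribution endpoints (CA/CRL)" red
vault write pki-root/config/urls \
  issuing_certificates="https://pki.acme.inc/l0/ca" \
  crl_distribution_points="https://pki.acme.inc/l0/crl"

msg rootca-generate-crt "Generate ROOT CA (Self Signed)" red
# 'exported' returns the root private key in the response so it can be kept
# on disk (ca-root.pem.key, owner-read-only under the umask set earlier); the
# 'internal' variant would keep the key inside Vault.
# The JSON is captured once and split sequentially. The previous 'tee >(jq …)'
# fan-out did not wait for its writers, so the files could still be incomplete
# when the script moved on. A pipe (not a here-string) feeds jq so the private
# key is never spooled to a temporary file.
root_json=$(vault write -format=json pki-root/root/generate/exported \
  common_name="ACME Authority - L0" \
  alt_names="acme.inc,*.acme.inc" \
  key_type="ec" key_bits="256")
printf '%s' "$root_json" | jq -r .data.certificate > ca-root.pem.crt
printf '%s' "$root_json" | jq -r .data.issuing_ca  > ca-root.issuing_ca.pem.crt
printf '%s' "$root_json" | jq -r .data.private_key > ca-root.pem.key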
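# =========================================================================== INTERMEDIATE
msg interca-mount "Mount INTERMEDIATE CA" ylw
vault mount -max-lease-ttl="8760h" -path="pki-inter" -description="Acme - INTERMEDIATE CA" pki

msg interca-urls "Configure INTERMEDIATE CA distribution endpoints (CA/CRL)" ylw
vault write pki-inter/config/urls \
  issuing_certificates="https://pki.acme.inc/l1/ca" \
  crl_distribution_points="https://pki.acme.inc/l1/crl"

msg interca-generate-csr "Generate the INTERMEDIATE CA Certificate Sign Request" ylw
# Capture the JSON once and split it sequentially. The previous 'tee >(jq …)'
# fan-out did not wait for its writers, so ca-inter.pem.csr could still be
# incomplete when the sign-intermediate call below read it. A pipe feeds jq so
# the private key is never spooled to a temporary file.
inter_json=$(vault write -format=json pki-inter/intermediate/generate/exported \
  common_name="ACME Authority - L1" \
  alt_names="acme.inc,*.acme.inc" \
  key_type="ec" key_bits="256" \
  exclude_cn_from_sans="true")
printf '%s' "$inter_json" | jq -r .data.csr         > ca-inter.pem.csr
printf '%s' "$inter_json" | jq -r .data.private_key > ca-inter.pem.key

msg rootca-sign-interca-csr "Retrieve the INTERMEDIATE CA Certificagte (i.e. sign the INTERMEDIATE CSR with the ROOT CA)" red
# Only the CSR crosses to the root mount; the intermediate key stays in
# ca-inter.pem.key. Same capture-then-split pattern: set-signed below reads
# ca-inter.pem.crt immediately.
signed_json=$(vault write -format=json pki-root/root/sign-intermediate \
  common_name="ACME Authority - L1" \
  alt_names="acme.inc,*.acme.inc" \
  csr="@ca-inter.pem.csr" \
  ttl="720h")
printf '%s' "$signed_json" | jq -r .data.certificate > ca-inter.pem.crt
printf '%s' "$signed_json" | jq -r .data.issuing_ca  > ca-inter-issuing_ca.pem.crt

msg interca-upload-crt "Upload INTERMEDIATE CA to vault" ylw
vault write pki-inter/intermediate/set-signed \
  certificate="@ca-inter.pem.crt"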
# =========================================================================== Role
# Roles constrain what the intermediate's 'issue' endpoints may sign.
msg interca-role "Create 'server' role to configure the to-be-created server certificates attributes" ylw
# Server certificates: names under acme.inc only, EC P-256 keys, 72h max.
server_role=(
  client_flag="false"
  allow_any_name="false"
  allowed_domains="acme.inc"
  allow_subdomains="true"
  key_type="ec" key_bits="256"
  max_ttl="72h"
)
vault write pki-inter/roles/server "${server_role[@]}"

msg interca-role "Create 'client' role to configure the to-be-created client certificates attributes" ylw
# Client certificates: any common name is accepted (allow_any_name with no
# hostname enforcement), so whoever holds the 'client' token picks the name.
client_role=(
  server_flag="false"
  enforce_hostnames="false"
  allow_any_name="true"
  key_type="ec" key_bits="256"
  max_ttl="72h"
)
vault write pki-inter/roles/client "${client_role[@]}"
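# =========================================================================== Policy
# One policy per issuing endpoint, so each token created next can issue only
# its own certificate type. 'policy = "write"' is the older ACL form (newer
# Vault releases spell this with 'capabilities').
msg sys-create-policy "Create 'pki-issue-server' policy allowed to issue server certificates' $bld#ACL$rst" blu
vault policy-write pki-issue-server \
  <(echo 'path "pki-inter/issue/server" { policy = "write" }')

# Message corrected: it previously announced 'pki-issue-server' again, while
# the policy written here is 'pki-issue-client'.
msg sys-create-policy "Create 'pki-issue-client' policy allowed to issue client certificates' $bld#ACL$rst" blu
vault policy-write pki-issue-client \
  <(echo 'path "pki-inter/issue/client" { policy = "write" }')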
# =========================================================================== Token
# One token per policy. Only the client_token field is kept, in a file that the
# umask in effect here makes owner-read-only.
msg sys-create-token "Create 'server' token with the 'pki-issue-server' policy $bld#SESSION$rst" blu
server_token_json=$(vault token-create -format=json -policy=pki-issue-server)
printf '%s' "$server_token_json" | jq -r .auth.client_token > server.token

msg sys-create-token "Create 'client' token with the 'pki-issue-client' policy $bld#SESSION$rst" blu
client_token_json=$(vault token-create -format=json -policy=pki-issue-client)
printf '%s' "$client_token_json" | jq -r .auth.client_token > client.token
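# =========================================================================== Auth + Generate Server Certificate
msg issue-servercrt "Authenticate to vault using the 'server' token $bld#AUTH$rst" grn
# Replaces the CLI's active (root) token with the 'server' token, so the issue
# call below is authorised by the pki-issue-server policy rather than by root.
# The token is an argv value and is visible in 'ps' for the call's duration.
vault auth "$(cat server.token)"

msg issue-servercrt "Generate a server certificate ( exec command 'ls -l server.*' to see the private key, certificate, ca chain, issuing ca ) $bld#GENERATE$rst" grn
# Capture once, split sequentially: the previous 'tee >(jq …)' fan-out did not
# wait for its writers, so the files could still be incomplete after the
# pipeline returned. A pipe feeds jq so the private key is never spooled to a
# temporary file.
server_json=$(vault write -format=json pki-inter/issue/server \
  common_name="admin.staging.acme.inc")
printf '%s' "$server_json" | jq -r .data.certificate      > server.pem.crt
printf '%s' "$server_json" | jq -r .data.private_key      > server.pem.key
printf '%s' "$server_json" | jq -r .data.issuing_ca       > server.issuing_ca.pem.crt
printf '%s' "$server_json" | jq -r '.data.ca_chain | .[]' > server.ca_chain.pem.crt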
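# =========================================================================== Auth + Generate Client Certificate
# Authenticate and generate a CLIENT certificate
msg issue-clientcrt "Authenticate to vault using the 'client' token $bld#AUTH$rst" grn
# Replaces the CLI's active token with the 'client' token (pki-issue-client
# policy only). The token is an argv value and is visible in 'ps' for the
# call's duration.
vault auth "$(cat client.token)"

msg issue-clientcrt "Generate a client certificate ( exec command 'ls -l client.*' to see the private key, certificate, ca chain, issuing ca ) $bld#GENERATE$rst" grn
# Capture once, split sequentially. This matters here: the previous
# 'tee >(jq …)' fan-out did not wait for its writers, so the openssl call
# below could read a partially written client.pem.key / client.pem.crt. A pipe
# feeds jq so the private key is never spooled to a temporary file.
client_json=$(vault write -format=json pki-inter/issue/client \
  common_name="Matthieu Fronton")
printf '%s' "$client_json" | jq -r .data.certificate      > client.pem.crt
printf '%s' "$client_json" | jq -r .data.private_key      > client.pem.key
printf '%s' "$client_json" | jq -r .data.issuing_ca       > client.issuing_ca.pem.crt
printf '%s' "$client_json" | jq -r '.data.ca_chain | .[]' > client.ca_chain.pem.crt

msg interca-issue-clientcrt "Pack client certificate & private key in one protected 'client.p12' file $bld#PKCS12$rst" grn
# 65 random printable characters as the PKCS#12 password, written to an
# owner-read-only file (umask 377 is in effect) and handed to openssl through
# '-passout file:' so the password itself never appears on a command line.
< /dev/urandom tr -dc "+=\-%*\!&#':;{}()[]|^~\$_2-9T-Z" | head -c65 > client.p12.pass
openssl pkcs12 -export -out client.p12 -passout file:client.p12.pass -inkey client.pem.key -in client.pem.crt

# Restore the default umask for anything run after the demo.
umask 022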