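#!/bin/sh
#
# Bootstrap a two-tier PKI in HashiCorp Vault -- a root CA on the `pki` mount
# and an intermediate CA on `pki_int` -- then issue one short-lived leaf
# certificate and install it as a Consul agent's TLS material.
#
# One-shot script: `secrets enable` and `root/generate` are not idempotent, so
# rerunning against an already-initialised Vault aborts at the first step that
# already exists (that is intentional; it must not silently mint a second root).
#
# Requires: `vault` (already authenticated -- VAULT_ADDR / VAULT_TOKEN in the
# environment), `jq`, `mktemp`, and write access to the Consul cert directory.
#
# Optional environment (defaults reproduce the original hard-coded values):
#   PKI_DOMAIN       base domain for the CA names and the issuing role (ego.io)
#   PKI_URL_BASE     URL clients use to reach Vault; it is embedded in the
#                    AIA / CRL fields of every certificate (https://127.0.0.1:8200)
#   CONSUL_CERT_DIR  where agent.crt / agent.key / ca.crt are written
#                    (/opt/consul/agent-certs)
#
# Files left in the working directory: CA_cert.crt, pki_intermediate.csr,
# intermediate.cert.pem (public material only).
#
# `set -o pipefail` is not portable under /bin/sh, so every Vault response is
# written to a file first and parsed afterwards instead of being piped into jq;
# with `set -e` a failing `vault write` then aborts the script immediately.
set -eu

PKI_DOMAIN="${PKI_DOMAIN:-ego.io}"
PKI_URL_BASE="${PKI_URL_BASE:-https://127.0.0.1:8200}"
CONSUL_CERT_DIR="${CONSUL_CERT_DIR:-/opt/consul/agent-certs}"
LEAF_CN="catalog.service.${PKI_DOMAIN}"

# Raw JSON responses -- one of them carries the leaf's private key -- go into
# a private (0700) temp dir that is removed on every exit path, error included.
work=$(mktemp -d) || exit 1
trap 'rm -rf -- "$work"' EXIT

# ---- Root CA (mount: pki) ---------------------------------------------------
vault secrets enable pki
# 87600h = 10 years. The mount's max-lease-ttl caps every TTL requested below.
vault secrets tune -max-lease-ttl=87600h pki

# "internal" keeps the root key inside Vault; only the certificate is exported.
vault write -field=certificate pki/root/generate/internal \
  common_name="${PKI_DOMAIN}" \
  ttl=87600h > CA_cert.crt

# AIA and CRL distribution URLs stamped into every certificate this CA issues.
# The default is loopback, which only resolves on the Vault host itself: any
# peer on another machine that tries to fetch the CRL will fail. Set
# PKI_URL_BASE to the externally reachable address for a real deployment.
vault write pki/config/urls \
  issuing_certificates="${PKI_URL_BASE}/v1/pki/ca" \
  crl_distribution_points="${PKI_URL_BASE}/v1/pki/crl"

# ---- Intermediate CA (mount: pki_int) ---------------------------------------
vault secrets enable -path=pki_int pki
# 43800h = 5 years, i.e. half the root's lifetime.
vault secrets tune -max-lease-ttl=43800h pki_int

# The intermediate's key also never leaves Vault; only a CSR comes back.
# `jq -e` exits non-zero when the field is null/missing, so a malformed
# response aborts here instead of producing an empty CSR file.
vault write -format=json pki_int/intermediate/generate/internal \
  common_name="${PKI_DOMAIN} Intermediate Authority" > "$work/int.json"
jq -er '.data.csr' "$work/int.json" > pki_intermediate.csr

# Sign the CSR with the root and hand the signed cert back to the intermediate.
vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
  format=pem_bundle ttl="43800h" > "$work/signed.json"
jq -er '.data.certificate' "$work/signed.json" > intermediate.cert.pem

vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

# ---- Issuing role -----------------------------------------------------------
# Any name under PKI_DOMAIN may be issued (allow_subdomains covers every
# depth); leaf TTL is capped at 720h = 30 days. generate_lease=true attaches a
# Vault lease to each certificate so it can be revoked through the lease API.
vault write "pki_int/roles/${PKI_DOMAIN}" \
  allowed_domains="${PKI_DOMAIN}" \
  allow_subdomains=true \
  generate_lease=true \
  max_ttl="720h"

# ---- Leaf certificate for the Consul agent ----------------------------------
# Ask for JSON and extract the fields with jq. The previous version piped the
# human-readable response through `tee certs.txt` -- leaving the private key in
# a world-readable file in the working directory -- and scraped it with
# `grep -Pzo`, which only GNU grep understands (the old FIXME). Nothing from
# this response is printed or kept outside $work.
vault write -format=json "pki_int/issue/${PKI_DOMAIN}" \
  common_name="${LEAF_CN}" \
  ttl="24h" > "$work/issue.json"

# ---- Install into the Consul agent's cert directory -------------------------
mkdir -p -- "$CONSUL_CERT_DIR"

jq -er '.data.certificate' "$work/issue.json" > "${CONSUL_CERT_DIR}/agent.crt"

# NOTE(review): issuing_ca is the intermediate certificate alone, so agents
# trusting ca.crt anchor on the intermediate, not the root. If peers must chain
# up to CA_cert.crt, write `.data.ca_chain[]` here instead -- confirm against
# the Consul verify_* settings in use.
jq -er '.data.issuing_ca' "$work/issue.json" > "${CONSUL_CERT_DIR}/ca.crt"

# The key is created owner-only: remove any stale copy first (a redirect onto
# an existing file would keep its old mode), then write under umask 077 inside
# a subshell so the umask change does not leak into the rest of the script.
# NOTE(review): if Consul runs as a dedicated service account, chown agent.key
# (and the directory) to that account afterwards; this script does not know it.
rm -f -- "${CONSUL_CERT_DIR}/agent.key"
(
  umask 077
  jq -er '.data.private_key' "$work/issue.json" > "${CONSUL_CERT_DIR}/agent.key"
)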