CCH0124 · July 4, 2023 00:56 · May 11, 2021 · Mar 9, 2021 · Mar 9, 2021 · Mar 6, 2021
diff --git a/vault-pki.sh b/vault-pki.sh
@@ -12,7 +12,7 @@ $ vault secrets tune -max-lease-ttl=87600h pki
 #   key is not exported!
 
 $ vault write -field=certificate pki/root/generate/internal \
-  common_name="istio-ca" ttl=87600h > CA_cert.crt
+  common_name="istio-ca-vault" ttl=87600h > CA_cert.crt
 
 
 # This generates a new self-signed CA certificate and private key. Vault will automatically

diff --git a/vault-pki.sh b/vault-pki.sh
@@ -20,10 +20,10 @@ $ vault write -field=certificate pki/root/generate/internal \
 
 # Configure the CA and CRL URLs:
 
-# If you deployed Vault by using Kelsey How to this is how to get the $VAULT_SERVICE_URL
+# If you deployed Vault by using Kelsey How to, this is how to get the: 
 #VAULT_SERVICE_URL=$(gcloud run services describe vault-server \
 #  --platform managed \
-#  --region us-west1 \
+#  --region xx-xxxx1 \
 #  --format 'value(status.url)')
 #
 # ex. VAULT_SERVICE_URL=https://vault-server-XXXXXXX-uw.a.run.app

diff --git a/vault-pki.sh b/vault-pki.sh
@@ -20,9 +20,17 @@ $ vault write -field=certificate pki/root/generate/internal \
 
 # Configure the CA and CRL URLs:
 
+# If you deployed Vault by using Kelsey How to this is how to get the $VAULT_SERVICE_URL
+#VAULT_SERVICE_URL=$(gcloud run services describe vault-server \
+#  --platform managed \
+#  --region us-west1 \
+#  --format 'value(status.url)')
+#
+# ex. VAULT_SERVICE_URL=https://vault-server-XXXXXXX-uw.a.run.app
+
  $  vault write pki/config/urls \
-    issuing_certificates="https://vault-server-XXXXXXX-uw.a.run.app/v1/pki/ca" \
-    crl_distribution_points="https://vault-server-XXXXXX-uw.a.run.app/v1/pki/crl"
+    issuing_certificates="${VAULT_SERVICE_URL}/v1/pki/ca" \
+    crl_distribution_points="${VAULT_SERVICE_URL}/v1/pki/crl"
 
 # Creating the intermediate CA's:
 # First, enable the pki secrets engine at the pki_int1/pki_int2 path:

diff --git a/vault-pki.sh b/vault-pki.sh
@@ -133,4 +133,10 @@ path "pki_int2/sign/istio-ca2"    { capabilities = ["create", "update"] }
 path "pki_int2/issue/istio-ca2"   { capabilities = ["create"] }
 EOF
 
-# These paths enable the token to view all the roles created for this PKI secrets engine and access the sign and issues operations for the istio-ca roles.
+# These paths enable the token to view all the roles created for this PKI secrets engine and access the sign and issues operations for the istio-ca roles.
+
+
+###### References: #######
+
+#1) https://www.vaultproject.io/docs/secrets/pki
+#2) https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager#configure-pki-secrets-engine
diff --git a/vault-pki.sh b/vault-pki.sh
@@ -21,8 +21,8 @@ $ vault write -field=certificate pki/root/generate/internal \
 # Configure the CA and CRL URLs:
 
  $  vault write pki/config/urls \
-    issuing_certificates="https://vault-server-o2wqd4h6la-uw.a.run.app/v1/pki/ca" \
-    crl_distribution_points="https://vault-server-o2wqd4h6la-uw.a.run.app/v1/pki/crl"
+    issuing_certificates="https://vault-server-XXXXXXX-uw.a.run.app/v1/pki/ca" \
+    crl_distribution_points="https://vault-server-XXXXXX-uw.a.run.app/v1/pki/crl"
 
 # Creating the intermediate CA's:
 # First, enable the pki secrets engine at the pki_int1/pki_int2 path:

diff --git a/gistfile1.txt → vault-pki.sh b/gistfile1.txt → vault-pki.sh
@@ -1,4 +1,3 @@
-```bash
 # Creating the root CA:
 # First, enable the pki secrets engine at the pki path:
 
@@ -134,6 +133,4 @@ path "pki_int2/sign/istio-ca2"    { capabilities = ["create", "update"] }
 path "pki_int2/issue/istio-ca2"   { capabilities = ["create"] }
 EOF
 
-# These paths enable the token to view all the roles created for this PKI secrets engine and access the sign and issues operations for the istio-ca roles.
-
-````
+# These paths enable the token to view all the roles created for this PKI secrets engine and access the sign and issues operations for the istio-ca roles.
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -1,3 +1,4 @@
+```bash
 # Creating the root CA:
 # First, enable the pki secrets engine at the pki path:
 
@@ -135,3 +136,4 @@ EOF
 
 # These paths enable the token to view all the roles created for this PKI secrets engine and access the sign and issues operations for the istio-ca roles.
 
+````
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -0,0 +1,137 @@
+# Creating the root CA:
+# First, enable the pki secrets engine at the pki path:
+
+$ vault secrets enable pki
+
+# Tune the pki secrets engine to issue certificates with a maximum time-to-live (TTL) 
+#   of 87600 hours (10 years):
+
+$ vault secrets tune -max-lease-ttl=87600h pki
+
+# Generate the root CA, extracting the root CA's certificate to CA_cert.crt; the secret
+#   key is not exported!
+
+$ vault write -field=certificate pki/root/generate/internal \
+  common_name="istio-ca" ttl=87600h > CA_cert.crt
+
+
+# This generates a new self-signed CA certificate and private key. Vault will automatically
+#   revoke the generated root at the end of its lease period (TTL); the CA certificate will sign its own Certificate Revocation List (CRL).
+
+# Configure the CA and CRL URLs:
+
+ $  vault write pki/config/urls \
+    issuing_certificates="https://vault-server-o2wqd4h6la-uw.a.run.app/v1/pki/ca" \
+    crl_distribution_points="https://vault-server-o2wqd4h6la-uw.a.run.app/v1/pki/crl"
+
+# Creating the intermediate CA's:
+# First, enable the pki secrets engine at the pki_int1/pki_int2 path:
+
+# Cluster1
+$ vault secrets enable -path=pki_int1 pki
+
+# Cluster2
+$ vault secrets enable -path=pki_int2 pki
+
+
+# Tune the pki_int secrets engine to issue certificates with a maximum time-to-live (TTL)
+#   of 43800 hours (5 years):
+
+$ vault secrets tune -max-lease-ttl=43800h pki_int1
+
+$ vault secrets tune -max-lease-ttl=43800h pki_int2
+
+
+$ vault secrets list
+Path          Type         Accessor              Description
+----          ----         --------              -----------
+cubbyhole/    cubbyhole    cubbyhole_7c412e02    per-token private secret storage
+identity/     identity     identity_67658f5b     identity store
+pki/          pki          pki_2186b992          n/a
+pki_int1/     pki          pki_e2f26ce3          n/a
+pki_int2/     pki          pki_9e1f1ff2          n/a
+sys/          system       system_2682ba87       system endpoints used for control, policy and debugging
+
+# Execute the following commands to generate the intermediate CA's and save the CSR as 
+#   pki_intermediate1.csr:
+
+$ vault write -format=json pki_int1/intermediate/generate/internal \
+        common_name="Istio-ca Intermediate Authority1" \
+        | jq -r '.data.csr' > pki_intermediate1.csr
+
+$ vault write -format=json pki_int2/intermediate/generate/internal \
+        common_name="Istio-ca Intermediate Authority2" \
+        | jq -r '.data.csr' > pki_intermediate2.csr        
+
+
+# The above command has left a Certificate Signing Request output into your current directory - pki_intermediate.csr
+
+
+# Sign the intermediate certificate with the root certificate and save the generated
+#   certificate as intermediate.cert.pem:
+
+
+$ vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate1.csr \
+        format=pem ttl="43800h" \
+        | jq -r '.data.certificate' > intermediate1.cert.pem
+
+
+$ vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate2.csr \
+        format=pem ttl="43800h" \
+        | jq -r '.data.certificate' > intermediate2.cert.pem
+
+
+# append the RootCA to the pem to create a chain
+
+cat intermediate1.cert.pem > intermediate1.chain.pem
+cat CA_cert.crt >> intermediate1.chain.pem  
+
+cat intermediate2.cert.pem > intermediate2.chain.pem
+cat CA_cert.crt >> intermediate2.chain.pem 
+
+# Once the CSR is signed and the root CA returns a certificate, it can be imported back 
+#   into Vault:
+
+
+$ vault write pki_int1/intermediate/set-signed [email protected]
+
+$ vault write pki_int2/intermediate/set-signed [email protected]
+
+
+# Configure a role named istio-ca that enables the creation of certificates istio-ca domain with any name.
+
+
+# Cluster1
+$ vault write pki_int1/roles/istio-ca1 \
+    allowed_domains=istio-ca \
+    allow_any_name=true  \
+    enforce_hostnames=false \
+    require_cn=false \
+    allowed_uri_sans="spiffe://*" \
+    max_ttl=72h
+
+# Cluster2
+$ vault write pki_int2/roles/istio-ca2 \
+    allowed_domains=istio-ca \
+    allow_any_name=true  \
+    enforce_hostnames=false \
+    require_cn=false \
+    allowed_uri_sans="spiffe://*" \
+    max_ttl=72h
+
+# The role, istio-ca, is a logical name that maps to a policy used to generate credentials. This generates a number of endpoints that are used by the Kubernetes service account to issue and sign these certificates. A policy must be created that enables these paths.
+
+# Create a policy named pki-istio-ca that enables read access to the PKI secrets engine paths.
+
+$ vault policy write pki-istio-ca - <<EOF
+path "pki*"                        { capabilities = ["read", "list"] }
+path "pki_int1/roles/istio-ca1"   { capabilities = ["create", "update"] }
+path "pki_int1/sign/istio-ca1"    { capabilities = ["create", "update"] }
+path "pki_int1/issue/istio-ca1"   { capabilities = ["create"] }
+path "pki_int2/roles/istio-ca2"   { capabilities = ["create", "update"] }
+path "pki_int2/sign/istio-ca2"    { capabilities = ["create", "update"] }
+path "pki_int2/issue/istio-ca2"   { capabilities = ["create"] }
+EOF
+
+# These paths enable the token to view all the roles created for this PKI secrets engine and access the sign and issues operations for the istio-ca roles.
+
No results found