PKI infrastructure using Hashicorp Vault
So today we will quickly go through setting up vault as our PKI backend. Capabilities of vault are much more to what is shown here as we are just touching several out of many more options from Hashicorp Vault.
Idea here will be to create root CA and then intermediate CA to provide our users/servers with certificates based on our needs. Since I already have been playing a bit with vault I prepared myself quick script. But before we go there we have a list of pre requisites need for all of this to work:
- Vault server
- exported VAULT_ADDR and VAULT_TOKEN
- vault cli
- httpie (https://github.com/jkbrzt/httpie)
- jq (https://stedolan.github.io/jq/)
Building quickly vault server when you have a docker engine is easy as running
|
1 |
docker run -d --name vault -P --cap-add IPC_LOCK rafpe/docker-vault:latest server -dev-listen-address=0.0.0.0:8200 -dev |
which will bring up our container. From there we need to grab token ID which we will use later for calls to our servers.
Export the values
|
1 2 |
export VAULT_ADDR="http://my-server-address:my-port" export VAULT_TOKEN="my-token" |
Once done you can grab my init script below
Be sure to modify URL for your vault server and off you go 🙂
To create certificate you need to create a role and then make a request for issuing one
|
1 2 3 |
vault write rafpe_intermediate/roles/rafpe-engineer lease_max="336h" lease="336h" key_type="rsa" key_bits="2048" allow_any_name=true vault write rafpe_intermediate/issue/rafpe-engineer common_name="ninja.rafpe.engineer:rafpe" ttl=720h format=pem |
This will get you started. And in one of next posts we will use this infra for our HAproxy
