From 95ade50a6104299b52f9bbc2e069ff65bd80ef7d Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Sun, 20 Jun 2021 21:04:53 -0400
Subject: [PATCH] Update README with more flexible instructions
Use variables and newer instructions to help with compatibility issues.
---
 README.md | 140 +++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 106 insertions(+), 34 deletions(-)
diff --git a/README.md b/README.md
index b380d46..343510a 100644
--- a/README.md
+++ b/README.md
@@ -208,60 +208,93 @@ read_secrets:
 ### Create a CA
 ```bash
-# Note: 19800h is Apple's limit
-vault secrets enable -path=pki_dnet pki
-vault secrets tune -max-lease-ttl=19800h pki_dnet
+export ROOT_PATH=dnet
-vault write pki_dnet/root/generate/internal \
- common_name=vault.ducoterra.net \
+# Note: 19800h is Apple's limit
+vault secrets enable -path=$ROOT_PATH pki
+vault secrets tune -max-lease-ttl=19800h $ROOT_PATH
+
+# Create a root CA
+vault write $ROOT_PATH/root/generate/internal \
+ common_name="Ducoterra Root CA" \
 ttl=19800h
-vault write pki_dnet/config/urls \
- issuing_certificates="https://vault.ducoterra.net/v1/pki_dnet/ca" \
- crl_distribution_points="https://vault.ducoterra.net/v1/pki_dnet/crl"
+# Create a CA URL
+vault write $ROOT_PATH/config/urls \
+ issuing_certificates="https://vault.ducoterra.net/v1/$ROOT_PATH/ca" \
+ crl_distribution_points="https://vault.ducoterra.net/v1/$ROOT_PATH/crl"
 ```
+Navigate to and download the CA. Import to your devices.
+
 ### Create an intermediate CA
 ```bash
-vault secrets enable -path=pki_dnet_int pki
-vault secrets tune -max-lease-ttl=19800h pki_dnet_int
-vault write -format=json pki_dnet_int/intermediate/generate/internal \
- common_name="vault.ducoterra.net Intermediate Authority" \
- | jq -r '.data.csr' > certs/pki_dnet_intermediate.csr
+export ROOT_PATH=dnet
+export PKI_PATH=dnet_inter
-vault write -format=json pki_dnet/root/sign-intermediate \
- csr=@certs/pki_dnet_intermediate.csr format=pem_bundle ttl=19800h \
- | jq -r '.data.certificate' > certs/pki_dnet_intermediate.cert.pem
+vault secrets enable -path=$PKI_PATH pki
+vault secrets tune -max-lease-ttl=8760h $PKI_PATH
-vault write pki_dnet_int/intermediate/set-signed certificate=@certs/pki_dnet_intermediate.cert.pem
+# Create CSR to sign with root CA
+vault write -format=json $PKI_PATH/intermediate/generate/internal \
+ common_name="Ducoterra Intermediate CA" \
+ | jq -r '.data.csr' > certs/$PKI_PATH.csr
-vault write pki_dnet_int/config/urls \
- 
issuing_certificates="https://vault.ducoterra.net/v1/pki_dnet_int/ca" \
- crl_distribution_points="https://vault.ducoterra.net/v1/pki_dnet_int/crl"
+# Sign the CSR with the root CA
+vault write -format=json $ROOT_PATH/root/sign-intermediate \
+ csr=@certs/$PKI_PATH.csr format=pem_bundle ttl=8760h \
+ | jq -r '.data.certificate' > certs/$PKI_PATH.cert.pem
-vault write pki_dnet_int/roles/dnet \
- allowed_domains=dnet \
- allow_subdomains=true max_ttl=19800h
+# Save the signed cert to vault
+vault write $PKI_PATH/intermediate/set-signed certificate=@certs/$PKI_PATH.cert.pem
-vault write pki_dnet_int/roles/pi_hole \
- allowed_domains=hole \
- allow_subdomains=true max_ttl=19800h
+# Create a CA URL
+vault write $PKI_PATH/config/urls \
+ issuing_certificates="https://vault.ducoterra.net/v1/$PKI_PATH/ca" \
+ crl_distribution_points="https://vault.ducoterra.net/v1/$PKI_PATH/crl"
 ```
-Navigate to and download the CA. Import to your devices.
+Navigate to and download the CA. Import to your devices.
+
+### Allow .dnet and .hole certificates
+
+```bash
+export PKI_PATH=dnet_inter
+
+# Allow .dnet subdomain
+vault write $PKI_PATH/roles/dnet \
+ allowed_domains=dnet \
+ allow_subdomains=true max_ttl=8760h
+
+# Allow .hole subdomain
+vault write $PKI_PATH/roles/pi_hole \
+ allowed_domains=hole \
+ allow_subdomains=true max_ttl=8760h
+```
 ### Issue a certificate
 ```bash
-# Use -format=json to dump a json file
-vault write pki_dnet_int/issue/dnet \
- common_name=freenas.dnet > certs/freenas.dnet.cert
+export PKI_PATH=dnet_inter
+export CNAME=freenas.dnet
-vault write pki_dnet_int/issue/pi_hole \
- common_name=pi.hole > certs/pi.hole.cert
+# Use -format=json to dump a json file
+vault write $PKI_PATH/issue/dnet \
+ common_name=$CNAME \
+ max_ttl=8760h > certs/$CNAME.cert
+
+# Pihole Example
+vault write $PKI_PATH/issue/pi_hole \
+ common_name=$CNAME \
+ max_ttl=8760h > certs/$CNAME.cert
 ```
+#### Adding cert to freenas
+
+Only caveat here is to paste the certificate and then the full chain cert below in the
+"certificate" section. iOS will infintely refresh the page if the full chain isn't provided.
+
 #### Adding cert to pihole
 ```bash
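Review bot: The `# Pihole Example` under "Issue a certificate" still runs with `CNAME=freenas.dnet` from two lines above, and the `pi_hole` role defined in this same hunk only allows the `hole` domain, so that request should be refused by Vault — and if it were accepted it would overwrite the `certs/$CNAME.cert` the previous command just wrote; add `export CNAME=pi.hole` directly before it. Both issue commands pass `max_ttl=8760h`, but as far as I recall `max_ttl` is a role parameter and the `issue/` endpoint takes `ttl`, so the value is ignored and the certificate gets the role's default lifetime; `ttl=8760h` looks like what was intended. The retained comment `# Use -format=json to dump a json file` no longer matches the commands beneath it, which omit `-format=json` and redirect Vault's table output into the `.cert` files, so those files will not be usable PEM; either pipe through `-format=json | jq -r '.data.certificate'` as the intermediate section does, or reword the comment. Minor: `infintely` → `infinitely` in the freenas note.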
@@ -278,6 +311,45 @@ vim /etc/lighttpd/external.conf
 service lighttpd restart
 ```
+#### Adding cert to cloudkey
+
+**THIS DOESN'T WORK**
+
+```bash
+service unifi stop
+
+# Remove the UNIFI_SSL_KEYSTORE=/etc/ssl/private/unifi.keystore.jks line from config
+cp /etc/default/unifi /etc/default/unifi.back
+vim /etc/default/unifi
+
+# Remove the keystore reference
+mv /usr/lib/unifi/data/keystore /usr/lib/unifi/data/keystore.back
+
+# Copy your primary SSL Certificate into /etc/ssl/private/cloudkey.crt
+cp /etc/ssl/private/cloudkey.crt /etc/ssl/private/cloudkey.crt.back
+vim /etc/ssl/private/cloudkey.crt
+
+# Copy your private key into /etc/ssl/private/cloudkey.key
+cp /etc/ssl/private/cloudkey.key /etc/ssl/private/cloudkey.key.back
+vim /etc/ssl/private/cloudkey.key
+
+# Add the CA to /etc/ssl/private/vault-ca.pem
+vim /etc/ssl/private/vault-ca.pem
+
+# Generate the key bundle
+openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey \
+/etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 \
+-name unifi -CAfile /etc/ssl/private/vault-ca.pem -caname vault -password pass:temppass
+
+# Import to keystore
+# Default password is "aircontrolenterprise"
+keytool -importkeystore -deststorepass aircontrolenterprise \
+-destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore \
+-srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass temppass -alias unifi -noprompt
+
+service unifi start
+```
+
 ### Revoke a certificate
 ```bash
@@ -298,13 +370,13 @@ EOF
 vault write auth/kubernetes/role/issuer \
 bound_service_account_names=issuer \
 bound_service_account_namespaces=cert-manager \
- policies=pki_dnet \
+ policies=pki_dnet_int \
 ttl=20m
 kubectl -n cert-manager create serviceaccount issuer
 ISSUER_SECRET_REF=$(kubectl -n cert-manager get serviceaccount issuer -o json | jq -r ".secrets[].name")
-cat > cert-manager/vault-issuer.yaml < cert-manager/vault-clusterissuer.yaml <
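Review bot: The `openssl pkcs12 -export` command in the cloudkey section passes `-CAfile` and `-caname` but neither `-chain` nor `-certfile`, and in my reading of openssl `-CAfile` is only consulted when `-chain` requests chain building, so the `.p12` — and the keystore built from it — carries the leaf certificate only; that matches the freenas note in this patch that clients misbehave without the full chain and is a plausible cause of the "THIS DOESN'T WORK" banner. Suggest `openssl pkcs12 -export -chain -CAfile /etc/ssl/private/vault-ca.pem ...` (or `-certfile /etc/ssl/private/vault-ca.pem`), then confirming with `keytool -list -v -keystore /usr/lib/unifi/data/keystore` that the `unifi` alias reports a certificate chain length of at least 2. Separately, `-password pass:temppass`, `-srcstorepass temppass` and `-deststorepass aircontrolenterprise` put secrets on the command line where they end up in shell history and `ps` output; `-password file:<path>` for openssl and letting keytool prompt are cleaner, and `cloudkey.key`/`cloudkey.p12` should be written under `umask 077` with the `.p12` removed after the import. The procedure also leaves `.back` copies of the old key and keystore behind with no restore or cleanup step, which deserves a sentence in the README.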