Update README with more flexible instructions

Use variables and newer instructions to help with compatibility issues.
ducoterra
2021-06-20 21:04:53 -04:00
parent b56a8e0c19
commit 95ade50a61

140
README.md

@@ -208,60 +208,93 @@ read_secrets:
### Create a CA ### Create a CA
```bash ```bash
# Note: 19800h is Apple's limit export ROOT_PATH=dnet
vault secrets enable -path=pki_dnet pki
vault secrets tune -max-lease-ttl=19800h pki_dnet
vault write pki_dnet/root/generate/internal \ # Note: 19800h is Apple's limit
common_name=vault.ducoterra.net \ vault secrets enable -path=$ROOT_PATH pki
vault secrets tune -max-lease-ttl=19800h $ROOT_PATH
# Create a root CA
vault write $ROOT_PATH/root/generate/internal \
common_name="Ducoterra Root CA" \
ttl=19800h ttl=19800h
vault write pki_dnet/config/urls \ # Create a CA URL
issuing_certificates="https://vault.ducoterra.net/v1/pki_dnet/ca" \ vault write $ROOT_PATH/config/urls \
crl_distribution_points="https://vault.ducoterra.net/v1/pki_dnet/crl" issuing_certificates="https://vault.ducoterra.net/v1/$ROOT_PATH/ca" \
crl_distribution_points="https://vault.ducoterra.net/v1/$ROOT_PATH/crl"
``` ```
Navigate to <https://vault.ducoterra.net/v1/$ROOT_PATH/ca> and download the CA. Import to your devices.
### Create an intermediate CA ### Create an intermediate CA
```bash ```bash
vault secrets enable -path=pki_dnet_int pki export ROOT_PATH=dnet
vault secrets tune -max-lease-ttl=19800h pki_dnet_int export PKI_PATH=dnet_inter
vault write -format=json pki_dnet_int/intermediate/generate/internal \
common_name="vault.ducoterra.net Intermediate Authority" \
| jq -r '.data.csr' > certs/pki_dnet_intermediate.csr
vault write -format=json pki_dnet/root/sign-intermediate \ vault secrets enable -path=$PKI_PATH pki
csr=@certs/pki_dnet_intermediate.csr format=pem_bundle ttl=19800h \ vault secrets tune -max-lease-ttl=8760h $PKI_PATH
| jq -r '.data.certificate' > certs/pki_dnet_intermediate.cert.pem
vault write pki_dnet_int/intermediate/set-signed certificate=@certs/pki_dnet_intermediate.cert.pem # Create CSR to sign with root CA
vault write -format=json $PKI_PATH/intermediate/generate/internal \
common_name="Ducoterra Intermediate CA" \
| jq -r '.data.csr' > certs/$PKI_PATH.csr
vault write pki_dnet_int/config/urls \ # Sign the CSR with the root CA
issuing_certificates="https://vault.ducoterra.net/v1/pki_dnet_int/ca" \ vault write -format=json $ROOT_PATH/root/sign-intermediate \
crl_distribution_points="https://vault.ducoterra.net/v1/pki_dnet_int/crl" csr=@certs/$PKI_PATH.csr format=pem_bundle ttl=8760h \
| jq -r '.data.certificate' > certs/$PKI_PATH.cert.pem
vault write pki_dnet_int/roles/dnet \ # Save the signed cert to vault
allowed_domains=dnet \ vault write $PKI_PATH/intermediate/set-signed certificate=@certs/$PKI_PATH.cert.pem
allow_subdomains=true max_ttl=19800h
vault write pki_dnet_int/roles/pi_hole \ # Create a CA URL
allowed_domains=hole \ vault write $PKI_PATH/config/urls \
allow_subdomains=true max_ttl=19800h issuing_certificates="https://vault.ducoterra.net/v1/$PKI_PATH/ca" \
crl_distribution_points="https://vault.ducoterra.net/v1/$PKI_PATH/crl"
``` ```
Navigate to <https://vault.ducoterra.net/v1/pki_dnet_int/ca> and download the CA. Import to your devices. Navigate to <https://vault.ducoterra.net/v1/$PKI_PATH/ca> and download the CA. Import to your devices.
### Allow .dnet and .hole certificates
```bash
export PKI_PATH=dnet_inter
# Allow .dnet subdomain
vault write $PKI_PATH/roles/dnet \
allowed_domains=dnet \
allow_subdomains=true max_ttl=8760h
# Allow .hole subdomain
vault write $PKI_PATH/roles/pi_hole \
allowed_domains=hole \
allow_subdomains=true max_ttl=8760h
```
### Issue a certificate ### Issue a certificate
```bash ```bash
# Use -format=json to dump a json file export PKI_PATH=dnet_inter
vault write pki_dnet_int/issue/dnet \ export CNAME=freenas.dnet
common_name=freenas.dnet > certs/freenas.dnet.cert
vault write pki_dnet_int/issue/pi_hole \ # Use -format=json to dump a json file
common_name=pi.hole > certs/pi.hole.cert vault write $PKI_PATH/issue/dnet \
common_name=$CNAME \
max_ttl=8760h > certs/$CNAME.cert
# Pihole Example
vault write $PKI_PATH/issue/pi_hole \
common_name=$CNAME \
max_ttl=8760h > certs/$CNAME.cert
``` ```
#### Adding cert to freenas
Only caveat here is to paste the certificate and then the full chain cert below in the
"certificate" section. iOS will infintely refresh the page if the full chain isn't provided.
#### Adding cert to pihole #### Adding cert to pihole
```bash ```bash
@@ -278,6 +311,45 @@ vim /etc/lighttpd/external.conf
service lighttpd restart service lighttpd restart
``` ```
#### Adding cert to cloudkey
**THIS DOESN'T WORK**
```bash
service unifi stop
# Remove the UNIFI_SSL_KEYSTORE=/etc/ssl/private/unifi.keystore.jks line from config
cp /etc/default/unifi /etc/default/unifi.back
vim /etc/default/unifi
# Remove the keystore reference
mv /usr/lib/unifi/data/keystore /usr/lib/unifi/data/keystore.back
# Copy your primary SSL Certificate into /etc/ssl/private/cloudkey.crt
cp /etc/ssl/private/cloudkey.crt /etc/ssl/private/cloudkey.crt.back
vim /etc/ssl/private/cloudkey.crt
# Copy your private key into /etc/ssl/private/cloudkey.key
cp /etc/ssl/private/cloudkey.key /etc/ssl/private/cloudkey.key.back
vim /etc/ssl/private/cloudkey.key
# Add the CA to /etc/ssl/private/vault-ca.pem
vim /etc/ssl/private/vault-ca.pem
# Generate the key bundle
openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey \
/etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 \
-name unifi -CAfile /etc/ssl/private/vault-ca.pem -caname vault -password pass:temppass
# Import to keystore
# Default password is "aircontrolenterprise"
keytool -importkeystore -deststorepass aircontrolenterprise \
-destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore \
-srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass temppass -alias unifi -noprompt
service unifi start
```
### Revoke a certificate ### Revoke a certificate
```bash ```bash
@@ -298,13 +370,13 @@ EOF
vault write auth/kubernetes/role/issuer \ vault write auth/kubernetes/role/issuer \
bound_service_account_names=issuer \ bound_service_account_names=issuer \
bound_service_account_namespaces=cert-manager \ bound_service_account_namespaces=cert-manager \
policies=pki_dnet \ policies=pki_dnet_int \
ttl=20m ttl=20m
kubectl -n cert-manager create serviceaccount issuer kubectl -n cert-manager create serviceaccount issuer
ISSUER_SECRET_REF=$(kubectl -n cert-manager get serviceaccount issuer -o json | jq -r ".secrets[].name") ISSUER_SECRET_REF=$(kubectl -n cert-manager get serviceaccount issuer -o json | jq -r ".secrets[].name")
cat > cert-manager/vault-issuer.yaml <<EOF cat > cert-manager/vault-clusterissuer.yaml <<EOF
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata: