kgutwin · June 30, 2015 15:23
diff --git a/make-ca.sh b/make-ca.sh
 #!/bin/bash

 # taken from https://docs.docker.com/articles/https/
 # you will have to enter a passphrase when prompted.

 openssl genrsa -aes256 -out ca-key.pem 2048
 openssl req -subj "/CN=$HOSTNAME" -new -x509 -days 365 -key ca-key.pem \
 	-sha256 -out ca.pem
 #openssl genrsa -out server-key.pem 2048
 #openssl req -subj "/CN=$HOSTNAME" -new -key server-key.pem -out server.csr
 #echo subjectAltName = IP:127.0.0.1 > extfile.cnf
 #openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
 #	-CAcreateserial -out server-cert.pem -extfile extfile.cnf
 #openssl genrsa -out key.pem 2048
 #openssl req -subj '/CN=client' -new -key key.pem -out client.csr
 #echo extendedKeyUsage = clientAuth > extfile.cnf
 #openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
 #	-CAcreateserial -out cert.pem -extfile extfile.cnf
diff --git a/test-pki.sh b/test-pki.sh
 #!/bin/bash

 [ -f ca.pem ] || bash make-ca.sh

 set -e
 set -v

 # Start vault server...
 cat > config.json <<EOF
 listener "tcp" {
  address = "127.0.0.1:8300"
  tls_cert_file = "server-cert.pem"
  tls_key_file = "server-key.pem"
 }
 EOF
 vault server -dev -config=config.json &
 VAULT_PID=$!
 function finally {
    kill $VAULT_PID
 }
 trap finally EXIT
 sleep 1

 # Configure backend
 export VAULT_ADDR=http://127.0.0.1:8200
 vault mount pki
 if [ ! -f ca-bundle.pem ]; then
    openssl rsa -in ca-key.pem -out ca-bundle.pem
    cat ca.pem >> ca-bundle.pem
 fi
 vault write pki/config/ca pem_bundle="@ca-bundle.pem"
 vault write pki/roles/dswmpoc \
      allowed_base_domain="dswm-poc.biogen.com" \
      allow_subdomains="true" lease_max="72h"

 # Request a certificate
 vault write -format=json pki/issue/dswmpoc \
      common_name=blah.dswm-poc.biogen.com > newcert.json

 python <<EOF
 import json
 data = json.load(open('newcert.json'))
 open('newcert-ca.pem','w'  ).write(data['data']['issuing_ca']+'\n')
 open('newcert-cert.pem','w').write(data['data']['certificate']+'\n')
 open('newcert-key.pem','w' ).write(data['data']['private_key']+'\n')
 EOF

 openssl verify -CAfile newcert-ca.pem newcert-cert.pem
	#!/bin/bash

	# taken from https://docs.docker.com/articles/https/
	# you will have to enter a passphrase when prompted.

	openssl genrsa -aes256 -out ca-key.pem 2048
	openssl req -subj "/CN=$HOSTNAME" -new -x509 -days 365 -key ca-key.pem \
	-sha256 -out ca.pem
	#openssl genrsa -out server-key.pem 2048
	#openssl req -subj "/CN=$HOSTNAME" -new -key server-key.pem -out server.csr
	#echo subjectAltName = IP:127.0.0.1 > extfile.cnf
	#openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
	# -CAcreateserial -out server-cert.pem -extfile extfile.cnf
	#openssl genrsa -out key.pem 2048
	#openssl req -subj '/CN=client' -new -key key.pem -out client.csr
	#echo extendedKeyUsage = clientAuth > extfile.cnf
	#openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
	# -CAcreateserial -out cert.pem -extfile extfile.cnf
	#!/bin/bash

	[ -f ca.pem ] \|\| bash make-ca.sh

	set -e
	set -v

	# Start vault server...
	cat > config.json <<EOF
	listener "tcp" {
	address = "127.0.0.1:8300"
	tls_cert_file = "server-cert.pem"
	tls_key_file = "server-key.pem"
	}
	EOF
	vault server -dev -config=config.json &
	VAULT_PID=$!
	function finally {
	kill $VAULT_PID
	}
	trap finally EXIT
	sleep 1

	# Configure backend
	export VAULT_ADDR=http://127.0.0.1:8200
	vault mount pki
	if [ ! -f ca-bundle.pem ]; then
	openssl rsa -in ca-key.pem -out ca-bundle.pem
	cat ca.pem >> ca-bundle.pem
	fi
	vault write pki/config/ca pem_bundle="@ca-bundle.pem"
	vault write pki/roles/dswmpoc \
	allowed_base_domain="dswm-poc.biogen.com" \
	allow_subdomains="true" lease_max="72h"

	# Request a certificate
	vault write -format=json pki/issue/dswmpoc \
	common_name=blah.dswm-poc.biogen.com > newcert.json

	python <<EOF
	import json
	data = json.load(open('newcert.json'))
	open('newcert-ca.pem','w' ).write(data['data']['issuing_ca']+'\n')
	open('newcert-cert.pem','w').write(data['data']['certificate']+'\n')
	open('newcert-key.pem','w' ).write(data['data']['private_key']+'\n')
	EOF

	openssl verify -CAfile newcert-ca.pem newcert-cert.pem