In [2]:
%%bash
cat ${WORKDIR}/cluster-keys.json | jq -r ".root_token"

hvs.U1bg5D68ENnrD2LCacSiLsef


## https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine

![image.png](attachment:image.png)

In [3]:
%env VAULT_ADDR=https://127.0.0.1:8200
%env VAULT_TOKEN=hvs.U1bg5D68ENnrD2LCacSiLsef
%env VAULT_CACERT=/tmp/vault/vault.ca
%env CERT_NAME=2023

env: VAULT_ADDR=https://127.0.0.1:8200
env: VAULT_TOKEN=hvs.U1bg5D68ENnrD2LCacSiLsef
env: VAULT_CACERT=/tmp/vault/vault.ca
env: CERT_NAME=2023


In [4]:
%%bash
vault secrets list
vault secrets disable pki
vault secrets disable pki_int

Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_433e3c15    per-token private secret storage
identity/     identity     identity_1d06d77f     identity store
sys/          system       system_9e33f463       system endpoints used for control, policy and debugging
Success! Disabled the secrets engine (if it existed) at: pki/
Success! Disabled the secrets engine (if it existed) at: pki_int/


## Step 1: Generate root CA

In [5]:
%%bash
# Enable PKI
vault secrets enable pki 
# Tune PKI to set max_tll
vault secrets tune -max-lease-ttl=87600h pki
# Generate rootCA (this command does not produce any output stdout)
vault write -field=certificate pki/root/generate/internal \
     common_name="example.com" \
     issuer_name="root-$CERT_NAME" \
     ttl=87600h > ${WORKDIR}/root_$CERT_NAME_ca.crt

Success! Enabled the pki secrets engine at: pki/
Success! Tuned the secrets engine at: pki/


In [6]:
%%bash
# List CA information
vault list -format=json pki/issuers/ | jq -r .[0]

vault read pki/issuer/$(vault list -format=json pki/issuers/ | jq -r .[0]) \
    | tail -n 11

1017c2db-7878-ba24-8193-b5b1508a38cd
crl_distribution_points           []
issuer_id                         1017c2db-7878-ba24-8193-b5b1508a38cd
issuer_name                       root-2023
issuing_certificates              []
key_id                            e1719abe-9829-6f2c-8228-f1ef3e74b2c8
leaf_not_after_behavior           err
manual_chain                      <nil>
ocsp_servers                      []
revocation_signature_algorithm    SHA256WithRSA
revoked                           false
usage                             crl-signing,issuing-certificates,ocsp-signing,read-only


In [7]:
%%bash
# Create a role that will allow for using certificates (in this case any name will be valid)
vault write pki/roles/$CERT_NAME-servers allow_any_name=true

Key                                   Value
---                                   -----
allow_any_name                        true
allow_bare_domains                    false
allow_glob_domains                    false
allow_ip_sans                         true
allow_localhost                       true
allow_subdomains                      false
allow_token_displayname               false
allow_wildcard_certificates           true
allowed_domains                       []
allowed_domains_template              false
allowed_other_sans                    []
allowed_serial_numbers                []
allowed_uri_sans                      []
allowed_uri_sans_template             false
allowed_user_ids                      []
basic_constraints_valid_for_non_ca    false
client_flag                           true
cn_validations                        [email hostname]
code_signing_flag                     false
country                               []
email_protection_flag                 false


In [8]:
%%bash
# Configure CA and CRL ULSs
vault write pki/config/urls \
     issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
     crl_distribution_points="$VAULT_ADDR/v1/pki/crl"


Key                        Value
---                        -----
crl_distribution_points    [https://127.0.0.1:8200/v1/pki/crl]
enable_templating          false
issuing_certificates       [https://127.0.0.1:8200/v1/pki/ca]
ocsp_servers               []


## Step 2: Generate intermediate CA

In [9]:
%%bash
# the intermediate CA is expressed a another PKI engine with a separate mount point
vault secrets enable -path=pki_int pki
# the mount is configured with a max_tll
vault secrets tune -max-lease-ttl=43800h pki_int
# Generate Intermediate CA whose CSR is going to be signed by the root CA at pki mount path
vault write -format=json pki_int/intermediate/generate/internal \
     common_name="example.com Intermediate Authority" \
     issuer_name="example-dot-com-intermediate" \
     | jq -r '.data.csr' > pki_intermediate.csr

# Send intermediate CA CSR for signing
vault write -format=json pki/root/sign-intermediate \
     issuer_ref="root-$CERT_NAME" \
     csr=@pki_intermediate.csr \
     format=pem_bundle ttl="43800h" \
     | jq -r '.data.certificate' > ${WORKDIR}/intermediate.cert.pem

# Import signed intermediate CA to its correspondant mount point
vault write pki_int/intermediate/set-signed certificate=@${WORKDIR}/intermediate.cert.pem


Success! Enabled the pki secrets engine at: pki_int/
Success! Tuned the secrets engine at: pki_int/



  * This mount hasn't configured any authority information access (AIA)
  fields; this may make it harder for systems to find missing certificates
  in the chain or to validate revocation status of certificates. Consider
  updating /config/urls or the newly generated issuer with this information.



Key                 Value
---                 -----
imported_issuers    [887d8c8c-e937-4ec0-b269-bb430d423dcc 4eb63b11-86b6-383a-75f1-78d5edb91852]
imported_keys       <nil>
mapping             map[4eb63b11-86b6-383a-75f1-78d5edb91852: 887d8c8c-e937-4ec0-b269-bb430d423dcc:80c04a81-4fa9-0d33-72a2-67ceb66ac127]


## Step 3: Create role -> https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine#step-3-create-a-role

In [10]:
%%bash
# Create role that allow certificates to be signed for domain example.com, internal.com, internal.domain
vault write pki_int/roles/example-dot-com \
     issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
     allowed_domains="example.com" \
     allow_subdomains=true \
     allow_glob_domains=true \
     max_ttl="720h"

Key                                   Value
---                                   -----
allow_any_name                        false
allow_bare_domains                    false
allow_glob_domains                    true
allow_ip_sans                         true
allow_localhost                       true
allow_subdomains                      true
allow_token_displayname               false
allow_wildcard_certificates           true
allowed_domains                       [example.com]
allowed_domains_template              false
allowed_other_sans                    []
allowed_serial_numbers                []
allowed_uri_sans                      []
allowed_uri_sans_template             false
allowed_user_ids                      []
basic_constraints_valid_for_non_ca    false
client_flag                           true
cn_validations                        [email hostname]
code_signing_flag                     false
country                               []
email_protection_flag             

## Step 4: Requests certificates

In [11]:
%%bash
#Generate Certificates
#Using Vault CLI
vault write pki_int/issue/example-dot-com common_name="test1.example.com" ttl="24h"

Key                 Value
---                 -----
ca_chain            [-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIUHVk2g/PbhQOnprMh38rE8FT7gdUwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjMwNTEwMTY0ODMzWhcNMjgw
NTA4MTY0OTAzWjAtMSswKQYDVQQDEyJleGFtcGxlLmNvbSBJbnRlcm1lZGlhdGUg
QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Sas5AIY
YawXGSpqF4/bg9v5EsKzdV1gHjtrlNWTSBrcEZW4EVsvXN6eDjOLQHA2kcrnLcRa
9i7qv08aTWg5M6efqa/69UFqQLmMYCtcmXvSrsDRLqZiH1yYg+DKQguQrNPraewu
AMNlH6aI1pB0bbTOQBN0GuhNOhNWupRGDCqUBaHpvXM/jD1ymyXgGMyGyNDMXhgk
UmKY2LUF+4TJ2nTKug/6eYjfrOY+mwiNlCNr53muaT9veMIJq4TUHWkF4h74nBJR
wIDtajbXhtdb7iCZgk7Er2JT2SSIOXSe7iQcMsqxdBPVklGI51mb6NSCYX/L8z8k
TV2UORMkH+IaSQIDAQABo4HWMIHTMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBSxLz2ZuSIBKJvyr5aOYciiTBGTZzAfBgNVHSMEGDAW
gBQ3Ob/hbe9gD/bYwfb/FlNxOTcXyTA8BggrBgEFBQcBAQQwMC4wLAYIKwYBBQUH
MAKGIGh0dHBzOi8vMTI3LjAuMC4xOjgyMDAvdjEvcGtpL2NhMDIGA1UdHwQrMCkw
J6AloCOGIWh0dHBzOi8vMTI3LjAuMC4xOjgyMDAvdjEvcGtpL2NybD

In [12]:
%%bash
# Using CURL
# See https://developer.hashicorp.com/vault/api-docs/secret/pki#generate-certificate-and-key
# Example with SANs
curl -k --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data '{"common_name": "test2222.example.com", "ttl": "24h"}' \
    $VAULT_ADDR/v1/pki_int/issue/example-dot-com | jq

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7270    0  7217  100    53   7913     58 --:--:-- --:--:-- --:--:--  7989


{
  "request_id": "6d71c91c-d008-2069-8a1c-55c86132cb36",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "ca_chain": [
      "-----BEGIN CERTIFICATE-----\nMIIDqDCCApCgAwIBAgIUHVk2g/PbhQOnprMh38rE8FT7gdUwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjMwNTEwMTY0ODMzWhcNMjgw\nNTA4MTY0OTAzWjAtMSswKQYDVQQDEyJleGFtcGxlLmNvbSBJbnRlcm1lZGlhdGUg\nQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Sas5AIY\nYawXGSpqF4/bg9v5EsKzdV1gHjtrlNWTSBrcEZW4EVsvXN6eDjOLQHA2kcrnLcRa\n9i7qv08aTWg5M6efqa/69UFqQLmMYCtcmXvSrsDRLqZiH1yYg+DKQguQrNPraewu\nAMNlH6aI1pB0bbTOQBN0GuhNOhNWupRGDCqUBaHpvXM/jD1ymyXgGMyGyNDMXhgk\nUmKY2LUF+4TJ2nTKug/6eYjfrOY+mwiNlCNr53muaT9veMIJq4TUHWkF4h74nBJR\nwIDtajbXhtdb7iCZgk7Er2JT2SSIOXSe7iQcMsqxdBPVklGI51mb6NSCYX/L8z8k\nTV2UORMkH+IaSQIDAQABo4HWMIHTMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E\nBTADAQH/MB0GA1UdDgQWBBSxLz2ZuSIBKJvyr5aOYciiTBGTZzAfBgNVHSMEGDAW\ngBQ3Ob/hbe9gD/bYwfb/FlNxOTcXyTA8BggrBgEFBQcBAQQwMC4wLAYIKwYBBQUH\nMAKGIGh0dHBzOi8vMTI3L

# Examples

In [13]:
%%bash
export CERT_NAME=san.example.com

# Using CURL
curl -k --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data '{"common_name": "'"$CERT_NAME"'", "ttl": "24h"}' \
    $VAULT_ADDR/v1/pki_int/issue/example-dot-com > ${WORKDIR}/mycert.json

cat ${WORKDIR}/mycert.json | jq -r .data.certificate > ${WORKDIR}/mycert_leaf.pem
cat ${WORKDIR}/mycert.json | jq -r .data.private_key > ${WORKDIR}/mycert_key.pem

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7249    0  7201  100    48   8665     57 --:--:-- --:--:-- --:--:--  8744


In [16]:
%%bash
cat ${WORKDIR}/mycert_leaf.pem
openssl x509 -in  ${WORKDIR}/mycert_leaf.pem -text -noout

-----BEGIN CERTIFICATE-----
MIIDZDCCAkygAwIBAgIUW6+VxRW2lmyl5ZQsySA28IPrpeowDQYJKoZIhvcNAQEL
BQAwLTErMCkGA1UEAxMiZXhhbXBsZS5jb20gSW50ZXJtZWRpYXRlIEF1dGhvcml0
eTAeFw0yMzA0MjUxMDEwMzdaFw0yMzA0MjYxMDExMDdaMBoxGDAWBgNVBAMTD3Nh
bi5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALAZ
lOHD7g+JJuBuGDuAnO6pijpVksN4IWy2Z950xAag9AOSPWMXZWFX9kHJV8jcqsiL
CbTS4rEB0+84PiqrQ6bufQgFBRGcjgv7IPh69efhSrFeuUwCqyJl7lC0FJoZRq8L
SXxiLNsfpzBX/XLg9C3t5E5vTYzj98kzQr+Z3UuAPqvBAAIR7aiAMy5F5rB5kuq6
aBWbexAzDlaG3hmPlT2nuSkqSdjdaqYKzcAwd3vA3CPyc4+gaJnn502nXBbHyzGY
LGY4D0H9j8BmfdDKAxA3FgUBcvH+JNsU5uRnY6e0zMHrdIVOpnrm81WUqAffce/s
VyCM2ahD5BCxwHWcGJ0CAwEAAaOBjjCBizAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTXO2aJIZLreJcbXnaO
vr5EhNuGqjAfBgNVHSMEGDAWgBQwg8z8BCkjhn4vYbHoGhPl2XupxjAaBgNVHREE
EzARgg9zYW4uZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBACHAmudIJhLi
pZFzSWbJpUFPpoeLcrh1hPb0ffu7xephyS/UsfV3aJ5VxOx2x4RB9md0+f26VkSo
4b6/0QfhoDsQValzrOu3akAMGBQ8es/AD2MsvTeWrULGrwQqocly4/ysOyp9NJ

In [17]:
%%bash
# cat ${WORKDIR}/mycert_key.pem
openssl rsa -in ${WORKDIR}/mycert_key.pem -check

writing RSA key


RSA key ok
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsBmU4cPuD4km4G4YO4Cc7qmKOlWSw3ghbLZn3nTEBqD0A5I9
YxdlYVf2QclXyNyqyIsJtNLisQHT7zg+KqtDpu59CAUFEZyOC/sg+Hr15+FKsV65
TAKrImXuULQUmhlGrwtJfGIs2x+nMFf9cuD0Le3kTm9NjOP3yTNCv5ndS4A+q8EA
AhHtqIAzLkXmsHmS6rpoFZt7EDMOVobeGY+VPae5KSpJ2N1qpgrNwDB3e8DcI/Jz
j6BomefnTadcFsfLMZgsZjgPQf2PwGZ90MoDEDcWBQFy8f4k2xTm5Gdjp7TMwet0
hU6meubzVZSoB99x7+xXIIzZqEPkELHAdZwYnQIDAQABAoIBAQCne40Hs4qkp/Kb
nNnbLZUTv5dBp8Vvtr9DX7Al+LO/AjFRfDJ6HfRDwp7pLo8Y8BZVqTbQDYmgg3aH
m9w0RLKQ/11W1T9e4qCOcIeJC5j4smKRkt90lU0h6APiKYM2lDePn5KCg/TZap9d
8TGRorVZQVnT5zPAfchaSTCAfdvkQzye2F6qX87NbLv0qNCsFBW5bZC53YptGIAO
ZJV1zqMLMzC34Lgi13qv1qyAyFaM9Zridp/WtrnTHDKutSdnhxFCgBhuJqgvq9n/
w2qgJrA2+5oBe1woJB1ZMCogcLJ712eUbHVJHkwo0lBi+LNcZPx59qZYTjNJz4rA
ibYL449ZAoGBAMD3IelM+jEtTWwdRekB7bh23+awxdLWmuQIwpE9lSKwa929m2sk
svUyOElXvabXjhWViHE4w8w2du0s+44uGm67ydPBsZJYYI+W5ikL4VawJNdYTkt6
KE9IAGKHMCbFW/wc7qAFw3Qozf9kD0QItbxUiFNotgvk+LaGwQVv+C8XAoGBAOmg
EKmHCooIKqXf7rol5cjmh1fB+dcRmmlHi8DYHf7i3gy1xM4

# Test

In [23]:
%%bash
export CERT_NAME="test107.example.com"


#Using CURL
curl -k --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data '{"common_name": "'"$CERT_NAME"'", "ttl": "24h"}' \
    $VAULT_ADDR/v1/pki_int/issue/example-dot-com > ${WORKDIR}/mycert.json

cat ${WORKDIR}/mycert.json | jq -r .data.certificate > ${WORKDIR}/mycert_leaf.pem
cat ${WORKDIR}/mycert.json | jq -r .data.private_key > ${WORKDIR}/mycert_key.pem
openssl x509 -in  ${WORKDIR}/mycert_leaf.pem -text -noout

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7269    0  7217  100    52  80412    579 --:--:-- --:--:-- --:--:-- 84523


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:75:e1:ac:d7:0c:c7:3c:8e:f2:5b:68:cd:cf:0c:d4:82:5c:0d:bd
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=example.com Intermediate Authority
        Validity
            Not Before: Apr 21 12:52:13 2023 GMT
            Not After : Apr 22 12:52:43 2023 GMT
        Subject: CN=test107.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bf:d1:70:82:cf:d3:7a:c7:b5:52:c2:dd:60:8a:
                    16:b0:8a:06:9a:48:7c:55:1f:6f:79:75:19:d6:e5:
                    18:ca:b2:f5:25:27:42:45:04:d3:5d:32:59:13:41:
                    92:ff:d8:b0:d2:83:22:9e:b7:5f:8f:8b:0e:dc:da:
                    62:b6:a4:6a:19:40:ff:b8:4b:98:b1:6d:51:17:54:
                    6d:cd:76:33:12:8e:40:9f:cd:b6:9c:f3:17:4b:5a:
                    d6:61:d4:d8:76:d8:03:97:52:56:a5:6

## Read Certificates

In [24]:
%%bash
# List Certificates

curl -k \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request LIST \
    $VAULT_ADDR/v1/pki_int/certs | jq -r .data.keys

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   416  100   416    0     0  10874      0 --:--:-- --:--:-- --:--:-- 13000


[
  "0f:14:ae:0b:54:dd:fe:97:46:8e:b5:a3:60:82:f5:a4:65:b0:4e:f7",
  "22:99:eb:c2:30:20:83:a1:36:1a:e7:b2:9e:b0:9e:d9:0f:d5:91:55",
  "25:c9:d6:cd:28:ac:e7:50:0d:e3:19:5a:9b:3d:51:55:76:bd:ea:f1",
  "75:75:e1:ac:d7:0c:c7:3c:8e:f2:5b:68:cd:cf:0c:d4:82:5c:0d:bd"
]


In [27]:
%%bash
export SERIAL=$(curl -k \
                    --header "X-Vault-Token: $VAULT_TOKEN" \
                    --request LIST \
                    $VAULT_ADDR/v1/pki_int/certs | jq -r .data.keys[0])
    
# Read Details about a certificate based on serial number
curl -k \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request GET \
    $VAULT_ADDR/v1/pki_int/cert/$SERIAL | jq -r .data.certificate > ${WORKDIR}/temp.pem
    
openssl x509 -in  ${WORKDIR}/temp.pem -text -noout | grep "Subject:"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   416  100   416    0     0  18773      0 --:--:-- --:--:-- --:--:-- 23111
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1493  100  1493    0     0  62831      0 --:--:-- --:--:-- --:--:-- 74650


        Subject: CN=test2222.example.com


In [30]:
%%bash
# Revoke certificate based on serial number
export SERIAL=$(curl -k\
                    --header "X-Vault-Token: $VAULT_TOKEN" \
                    --request LIST \
                    $VAULT_ADDR/v1/pki_int/certs | jq -r .data.keys[1])
    
curl -k  --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data '{"serial_number": "'"$SERIAL"'"}' \
    $VAULT_ADDR/v1/pki_int/revoke | jq

    

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   416  100   416    0     0  15883      0 --:--:-- --:--:-- --:--:-- 18086
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   345  100   265  100    80   4767   1439 --:--:-- --:--:-- --:--:--  6764


{
  "request_id": "3d58a68a-f753-4d0a-2ecb-bc9bb8e96b06",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "revocation_time": 1682081781,
    "revocation_time_rfc3339": "2023-04-21T12:56:21.118388377Z",
    "state": "revoked"
  },
  "wrap_info": null,
  "auth": null
}


In [31]:
%%bash
export SERIAL2=$(curl -k \
                    --header "X-Vault-Token: $VAULT_TOKEN" \
                    --request LIST \
                    $VAULT_ADDR/v1/pki_int/certs | jq -r .data.keys[1])
vault write pki_int/revoke \
    serial_number=$SERIAL2



  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   416  100   416    0     0  20041      0 --:--:-- --:--:-- --:--:-- 26000


Key                        Value
---                        -----
revocation_time            1682081781
revocation_time_rfc3339    2023-04-21T12:56:21.118388377Z
state                      revoked


In [32]:
%%bash
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true


  * Tidy operation successfully started. Any information from the operation
  will be printed to Vault's server logs.

