This project contains a setup of Vault as a Certificate Authority. It uses Keybase to safely store the Vault unseal keys and the Vault initial root token. jq is used to interpret JSON on the CLI.
brew cask install keybase
brew install vault jq
vault -autocomplete-install && exec $SHELL
Then ensure you have created your user account and that Keybase is started. This allows access to the encrypted Keybase volumes where we will store this secret information. The init script will need your Keybase username.
docker-compose up -d
docker-compose logs -f
To initialize Vault, the init.sh script uses Keybase to safely store the initial cluster setup secrets, namely the unseal keys and the root token. The script automates the setup and stores these details in a safe place for later use.
Now you can initialize Vault by running init.sh, providing your Keybase username.
./init.sh marcofranssen
To issue a new certificate you can use the issue-cert.sh script. This will create 2 files in the current folder.
- your.domain.tld.crt
- your.domain.tld.key
./issue-cert.sh marcofranssen marco.philips.dev
To check whether your certificate is valid you can use the verify-cert.sh script, which validates the certificate against the CA issuer and the CRL (Certificate Revocation List). This allows you to very easily check for revoked certificates.
./verify-cert.sh /Volumes/Keybase/private/marcofranssen/vault/intermediate.cert.pem
./verify-cert.sh marco.philips.dev
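The check that a verify-cert.sh style script performs, chain validation plus a CRL lookup, shown here as an added example that is not one of the project's scripts. It builds a throwaway CA with openssl in a temp dir (the CA name and the good/bad.example.test hostnames are constructed) so it runs offline; it assumes only that openssl is installed.

```shell
#!/usr/bin/env bash
# Added example (not one of the project's scripts): the check a verify-cert.sh
# style script performs, chain validation plus a CRL lookup, run against a
# throwaway CA built with openssl in a temp dir so it works offline.
set -euo pipefail
WORK=$(mktemp -d); cd "$WORK"
# Minimal openssl config so `openssl ca` can issue, revoke and build a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = p
[ p ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3ca
[ dn ]
[ v3ca ]
basicConstraints = critical,CA:TRUE
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Throwaway CA, one good leaf and one leaf we revoke (all names constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo CA" -days 30 -config ca.cnf >/dev/null 2>&1
for cn in good.example.test bad.example.test; do
  openssl req -newkey rsa:2048 -nodes -keyout "$cn.key" -out "$cn.csr" \
    -subj "/CN=$cn" -config ca.cnf >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -notext -in "$cn.csr" -out "$cn.crt" >/dev/null 2>&1
done
openssl ca -config ca.cnf -revoke bad.example.test.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
# verify_cert CERT CAFILE CRLFILE: -crl_check rejects a leaf whose serial is in the CRL.
verify_cert() {
  if openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1; then
    echo "OK: $1"; return 0
  fi
  echo "REVOKED or INVALID: $1"; return 1
}
verify_cert good.example.test.crt ca.pem crl.pem          # OK
verify_cert bad.example.test.crt ca.pem crl.pem || true   # REVOKED or INVALID
```

Against the real setup you would pass the Vault-issued leaf, the intermediate chain fetched from the pki_int mount and its CRL instead of the throwaway files.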
On macOS you can add the certificates to the Keychain so your browser will accept any certificate issued by Vault as trusted.
To do so we import both the root and the intermediate certificate into the Keychain. The root certificate is then set to Always Trust.
curl -so certs/ca.pem http://127.0.0.1:8200/v1/pki/ca/pem
curl -so certs/intermediate.pem http://127.0.0.1:8200/v1/pki_int/ca/pem
sudo security add-trusted-cert -k /Library/Keychains/System.keychain certs/ca.pem
sudo security add-trusted-cert -k /Library/Keychains/System.keychain -r unspecified certs/intermediate.pem