
philips-labs/vault-ca


Vault Certificate Authority

This project contains a setup of Vault as a Certificate Authority. It uses Keybase to safely store the Vault unseal keys and the Vault initial root token. jq is used to parse JSON on the CLI.

Prerequisites

macOS

brew cask install keybase
brew install vault jq
vault -autocomplete-install && exec $SHELL

Then make sure you have created your Keybase user account and that Keybase is running. This gives access to the encrypted Keybase volumes where this secret information will be stored. The init script needs your Keybase username.

Run Vault Server using docker-compose

docker-compose up -d
docker-compose logs -f

Initializing the Vault

To initialize the Vault, the init.sh script uses Keybase to safely store the initial cluster setup secrets, namely the unseal keys and the root token. The script automates the setup and keeps these details in a safe place for later use.

Now you can initialize Vault by running init.sh, providing your Keybase username.

./init.sh marcofranssen
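What the initialization step consists of, as an added example that is not the project's own init.sh: the output of `vault operator init -format=json` is parsed with jq, the root token and the full init record are written into the operator's private Keybase volume (the mount path follows the one used elsewhere in this README), and the threshold number of keys is fed to `vault operator unseal`. The share/threshold values (5/3) and a VAULT_ADDR pointing at the docker-compose Vault are assumptions.

```shell
#!/bin/sh
# Added example, not the project's init.sh: initialise a fresh Vault, keep the
# unseal keys and the initial root token only inside the operator's private
# Keybase volume, and unseal with the threshold number of keys. The Keybase mount
# path follows the README; VAULT_ADDR is assumed to point at the docker-compose
# Vault; 5 shares / threshold 3 are assumed values.
set -eu

# root_token JSON: the initial root token from the init output
root_token() { printf '%s' "$1" | jq -r '.root_token'; }

# threshold_keys JSON: only as many base64 unseal keys as the threshold requires,
# one per line; the remaining shares stay in the stored init.json
threshold_keys() {
  printf '%s' "$1" | jq -r '.unseal_threshold as $n | .unseal_keys_b64[:$n][]'
}

# init_and_store KEYBASE_USER: run the one-time initialisation and unseal
init_and_store() {
  secret_dir="/Volumes/Keybase/private/$1/vault"
  umask 077                         # files are created readable by the owner only
  mkdir -p "$secret_dir"
  init_json=$(vault operator init -key-shares=5 -key-threshold=3 -format=json)
  printf '%s\n' "$init_json" > "$secret_dir/init.json"
  root_token "$init_json" > "$secret_dir/root-token"
  threshold_keys "$init_json" | while read -r key; do
    vault operator unseal "$key" > /dev/null
  done
  # fail loudly if Vault is still sealed after feeding the threshold keys
  vault status -format=json | jq -e '.sealed == false' > /dev/null
}

if [ $# -gt 0 ]; then init_and_store "$1"; fi
```

Run it as `./init-example.sh marcofranssen` once, directly after `docker-compose up -d`; `vault operator init` refuses to run a second time on an initialized Vault, so the stored init.json is the only copy of the shares.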

Issue certificates

To issue a new certificate you can use the issue-cert.sh script. This will create two files in the current folder.

  • your.domain.tld.crt
  • your.domain.tld.key

./issue-cert.sh marcofranssen marco.philips.dev
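The issue step expressed against Vault's PKI API, as an added example that is not the project's issue-cert.sh: the `pki_int` mount is the one this README's trust section reads the intermediate from; the role name `server`, the 720h TTL, the decision to append the issuing chain to the .crt file, and the key-matches-certificate check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's issue-cert.sh: request a certificate from the
# intermediate mount and split Vault's JSON response into DOMAIN.crt and DOMAIN.key.
# The pki_int mount comes from the README; the role name "server" and the ttl are
# assumptions, since roles are defined per deployment. VAULT_ADDR and VAULT_TOKEN
# are expected in the environment.
set -eu

# write_cert_files DOMAIN JSON: DOMAIN.crt holds the leaf followed by the issuing
# chain (what most servers expect), DOMAIN.key the private key, owner-readable only.
write_cert_files() {
  umask 077
  printf '%s' "$2" | jq -r '.data.certificate, (.data.ca_chain // [])[]' > "$1.crt"
  printf '%s' "$2" | jq -r '.data.private_key' > "$1.key"
}

# check_key_matches DOMAIN: the public key inside the certificate must equal the
# one derived from the private key, otherwise the two files do not belong together.
check_key_matches() {
  cert_pub=$(openssl x509 -in "$1.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# issue_cert DOMAIN: ask the intermediate CA for a certificate and store it
issue_cert() {
  json=$(vault write -format=json pki_int/issue/server common_name="$1" ttl=720h)
  write_cert_files "$1" "$json"
  check_key_matches "$1"
}

if [ $# -gt 0 ]; then issue_cert "$1"; fi
```

The private key is never printed or passed on the command line; it only travels from the JSON response into the 0600 file.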

Verify certificates

To check whether your certificate is valid, use the verify-cert.sh script, which validates the certificate against the issuing CA and the CRL (Certificate Revocation List). This makes it very easy to check for revoked certificates.

./verify-cert.sh /Volumes/Keybase/private/marcofranssen/vault/intermediate.cert.pem
./verify-cert.sh marco.philips.dev
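The two checks described above (chain validation against the issuing CA and a CRL lookup), as an added example done with plain openssl rather than the project's verify-cert.sh. Because it has to run offline, `build_test_pki` creates a constructed root, intermediate and leaf plus a CRL signed by the intermediate; against the real setup you would hand `verify_cert` the root and intermediate certificates and the CRL served by the `pki` and `pki_int` mounts. All file names and the `db/` layout are this example's own.

```shell
#!/bin/sh
# Added example, not the project's verify-cert.sh: chain validation against the
# issuing CA plus a CRL check, with plain openssl. build_test_pki produces
# constructed test material only (root -> intermediate -> leaf and a CRL).
set -eu

# verify_cert LEAF ROOT INTERMEDIATE CRL
# Prints valid / revoked / invalid and returns 0 / 1 / 2.
verify_cert() {
  out=$(openssl verify -CAfile "$2" -untrusted "$3" -CRLfile "$4" \
          -crl_check "$1" 2>&1) || true
  # -crl_check consults the CRL for the leaf only; -crl_check_all would also
  # need a CRL for every CA in the chain. The text is matched instead of the
  # exit status because old openssl releases exited 0 on a failed verify.
  case $out in
    *": OK"*)                echo valid;   return 0 ;;
    *"certificate revoked"*) echo revoked; return 1 ;;
    *)                       echo invalid; return 2 ;;
  esac
}

# build_test_pki DIR: constructed root, intermediate (CA:TRUE, cRLSign), leaf,
# and an initially empty CRL issued by the intermediate. Runs in a subshell so
# the cd does not leak.
build_test_pki() (
  dir=$1
  mkdir -p "$dir/db" && cd "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj '/CN=Constructed Root CA' -keyout root.key -out root.pem 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate CA' \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -sha256 -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=leaf.example.test' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -sha256 -days 1 -out leaf.pem 2>/dev/null
  # minimal `openssl ca` configuration so the intermediate can revoke and publish a CRL
  cat > ca.cnf <<EOF
[ ca ]
default_ca = intermediate
[ intermediate ]
dir              = $dir
database         = \$dir/db/index.txt
new_certs_dir    = \$dir/db
serial           = \$dir/db/serial
crlnumber        = \$dir/db/crlnumber
certificate      = \$dir/inter.pem
private_key      = \$dir/inter.key
default_md       = sha256
default_crl_days = 1
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > db/index.txt; echo 1000 > db/serial; echo 1000 > db/crlnumber
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)

# revoke_cert DIR CERT: record CERT as revoked in the intermediate's database
# and publish a fresh CRL that lists it.
revoke_cert() {
  openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# demo: the same leaf verifies before revocation and is reported revoked after
demo() {
  dir=$(mktemp -d)
  build_test_pki "$dir"
  verify_cert "$dir/leaf.pem" "$dir/root.pem" "$dir/inter.pem" "$dir/crl.pem"
  revoke_cert "$dir" "$dir/leaf.pem"
  verify_cert "$dir/leaf.pem" "$dir/root.pem" "$dir/inter.pem" "$dir/crl.pem" || true
  rm -rf "$dir"
}

if [ "${1-}" = demo ]; then demo; fi
```

A verifier that skips the CRL step (plain `openssl verify -CAfile`) would still report the revoked leaf as OK, which is the gap the CRL check closes; when the CRL is fetched from Vault rather than built locally, also confirm it is current, since openssl rejects a CRL whose nextUpdate has passed.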

Trust certificates

Import certificates into the keychain on macOS

On macOS you can add the certificates to the keychain so your browser accepts any certificate issued by Vault as trusted.

To do so, import both the root and intermediate certificates into the keychain, and set the root certificate to Always Trust.

curl -so certs/ca.pem http://127.0.0.1:8200/v1/pki/ca/pem
curl -so certs/intermediate.pem http://127.0.0.1:8200/v1/pki_int/ca/pem
sudo security add-trusted-cert -k /Library/Keychains/System.keychain certs/ca.pem
sudo security add-trusted-cert -k /Library/Keychains/System.keychain -r unspecified certs/intermediate.pem

About

Setup of Vault as a CA for experimentation purposes
