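#!/usr/bin/env bash
# Bootstrap a two-tier Vault PKI: a root CA mount (pki_root_ca) that signs one
# intermediate mount (pki_ca_adm), plus a client-auth role ("psql") on the
# intermediate for PostgreSQL client certificates.
# Requires: a logged-in vault CLI with write access to sys/mounts and both PKI
# mounts, and jq on PATH. Artifacts written to the current directory:
# pki-root-ca.json, rootCA.pem, pki_ca_adm.csr, admCA.cert.pem.
set -euo pipefail

# --- Root CA -----------------------------------------------------------------
# Mount the root PKI engine. The mount's max lease TTL caps every TTL requested
# from this mount below (root cert: 262800h, intermediate: 175200h).
vault secrets enable \
  -path=pki_root_ca \
  -description="PKI Root CA" \
  -max-lease-ttl="262800h" \
  pki

# Generate the root key pair inside Vault. With the "internal" endpoint the
# private key never leaves the backend, so pki-root-ca.json holds only the
# public certificate and metadata.
# NOTE(review): the X.509 'C' attribute is defined as a 2-letter ISO 3166 code
# (e.g. "RU"); Vault appears to accept the free-text value, but strict
# validators may reject it — confirm before reissuing the hierarchy.
vault write -format=json pki_root_ca/root/generate/internal \
  common_name="Root Certificate Authority" \
  country="Российская Федерация" \
  locality="Владивосток" \
  organization="DNS Технологии" \
  ou="IT" \
  ttl="262800h" > pki-root-ca.json

# Extract the PEM root certificate for distribution to trust stores
# (jq reads the file directly; no 'cat |' needed).
jq -r .data.certificate pki-root-ca.json > rootCA.pem

# AIA / CRL distribution point URLs embedded in every cert the root issues.
vault write pki_root_ca/config/urls \
  issuing_certificates="https://adm-ws-vault.dns-shop.ru/v1/pki_root_ca/ca" \
  crl_distribution_points="https://adm-ws-vault.dns-shop.ru/v1/pki_root_ca/crl"

# --- Intermediate CA (ADM cluster) ------------------------------------------
vault secrets enable \
  -path=pki_ca_adm \
  -description="PKI Intermediate CA ADM cluster" \
  -max-lease-ttl="175200h" \
  pki

# The intermediate key pair also stays inside Vault; only the CSR is exported
# so the root mount can sign it.
vault write -format=json pki_ca_adm/intermediate/generate/internal \
  common_name="Intermediate CA ADM cluster" \
  country="Российская Федерация" \
  locality="Владивосток" \
  organization="DNS Технологии" \
  ou="IT" \
  ttl="175200h" | jq -r '.data.csr' > pki_ca_adm.csr

# Sign the CSR with the root. format=pem_bundle makes .data.certificate carry
# the intermediate certificate together with its issuing chain.
vault write -format=json pki_root_ca/root/sign-intermediate \
  csr=@pki_ca_adm.csr \
  country="Российская Федерация" \
  locality="Владивосток" \
  organization="DNS Технологии" \
  ou="IT" \
  format=pem_bundle \
  ttl="175200h" | jq -r '.data.certificate' > admCA.cert.pem

# Import the signed certificate back into the intermediate mount.
# The source page shows this argument mangled by an e-mail obfuscator
# ("[email protected]"); set-signed takes 'certificate=@<file>' and the file
# produced by the signing step above is admCA.cert.pem.
vault write pki_ca_adm/intermediate/set-signed \
  certificate=@admCA.cert.pem

# AIA / CRL URLs for leaf certificates issued by the intermediate.
vault write pki_ca_adm/config/urls \
  issuing_certificates="https://adm-ws-vault.dns-shop.ru/v1/pki_ca_adm/ca" \
  crl_distribution_points="https://adm-ws-vault.dns-shop.ru/v1/pki_ca_adm/crl"

# --- Role: PostgreSQL client certificates -----------------------------------
# Client-auth only: server_flag=false, key_usage=DigitalSignature,
# ext_key_usage=ClientAuth.
# NOTE(review): allow_any_name=true overrides allowed_domains/allow_subdomains,
# and enforce_hostnames=false lets the CN be an arbitrary string (presumably a
# database user name — confirm against pg_hba.conf). Any Vault identity with
# write access to pki_ca_adm/issue/psql can therefore obtain a cert for ANY CN;
# if PostgreSQL maps CN to a database role, restrict who may call the issue
# path with a Vault policy (or set allow_any_name=false and enumerate the
# permitted names) rather than relying on this role to constrain names.
# NOTE(review): max_ttl=87600h is a 10-year client certificate; revocation then
# depends entirely on the CRL at the distribution point above being rotated
# by Vault and actually consumed by PostgreSQL (ssl_crl_file) — verify both.
vault write pki_ca_adm/roles/psql \
  country="Российская Федерация" \
  locality="Владивосток" \
  organization="DNS Технологии" \
  ou="IT" \
  allowed_domains="dns-shop.ru" \
  allow_subdomains=true \
  max_ttl="87600h" \
  key_bits="2048" \
  key_type="rsa" \
  allow_any_name=true \
  allow_bare_domains=false \
  allow_glob_domain=false \
  allow_ip_sans=false \
  allow_localhost=false \
  client_flag=true \
  server_flag=false \
  enforce_hostnames=false \
  key_usage="DigitalSignature" \
  ext_key_usage="ClientAuth" \
  require_cn=true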