Vault private PKI#
Goals#
Create a PKI engine for Vault-signed certificate creation.
Make hosts trust the PKI root certificate ancestor.
Delegate to a host the capability to issue certificates for its own names.
Prerequisites#
Follow the Install Vault tutorial.
Name your PKI engine (‘alpha’ in our code sample).
Choose the domain the engine manages (‘alpha.internal’ in our code sample).
Steps#
Create the PKI engine and its root certificate:
ansible-playbook wescale.hashistack.vault_pki_bootstrap \
-e hs_vault_pki_name=alpha \
-e hs_vault_pki_domain=alpha.internal
Make the hosts of an inventory group trust the root certificate:
ansible-playbook wescale.hashistack.vault_pki_trust \
-e hs_vault_pki_name=alpha \
-e scope=<group_from_inventory>
Enroll a host so it can request certificates itself (here epic-sre):
ansible-playbook wescale.hashistack.vault_pki_enroll \
-e hs_vault_pki_name=alpha \
-e scope=epic-sre
Connect to the target host and, as root, you can now issue a certificate for any name under the managed domain:
ssh -F ssh.cfg epic-sre
ansible-refresh-alpha-cert -e cert_domain=<any subdomain>.alpha.internal
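What the three playbooks and the refresh command amount to on the Vault side, as an added example that is not the collection's own code: the standard PKI secrets-engine API calls that mount the engine, generate an internal root (its key never leaves Vault), define a role bounded to sub-domains of the managed domain, register the least-privilege policy a delegated host needs (issue through that one role, nothing else on the mount), and finally request and install a leaf certificate. The mount path, role name, policy name (`alpha-issuer`), key type, TTLs, the client-side domain check and the file layout written by `install_bundle` are assumptions; the playbooks' real paths and names are not on this page. Vault enforces the role constraints server-side regardless, which is what makes delegating issuance to a host safe; the client-side check only makes a bad `cert_domain` fail fast.

```python
"""Vault PKI bootstrap, delegation and issuance as plain Vault HTTP API calls.

Added example, not the wescale.hashistack playbooks' code. Mount path (<name>),
role name (<name>), policy name (<name>-issuer), key type and TTLs are
assumptions mirroring hs_vault_pki_name=alpha / hs_vault_pki_domain=alpha.internal.
"""
import json
import os
import urllib.request


def plan_pki_bootstrap(name, domain, root_ttl="87600h", max_leaf_ttl="720h"):
    """Ordered (method, path, body) calls: mount a PKI engine at /<name>,
    generate an internal root for <domain>, define one role that may only
    sign leaf certs for hosts strictly below <domain>."""
    role = {
        "allowed_domains": [domain],
        "allow_subdomains": True,
        "allow_bare_domains": False,          # host certs only, never the apex
        "allow_any_name": False,              # the role, not the caller, bounds names
        "allow_wildcard_certificates": False,
        "server_flag": True,
        "client_flag": False,
        "max_ttl": max_leaf_ttl,
    }
    return [
        ("POST", f"sys/mounts/{name}",
         {"type": "pki", "config": {"max_lease_ttl": root_ttl}}),
        ("POST", f"{name}/root/generate/internal",
         {"common_name": domain, "ttl": root_ttl, "key_type": "ec", "key_bits": 256}),
        ("POST", f"{name}/roles/{name}", role),
    ]


def issuer_policy_hcl(name):
    """Least-privilege policy for an enrolled host: request leaf certs via the
    role and nothing else on the mount (no root export, role edits, revocation)."""
    return (
        f'path "{name}/issue/{name}" {{\n'
        '  capabilities = ["create", "update"]\n'
        '}\n'
    )


def plan_delegation(name):
    """Register the issuer policy (attach it to the host's token at enrollment)."""
    return [("PUT", f"sys/policies/acl/{name}-issuer",
             {"policy": issuer_policy_hcl(name)})]


def in_allowed_domain(cert_domain, domain):
    """Client-side mirror of the role constraints: one or more DNS labels
    strictly below <domain>, no wildcard, no bare apex."""
    cert_domain = cert_domain.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if "*" in cert_domain or not cert_domain.endswith("." + domain):
        return False
    labels = cert_domain[: -len(domain) - 1].split(".")
    return all(lab and lab.replace("-", "").isalnum() for lab in labels)


def issue_request(name, cert_domain, domain, ttl="24h"):
    """The call the host makes to obtain or refresh its certificate."""
    if not in_allowed_domain(cert_domain, domain):
        raise ValueError(f"{cert_domain!r} is not a host name under {domain!r}")
    return ("POST", f"{name}/issue/{name}", {"common_name": cert_domain, "ttl": ttl})


def install_bundle(issue_response, out_dir):
    """Write what <name>/issue returns: leaf cert and CA chain readable by all,
    private key readable by root only. Returns (cert, chain, key) paths."""
    data = issue_response["data"]
    os.makedirs(out_dir, exist_ok=True)
    cert_path = os.path.join(out_dir, "cert.pem")
    chain_path = os.path.join(out_dir, "chain.pem")
    key_path = os.path.join(out_dir, "key.pem")
    chain = data.get("ca_chain") or [data["issuing_ca"]]
    with open(cert_path, "w") as f:
        f.write(data["certificate"].rstrip("\n") + "\n")
    with open(chain_path, "w") as f:
        f.write("".join(c.rstrip("\n") + "\n" for c in chain))
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data["private_key"].rstrip("\n") + "\n")
    os.chmod(key_path, 0o600)  # O_CREAT mode is subject to umask; enforce it
    return cert_path, chain_path, key_path


def send(call, addr=None, token=None):
    """Perform one planned call against a live Vault (VAULT_ADDR/VAULT_TOKEN)."""
    method, path, body = call
    addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
    token = token or os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=json.dumps(body).encode(), method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    for call in plan_pki_bootstrap("alpha", "alpha.internal") + plan_delegation("alpha"):
        print(call[0], call[1])
    print(issue_request("alpha", "web.alpha.internal", "alpha.internal"))
```

Run the planned calls with `send(call)` against a Vault reachable through `VAULT_ADDR`/`VAULT_TOKEN`; the enrolled host only ever needs a token carrying the `alpha-issuer` policy, so a compromise of that host cannot export the root key, widen the role or mint certificates outside `alpha.internal`.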
Achievement Unlocked
You have created a private PKI and made a host capable of issuing certificates.