Generate the root CA key and certificate
# Generate the root CA inside the "pki" mount with a P-256 EC key.
# NOTE(review): the "exported" endpoint returns the CA private key in the
# response, so it ends up in terminal output and possibly shell history or
# logs; pki/root/generate/internal keeps the key inside Vault and is the
# better default unless the key genuinely has to be backed up elsewhere.
vault write pki/root/generate/exported \
  key_type=ec key_bits=256 \
  common_name=myca
Configure the certificate-issuing and CRL (Certificate Revocation List) URLs
# Publish the URLs that issued certificates will carry for the issuing CA
# and the CRL. "VAULT_ADDR" is a placeholder for the Vault host; the URLs
# must be reachable by every client that validates these certificates.
pki_base="https://VAULT_ADDR:8200/v1/pki"
vault write pki/config/urls \
  issuing_certificates="${pki_base}/ca" \
  crl_distribution_points="${pki_base}/crl"
Create a PKI role against which certificates will be issued
# Define the "gameserver" role: P-256 EC leaf keys, lifetime capped at 24h.
# NOTE(review): allow_any_name=true lets any holder of a token with issue
# rights request a certificate for any subject/SAN, including names that
# belong to other services. Restricting the role with allowed_domains (plus
# allow_subdomains/allow_bare_domains as needed) is the usual tightening.
vault write pki/roles/gameserver \
  key_type=ec key_bits=256 \
  max_ttl=24h \
  allow_any_name=true
Set up a policy that grants certificate-issuing capabilities to the role
# Upload the policy file below under the name "server-policy".
policy_file=policy.hcl
vault policy write server-policy "${policy_file}"
# file: policy.hcl
# Policy attached to tokens obtained through the GCP auth role "server".
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow tokens to renew themselves
path "auth/token/renew-self" {
capabilities = ["update"]
}
# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
capabilities = ["update"]
}
# Allow certificate issuance from the pki mount.
# NOTE(review): "pki/*" with create/update also covers the administrative
# endpoints configured earlier on this page (pki/root/generate/*,
# pki/config/urls, pki/roles/*), so any GCE instance holding this token could
# call them as well. Scope this to the issuing path the agent templates
# actually use (for the role above that is pki/issue/gameserver) once
# cert.tpl/key.tpl/ca_cert.tpl are confirmed -- they are not shown here.
path "pki/*" {
capabilities = [ "create", "read", "update" ]
}
Set up a GCP auth role. Vault Agent running on GCE instances authenticates with this role and is bound by the policies defined in server-policy.
# Create the GCE-type GCP auth role "server" and attach server-policy to it.
# Only bound_projects restricts who may log in here: every GCE instance in
# "MYGCPPROJECT" can obtain a token with this policy. The GCE type also
# accepts bound_service_accounts, bound_zones/bound_regions and bound_labels
# for a tighter binding when the servers share an identity or label.
vault write auth/gcp/role/server \
  bound_projects="MYGCPPROJECT" \
  policies="server-policy" \
  type="gce"
Configure Vault Agent to authenticate to Vault via the GCP auth method
# file: config.hcl
# Vault Agent configuration: authenticate as the GCE instance, then render
# the certificate, private key and CA certificate through templates.
# Relative paths (pidfile, *.tpl, *.pem) resolve against the agent's working
# directory.
pid_file = "./pidfile"
vault {
# VAULT_ADDR and VAULT_NAMESPACE are placeholders for the Vault URL and the
# namespace the pki mount and the gcp auth method live in.
address = "https://VAULT_ADDR:8200"
namespace = "VAULT_NAMESPACE"
}
auto_auth {
method {
# GCP auth, GCE flavour: the instance identity is exchanged for a Vault token
# carrying the policies of the "server" role (bound_projects applies).
type = "gcp"
config = {
type = "gce"
role = "server"
}
}
# The sink file receives the Vault token in clear text.
# NOTE(review): /tmp is shared and the path is predictable; place the sink in
# a directory owned by the agent's user and restrict its permissions (the file
# sink accepts a "mode" option) so other local processes cannot read the token.
sink {
type = "file"
config = {
path = "/tmp/sink"
}
}
}
# Template sources are not shown on this page. key.pem will hold the private
# key -- confirm the rendered file's permissions (template blocks accept a
# "perms" option).
template {
source = "cert.tpl"
destination = "cert.pem"
}
template {
source = "key.tpl"
destination = "key.pem"
}
template {
source = "ca_cert.tpl"
destination = "ca_cert.pem"
}
# Start Vault Agent with the configuration above (runs in the foreground).
agent_config=config.hcl
vault agent -config="${agent_config}"
Checking revoked certificates by inspecting the CRL
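# Fetch the current CRL (PEM) from the pki mount and print it in text form.
# -f makes curl exit non-zero on an HTTP error instead of handing the error
#    body to openssl, which would otherwise fail with a misleading parse error
#    (or, without -f, print nothing useful);
# -sS drops the progress meter but keeps curl's own error messages.
# The CRL endpoint needs no token; the namespace header selects the namespace
# the pki mount lives in. Verify the TLS certificate of VAULT_ADDR as usual
# (curl does by default) -- do not add -k to make this work.
curl -fsS 'https://VAULT_ADDR:8200/v1/pki/crl/pem' \
  -H 'X-Vault-Namespace: VAULT_NAMESPACE' \
  | openssl crl -noout -text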