public async Task SecretPki_SetUpRootCA_CanIssueCertificatesWithAltNames()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "pki" });
var mountConfig = new MountConfig
{
MaxLeaseTtl = "87600h"
};
await client.Sys.TuneMount(mountPoint, mountConfig);
var rootCaConfig = new RootGenerateRequest
{
CommonName = "Vault Testing Root Certificate Authority",
Ttl = "87600h"
};
await client.Secret.Write($"{mountPoint}/root/generate/internal", rootCaConfig);
var roleName = Guid.NewGuid().ToString();
var role = new RolesRequest
{
AllowAnyDomain = true,
EnforceHostnames = false,
MaxTtl = "1h"
};
await client.Secret.Write($"{mountPoint}/roles/{roleName}", role);
var commonName = Guid.NewGuid().ToString();
var certRequest = new IssueRequest
{
CommonName = commonName,
AltNames = new List <string> {
"example.com", "test.example.com"
},
Format = CertificateFormat.Der
};
var cert =
await
client.Secret.Write <IssueRequest, IssueResponse>($"{mountPoint}/issue/{roleName}",
certRequest);
Assert.NotNull(cert.Data);
Assert.NotNull(cert.Data.Certificate);
Assert.NotNull(cert.Data.PrivateKey);
var x509Cert = new X509Certificate2(Encoding.UTF8.GetBytes(cert.Data.Certificate));
Assert.Equal($"CN={commonName}", x509Cert.SubjectName.Name);
}
}
public async Task SecretPki_SetUpRootCA_CanIssueCertificates()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "pki" });
var mountConfig = new MountConfig
{
MaxLeaseTtl = "87600h"
};
await client.Sys.TuneMount(mountPoint, mountConfig);
var rootCaConfig = new RootGenerateRequest
{
CommonName = "Vault Testing Root Certificate Authority",
Ttl = "87600h"
};
await client.Secret.Write($"{mountPoint}/root/generate/internal", rootCaConfig);
var roleName = Guid.NewGuid().ToString();
var role = new RolesRequest
{
AllowAnyDomain = true,
EnforceHostnames = false,
MaxTtl = "1h"
};
await client.Secret.Write($"{mountPoint}/roles/{roleName}", role);
var certRequest = new IssueRequest
{
CommonName = "Test Cert"
};
var cert =
await
client.Secret.Write <IssueRequest, IssueResponse>($"{mountPoint}/issue/{roleName}",
certRequest);
Assert.NotNull(cert.Data);
Assert.NotNull(cert.Data.Certificate);
Assert.NotNull(cert.Data.PrivateKey);
}
}
public async Task SecretPki_SetUpRootCA_ReadCaCertificate()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "pki" });
var mountConfig = new MountConfig
{
MaxLeaseTtl = "87600h"
};
await client.Sys.TuneMount(mountPoint, mountConfig);
var rootCaConfig = new RootGenerateRequest
{
CommonName = "Vault Testing Root Certificate Authority",
Ttl = "87600h"
};
await client.Secret.Write($"{mountPoint}/root/generate/internal", rootCaConfig);
var roleName = Guid.NewGuid().ToString();
var role = new RolesRequest
{
AllowAnyDomain = true,
EnforceHostnames = false,
MaxTtl = "1h"
};
await client.Secret.Write($"{mountPoint}/roles/{roleName}", role);
var caCert = await client.Secret.ReadRaw($"{mountPoint}/ca/pem");
Assert.StartsWith("-----", System.Text.Encoding.Default.GetString(caCert));
}
}
public async Task SecretPki_BuildIntermediateCAChain_CanIssueCertificatesWithChain()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
await client.Sys.Mount("pki", new MountInfo { Type = "pki" });
await client.Sys.Mount("pki1", new MountInfo { Type = "pki" });
await client.Sys.Mount("pki2", new MountInfo { Type = "pki" });
await client.Sys.Mount("pki3", new MountInfo { Type = "pki" });
var mountConfig = new MountConfig
{
MaxLeaseTtl = "87600h"
};
await client.Sys.TuneMount("pki", mountConfig);
await client.Sys.TuneMount("pki1", mountConfig);
await client.Sys.TuneMount("pki2", mountConfig);
await client.Sys.TuneMount("pki3", mountConfig);
// Root CA
var rootCaConfig = new RootGenerateRequest
{
CommonName = "Vault Testing Root Certificate Authority",
Ttl = "87600h"
};
await client.Secret.Write($"pki/root/generate/internal", rootCaConfig);
// Intermediate CA
var pki1CaConfig = new IntermediateGenerateRequest
{
CommonName = "Vault Testing Intermediate CA"
};
var pki1Request =
await
client.Secret.Write <IntermediateGenerateRequest, IntermediateGenerateInternalResponse>(
"pki1/intermediate/generate/internal", pki1CaConfig);
var pki1SignRequest = new RootSignIntermediateRequest
{
Csr = pki1Request.Data.Csr,
Format = CertificateFormat.PemBundle,
Ttl = "87500h"
};
var pki1SignResponse =
await
client.Secret.Write <RootSignIntermediateRequest, RootSignIntermediateResponse>(
"pki/root/sign-intermediate", pki1SignRequest);
var pki1SetSigned = new IntermediateSetSignedRequest
{
Certificate = pki1SignResponse.Data.Certificate
};
await client.Secret.Write("pki1/intermediate/set-signed", pki1SetSigned);
// PKI2 - Sub Intermediate CA
var pki2CaConfig = new IntermediateGenerateRequest
{
CommonName = "Vault Testing Sub Intermediate CA"
};
var pki2Request =
await
client.Secret.Write <IntermediateGenerateRequest, IntermediateGenerateInternalResponse>(
"pki2/intermediate/generate/internal", pki2CaConfig);
var pki2SignRequest = new RootSignIntermediateRequest
{
Csr = pki2Request.Data.Csr,
Format = CertificateFormat.PemBundle,
Ttl = "87400h"
};
var pki2SignResponse =
await
client.Secret.Write <RootSignIntermediateRequest, RootSignIntermediateResponse>(
"pki1/root/sign-intermediate", pki2SignRequest);
var pki2SetSigned = new IntermediateSetSignedRequest
{
Certificate = pki2SignResponse.Data.Certificate
};
await client.Secret.Write("pki2/intermediate/set-signed", pki2SetSigned);
var roleName = Guid.NewGuid().ToString();
var role = new RolesRequest
{
AllowAnyDomain = true,
EnforceHostnames = false,
MaxTtl = "1h"
};
await client.Secret.Write($"pki2/roles/{roleName}", role);
var commonName = Guid.NewGuid().ToString();
var certRequest = new IssueRequest
{
CommonName = commonName,
AltNames = new List <string> {
"example.com", "test.example.com"
},
Format = CertificateFormat.Der
};
var cert =
await
client.Secret.Write <IssueRequest, IssueResponse>($"pki2/issue/{roleName}",
certRequest);
Assert.NotNull(cert.Data);
Assert.NotNull(cert.Data.Certificate);
Assert.NotNull(cert.Data.PrivateKey);
Assert.Equal(2, cert.Data.CaChain.Count);
}
}
