The below instructutions assume a Windows 10 Enviorment, with a x86 archtecture, and PowerShell 3.0 or newer.
We assume you dont have an exising vault server running, and you have an Atlas account with an appropriate profile.
To ensure you dont have an existing vault server please run the following powershell command to stop the active vault.
Stop-Process -Name VaultPlease follow Hashicorps instructions for installing the vault: https://www.vaultproject.io/docs/install#precompiled-binaries
New-Item -ItemType "directory" -Name win_pluginInvoke-RestMethod -Uri https://github.com/globalsign/atlas-hashicorp-vault/releases/latest/download/atlas-windows-amd64 -Method Get -OutFile win_plugin/atlas.exeNote: that the URL will change once repository is made public.
vault server -dev -dev-root-token-id=root -dev-plugin-dir=win_pluginFor simplicity we are running in dev mode.
All further instructions will be ran in the new powershell terminal
$env:VAULT_ADDR="http://127.0.0.1:8200"vault statusYou should see:
PS C:\Users\Andre> vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.6.0
Storage Type inmem
Cluster Name vault-cluster-6dae5f2b
Cluster ID 8f864a9c-31ad-88ef-f156-ff11264009cd
HA Enabled false
vault secrets enable --path=atlas atlas.exeUse the below commands to read and convert your mTLS files. Please replace the paths with the literal path to your cert and keys.
$mtls_cert = [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\Andre\vtest\my_cert.pem")) $mtls_key = [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\Andre\vtest\my_key.pem"))Note: Key file should be in PEM format and must be decrypted.
Please run the below but replace vaulues in <> with your own.
vault write atlas/config/authn api_key="<Your_Atlas_API_Key>" api_secret="<Your_Atlas_API_Secret>" api_cert="$mtls_cert" api_cert_key="$mtls_key"vault write atlas/roles/my-role allow_any_name=true enforce_hostnames=falseThis creates a role named "my-role". When users generate certificates against this role, Vault will validate the certificate request against the permissions. Vault will then send the certificate request to be issued by your Atlas instance.
The above role constraints are permissive, we would recommend tighter rules to fit your use case. Note that you atlas account policy will also apply to issued certificates, only certificates that meet both local and atlas policies will be issued,.
vault write atlas/issue/my-role common_name="example.com" ttl=24hThis creates a Private Key and a Certificate using the provided role and certificate configuration. You can reference this certificate in future requests using the serial number returned in the response.
Keep note of your private key, you won't be able to retrieve it in future requests.
Note: The above assumes your atlas account has permissions to issues certificates for example.com
vault list atlas/certsThis returns a list of certificate serial numbers that have been issued through this vault cluster. This can be used for getting more details or revoking certificates.
Note: Please replace 00-00-00-00-... with your certificate serial number
vault read atlas/cert/00-00-00-00-00-00-00-...This will give you the certificate pem and other issuance metadata, you can get the serial number from the certificate itself if
you would like to reverse this, but you must separate hex pairs with -.
Note that you can only get details on certificates issued through this vault cluster, once a certificate is expired or revoked it will remain visible here for a short period of time.
Note: Please replace 00-00-00-00-... with your certificate serial number
vault write atlas/revoke serial_number=00-00-00-00-00-00-00-...Just like Get details this requires a - separated serial number. This will have your atlas account add the certificate to
relevant revocation lists, and update its status within the vault cluster.
If your revoking lots of certificates it's a good idea to invoke tidy, which will clean up excess metadata within vault.
vault write -force atlas/tidy