added mtls for device endpoints
20
readme.md
20
readme.md
@@ -74,13 +74,16 @@ vault write pki_iot/config/urls \
|
||||
|
||||
# Role that limits cert subjects to your device GUIDs
|
||||
vault write pki_iot/roles/device \
|
||||
allow_any_name=false \
|
||||
allow_any_name=true \
|
||||
allowed_uri_sans="urn:device:*" \
|
||||
allowed_other_sans="" \
|
||||
require_cn=false \
|
||||
cn_validations= \
|
||||
allow_ip_sans=false \
|
||||
allowed_domains="" \
|
||||
enforce_hostnames=false \
|
||||
key_type=ec key_bits=256 \
|
||||
key_type=ec \
|
||||
key_bits=256 \
|
||||
max_ttl=720h ttl=720h # 30 days
|
||||
```
|
||||
|
||||
@@ -107,3 +110,16 @@ curl -fsSL https://vault.example.local/v1/pki_iot/crl -o /etc/nginx/iot.crl
|
||||
nginx -s reload
|
||||
```
|
||||
- Automate via systemd timer/cron (e.g., every 10–15 min).
|
||||
|
||||
- Nginx fix for DER CRL format
|
||||
```bash
|
||||
# sed -i 's/\r$//' ./nginx/nginx_ssl/int_iot.crl
|
||||
curl http://vault.local:8200/v1/pki_iot/crl -o nginx/nginx_ssl/int_iot.crl
|
||||
openssl crl -in ./nginx/nginx_ssl/int_iot.crl -out ./nginx/nginx_ssl/int_iot.crl.clean -outform PEM
|
||||
mv ./nginx/nginx_ssl/int_iot.crl.clean ./nginx/nginx_ssl/int_iot.crl
|
||||
curl http://vault.local:8200/v1/pki_root/crl -o nginx/nginx_ssl/root_iot.crl
|
||||
openssl crl -in ./nginx/nginx_ssl/root_iot.crl -out ./nginx/nginx_ssl/root_iot.crl.clean -outform PEM
|
||||
mv ./nginx/nginx_ssl/root_iot.crl.clean ./nginx/nginx_ssl/root_iot.crl
|
||||
(sed 's/\r$//' ./nginx/nginx_ssl/int_iot.crl; echo; sed 's/\r$//' ./nginx/nginx_ssl/root_iot.crl; echo) \
|
||||
> ./nginx/nginx_ssl/iot.crl
|
||||
```
|
||||