added mtls for device endpoints

tdv
2025-10-03 13:22:47 +03:00
parent af252c4498
commit 269b098f0d
3 changed files with 133 additions and 30 deletions


@@ -74,13 +74,16 @@ vault write pki_iot/config/urls \
# Role that limits cert subjects to your device GUIDs
vault write pki_iot/roles/device \
allow_any_name=false \
allow_any_name=true \
allowed_uri_sans="urn:device:*" \
allowed_other_sans="" \
require_cn=false \
cn_validations= \
allow_ip_sans=false \
allowed_domains="" \
enforce_hostnames=false \
key_type=ec key_bits=256 \
key_type=ec \
key_bits=256 \
max_ttl=720h ttl=720h # 30 days
```
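Review bot: The new `allow_any_name=true` contradicts the comment kept right above the role ("Role that limits cert subjects to your device GUIDs"): with that flag Vault stops checking the common name and DNS SANs against `allowed_domains`, so `allowed_uri_sans="urn:device:*"` only bounds URI SANs and any principal with issue rights on `pki_iot/roles/device` can obtain a certificate for an arbitrary subject, which is exactly the identity the mTLS device endpoint relies on. If the device identity is meant to live solely in the URI SAN, keep `allow_any_name=false \` together with the existing `require_cn=false` so subjects stay constrained; if the relaxation is deliberate, the comment should instead say that the role does not limit subjects. The second hunk has a related robustness gap: the CRL downloads there run `curl http://vault.local:8200/v1/...` without `-f`, unlike the `curl -fsSL https://...` shown in that hunk's header context, so a failed fetch writes the HTTP error body into `int_iot.crl`/`root_iot.crl` before the `openssl crl` conversion runs; adding `-fsSL` (and matching the https scheme used elsewhere in the document) makes the fetch fail loudly instead of clobbering the CRL nginx serves.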
@@ -107,3 +110,16 @@ curl -fsSL https://vault.example.local/v1/pki_iot/crl -o /etc/nginx/iot.crl
nginx -s reload
```
- Automate via systemd timer/cron (e.g., every 1015 min).
- Nginx fix for DER CRL format
```bash
# sed -i 's/\r$//' ./nginx/nginx_ssl/int_iot.crl
curl http://vault.local:8200/v1/pki_iot/crl -o nginx/nginx_ssl/int_iot.crl
openssl crl -in ./nginx/nginx_ssl/int_iot.crl -out ./nginx/nginx_ssl/int_iot.crl.clean -outform PEM
mv ./nginx/nginx_ssl/int_iot.crl.clean ./nginx/nginx_ssl/int_iot.crl
curl http://vault.local:8200/v1/pki_root/crl -o nginx/nginx_ssl/root_iot.crl
openssl crl -in ./nginx/nginx_ssl/root_iot.crl -out ./nginx/nginx_ssl/root_iot.crl.clean -outform PEM
mv ./nginx/nginx_ssl/root_iot.crl.clean ./nginx/nginx_ssl/root_iot.crl
(sed 's/\r$//' ./nginx/nginx_ssl/int_iot.crl; echo; sed 's/\r$//' ./nginx/nginx_ssl/root_iot.crl; echo) \
> ./nginx/nginx_ssl/iot.crl
```