Vault Kurulumu

#hashicorp #vault #linux #secretmanagement

1)AD den Sertifika Çıkarma

Sertifika çıkartmak için AD yi kullanacağım. AD den sertifika çıkarırken dikkat edilmesi gereken noktalardan biri bu web arayüzüne erişecek ortamların truststore una AD nin root/CA sertifikasını da eklemem gerekiyor.

run > certlm.msc > Personal > All Tasks > Request New Certificate > Web Server Template

Subject > Subject Name > Common Name : vault.alanadı
Subject > Subject Name > Common Name : vault
Subject > Alternative Name > DNS : vault.alanadı
Subject > Alternative Name > IP(v4) : serverIP
Private Key > Key Options > Make Private Key Exportable

2)/opt/vault dizinini ayrı bir yere alma

Vault belgelerinde /opt/vault dizinin root bölümden ayrı tutulması öneriliyor.

mkdir -vp /opt/vault/data /etc/vault.d
vim /lib/systemd/system/vault.service
vim /etc/vault.d/vault.hcl
unzip vault_1.20.4_linux_amd64.zip
mv vault /usr/bin/ -v
chown -Rv root: /usr/bin/vault
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))


sudo useradd --system --home /opt/vault/data --shell /sbin/nologin vault

sudo chown -Rv vault: /opt/vault/data && sudo chmod -Rv 750 /opt/vault/data
sudo chown -Rv vault: /etc/vault.d/vault.hcl && sudo chmod -Rv 640 /etc/vault.d/vault.hcl

sudo mkdir /etc/certs


PFXFile="vault.pfx"



#We can extract the private key form a PFX to a PEM file with this command:
openssl pkcs12 -in $PFXFile -nocerts -out key.pem

#Exporting the certificate only:
openssl pkcs12 -in $PFXFile -clcerts -nokeys -out cert.pem

#Removing the password from the extracted private key:
openssl rsa -in key.pem -out server.key 


sudo setfacl -R -m vault:rwx /etc/certs

sudo -u vault /usr/bin/vault server -config=/etc/vault.d/vault.hcl