A Salt execution module for SSL/TLS. It can create a Certificate Authority (CA) and sign certificates with it, or create self-signed certificates.
depends:
configuration: Add the following values in /etc/salt/minion for the CA module to function properly:
    ca.cert_base_path: '/etc/pki'
Verify whether a Certificate Authority (CA) with the given name already exists under the given certificate path.
CLI Example:
salt '*' tls.ca_exists test_ca /etc/certs
Return the base path for certificates, taken from the command line if given, otherwise from the ca.cert_base_path minion option.
CLI Example:
salt '*' tls.cert_base_path
Create a Certificate Authority (CA)
Writes out a CA certificate and its private key based on the configured values. If the CA certificate file already exists, the function returns without regenerating it; an expired or compromised CA is therefore not replaced until the existing files are removed.
If the following values were set:
ca.cert_base_path='/etc/pki'
ca_name='koji'
the resulting CA, and corresponding key, would be written in the following location:
/etc/pki/koji/koji_ca_cert.crt
/etc/pki/koji/koji_ca_cert.key
CLI Example:
salt '*' tls.create_ca test_ca
Create a certificate (CERT) signed by a named Certificate Authority (CA).
If the certificate file already exists, the function returns without re-signing, assuming the CERT already exists.
The CN must match an existing CSR generated by create_csr; if no such CSR exists, this method does nothing.
If the following values were set:
ca.cert_base_path='/etc/pki'
ca_name='koji'
CN='test.egavas.org'
the resulting signed certificate would be written in the following location:
/etc/pki/koji/certs/test.egavas.org.crt
CLI Example:
salt '*' tls.create_ca_signed_cert test localhost
Create a Certificate Signing Request (CSR) for a particular Certificate Authority (CA)
Writes out a Certificate Signing Request (CSR) and its private key. If the CSR file already exists, the function just returns, assuming the CSR already exists.
If the following values were set:
ca.cert_base_path='/etc/pki'
ca_name='koji'
CN='test.egavas.org'
the resulting CSR, and corresponding key, would be written in the following location:
/etc/pki/koji/certs/test.egavas.org.csr
/etc/pki/koji/certs/test.egavas.org.key
CLI Example:
salt '*' tls.create_csr test
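The CA, CSR and signing steps documented above, as an added shell example that is not code from the salt tls module or the Salt project: it drives the openssl CLI directly to produce the same file layout, under a temporary directory standing in for ca.cert_base_path, with `koji` and `test.egavas.org` taken from the examples on this page. The openssl extension sections, the `DAYS` validity, and the `x509_version`, `chain_ok` and `key_private` checks are my additions, not behaviour the page documents.

```shell
#!/bin/sh
# Added example (not code from the salt tls module or the Salt project): rebuilds
# the on-disk layout documented above, <ca.cert_base_path>/<ca_name>/..., with the
# openssl CLI so the artifacts can be inspected and verified outside of salt.
# Assumptions: `openssl` (1.1.1 or newer) is on PATH; the base path defaults to a
# fresh temporary directory rather than /etc/pki; the extension sets are my choice.
set -eu

CERT_BASE_PATH="${CERT_BASE_PATH:-$(mktemp -d)}"   # stands in for ca.cert_base_path
CA_NAME="koji"                                     # the page's example ca_name
CN="test.egavas.org"                               # the page's example CN
DAYS=365

ca_dir()  { printf '%s/%s' "$CERT_BASE_PATH" "$CA_NAME"; }
ca_cert() { printf '%s/%s_ca_cert.crt' "$(ca_dir)" "$CA_NAME"; }
ca_key()  { printf '%s/%s_ca_cert.key' "$(ca_dir)" "$CA_NAME"; }
leaf()    { printf '%s/certs/%s.%s' "$(ca_dir)" "$CN" "$1"; }   # leaf key|csr|crt
ssl_cfg() { printf '%s/openssl.cnf' "$(ca_dir)"; }

# Self-contained openssl config so nothing depends on the system openssl.cnf.
# Explicit extension sections also guarantee X.509 v3 output (checked below with
# x509_version; the version field is what tls.maybe_fix_ssl_version repairs on
# certificates written by older salt releases).
write_cfg() {
    mkdir -p "$(ca_dir)/certs"
    cat > "$(ssl_cfg)" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$CN
EOF
}

# Mirrors tls.create_ca: idempotent; an existing CA is left untouched even if it
# is expired or weak, so rotating it means deleting the files first.
create_ca() {
    write_cfg
    if [ -f "$(ca_cert)" ]; then return 0; fi
    ( umask 077   # both files land owner-only; the public .crt is opened up below
      openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
          -config "$(ssl_cfg)" -extensions v3_ca -subj "/CN=$CA_NAME CA" \
          -keyout "$(ca_key)" -out "$(ca_cert)" ) >/dev/null 2>&1
    chmod 644 "$(ca_cert)"
}

# Mirrors tls.create_csr: key + CSR under <base>/<ca_name>/certs/<CN>.{key,csr}.
create_csr() {
    write_cfg
    if [ -f "$(leaf csr)" ]; then return 0; fi
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$(ssl_cfg)" \
          -subj "/CN=$CN" -keyout "$(leaf key)" -out "$(leaf csr)" ) >/dev/null 2>&1
    chmod 644 "$(leaf csr)"
}

# Mirrors tls.create_ca_signed_cert: refuses when no CSR exists for CN, and
# never re-signs an existing certificate.
create_ca_signed_cert() {
    if [ ! -f "$(leaf csr)" ]; then
        echo "no CSR for $CN under $(ca_dir)/certs; nothing to sign" >&2
        return 1
    fi
    if [ -f "$(leaf crt)" ]; then return 0; fi
    openssl x509 -req -days "$DAYS" -in "$(leaf csr)" \
        -CA "$(ca_cert)" -CAkey "$(ca_key)" -CAcreateserial \
        -extfile "$(ssl_cfg)" -extensions v3_leaf -out "$(leaf crt)" >/dev/null 2>&1
}

# Checks worth running on the result before trusting it.
x509_version() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'; }
chain_ok()     { openssl verify -CAfile "$(ca_cert)" "$(leaf crt)" >/dev/null 2>&1; }
key_private()  { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }  # no group/other bits

main() {
    create_ca; create_csr; create_ca_signed_cert
    printf 'CA  : %s (X.509 v%s)\n' "$(ca_cert)" "$(x509_version "$(ca_cert)")"
    printf 'cert: %s (X.509 v%s)\n' "$(leaf crt)" "$(x509_version "$(leaf crt)")"
    chain_ok || { echo "chain does NOT verify against the CA" >&2; return 1; }
    key_private "$(leaf key)" || { echo "leaf key is readable by others" >&2; return 1; }
    echo "chain verifies and the leaf key is owner-only"
}
main
```

Run it as-is to build the tree, or set CERT_BASE_PATH to point at an existing base path. It keeps the same silent no-op behaviour the module documents: rerunning create_ca after the CA has expired changes nothing, and create_ca_signed_cert for a CN without a CSR exits non-zero rather than minting a certificate nobody requested.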
Create a PKCS#12 bundle (the certificate together with its private key, for import into a browser) for a particular certificate (CN).
If the following values were set:
ca.cert_base_path='/etc/pki'
ca_name='koji'
CN='test.egavas.org'
the resulting PKCS#12 bundle would be written in the following location:
/etc/pki/koji/certs/test.egavas.org.p12
CLI Example:
salt '*' tls.create_pkcs12 test localhost
Create a Self-Signed Certificate (CERT)
Writes out a Self-Signed Certificate (CERT) and its private key. If the certificate file already exists, the function just returns.
If the following values were set:
ca.cert_base_path='/etc/pki'
tls_dir='koji'
CN='test.egavas.org'
the resulting CERT, and corresponding key, would be written in the following location:
/etc/pki/koji/certs/test.egavas.org.crt
/etc/pki/koji/certs/test.egavas.org.key
CLI Example:
salt '*' tls.create_self_signed_cert
Passing options from the command line:
salt 'minion' tls.create_self_signed_cert CN='test.mysite.org'
Get the path of the named CA certificate, or its contents when as_text=True.
CLI Example:
salt '*' tls.get_ca test_ca as_text=False cacert_path=/etc/certs
Check that the X.509 version of the CA certificate is correct (it was set incorrectly by previous Salt versions) and fix it if needed.
CLI Example:
salt '*' tls.maybe_fix_ssl_version test_ca /etc/certs
Optionally store the given cacert_path in the module context so that it is used as the base path for subsequent operations.
CLI Example:
salt '*' tls.set_ca_path /etc/certs
Latest Salt release: 2014.1.13