Allow updating ca_certificates without salt-pki

linux/system/certificate.sls

@@ -3,19 +3,39 @@
 
 {%- if system.ca_certificates is defined %}
 
-{%- for certificate in system.ca_certificates %}
+linux_system_ca_certificates:
+  pkg.installed:
+    - name: ca-certificates
+{%- if system.ca_certificates is mapping %}
+
+{%- for name, cert in system.ca_certificates.iteritems() %}
+{{ system.ca_certs_dir }}/{{ name }}.crt:
+  file.managed:
+  - contents_pillar: "linux:system:ca_certificates:{{ name }}"
+  - watch_in:
+    - cmd: update_certificates
+  - require:
+    - pkg: linux_system_ca_certificates
+{%- endfor %}
 
+{%- else %}
+{#- salt-pki way #}
+
+{%- for certificate in system.ca_certificates %}
 {{ system.ca_certs_dir }}/{{ certificate }}.crt:
   file.managed:
   - source: salt://pki/{{ certificate }}/{{ certificate }}-chain.cert.pem
   - watch_in:
     - cmd: update_certificates
-
+  - require:
+    - pkg: linux_system_ca_certificates
 {%- endfor %}
 
+{%- endif %}
+
 update_certificates:
   cmd.wait:
-  - name: /usr/sbin/update-ca-certificates
+  - name: update-ca-certificates
 
 {%- endif %}