New version of salt-formula from Saltstack

_pki.conf 1.7KB

  1. {%- from "salt/map.jinja" import minion with context %}
  2. x509_signing_policies:
  3. {%- for ca_name,ca in minion.ca.items() %}
  4. {%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
  5. {{ ca_name }}_{{ signing_policy_name }}:
  6. - minions: '{{ signing_policy.minions }}'
  7. - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
  8. - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
  9. {%- if ca.country is defined %}
  10. - C: {{ ca.country }}
  11. {%- endif %}
  12. {%- if ca.state is defined %}
  13. - ST: {{ ca.state }}
  14. {%- endif %}
  15. {%- if ca.locality is defined %}
  16. - L: {{ ca.locality }}
  17. {%- endif %}
  18. {%- if ca.organization is defined %}
  19. - O: {{ ca.organization }}
  20. {%- endif %}
  21. {%- if ca.organization_unit is defined %}
  22. - OU: {{ ca.organization_unit }}
  23. {%- endif %}
  24. {%- if signing_policy.type == 'v3_edge_cert_client' %}
  25. - basicConstraints: "CA:FALSE"
  26. - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
  27. - extendedKeyUsage: "critical clientAuth"
  28. {%- elif signing_policy.type == 'v3_edge_cert_server' %}
  29. - basicConstraints: "CA:FALSE"
  30. - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
  31. - extendedKeyUsage: "critical,serverAuth"
  32. {%- elif signing_policy.type == 'v3_intermediate_ca' %}
  33. - basicConstraints: "CA:TRUE"
  34. - keyUsage: "critical cRLSign,keyCertSign"
  35. {%- elif signing_policy.type == 'v3_edge_ca' %}
  36. - basicConstraints: "CA:TRUE,pathlen:0"
  37. - keyUsage: "critical cRLSign,keyCertSign"
  38. {%- endif %}
  39. - subjectKeyIdentifier: hash
  40. - authorityKeyIdentifier: keyid,issuer:always
  41. - days_valid: {{ ca.days_valid.certificate }}
  42. - copypath: /etc/pki/ca/{{ ca_name }}/certs/
  43. {%- endfor %}
  44. {%- endfor %}
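Review bot: Line 4 iterates with `.iteritems()` while line 3 uses `.items()`; `iteritems()` does not exist on Python 3 dicts, so this template would fail to render on a Python 3 master — change it to `{%- for signing_policy_name, signing_policy in ca.signing_policy.items() %}`. The subject fields on lines 10–22 are emitted unquoted (`- C: {{ ca.country }}`), so a country of `NO` is read by YAML as boolean false and a purely numeric locality or OU as an integer; quote them the way `minions` on line 6 already is, e.g. `- C: '{{ ca.country }}'`, and likewise for ST, L, O and OU. The extendedKeyUsage value is spelled `"critical clientAuth"` on line 27 but `"critical,serverAuth"` on line 31; whether both spellings are honoured as critical presumably depends on how the x509 module parses the prefix, so normalise to the space-separated form every keyUsage line uses. Since the signing policy only fixes the fields listed here, a minion matched by `minions` presumably supplies the remaining subject and SAN values itself, so the glob on the `v3_intermediate_ca` and `v3_edge_ca` policies (which issue CA:TRUE certificates) deserves a comment such as `# keep minions narrowly scoped: these policies issue CA certificates` rather than being left to default to `*` in pillar.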