
Salt PKI proper x509v3 cert extensions

tags/0.4
Ales Komarek 8 anni fa
parent
commit
9a9abb366b
5 ha cambiato i file con 53 aggiunte e 11 eliminazioni
  1. +19
    -4
      salt/files/_pki.conf
  2. +2
    -2
      salt/minion/ca.sls
  3. +6
    -3
      salt/minion/cert.sls
  4. +13
    -0
      tests/pillar/minion_pki_ca.sls
  5. +13
    -2
      tests/pillar/minion_pki_cert.sls

+ 19
- 4
salt/files/_pki.conf Vedi File

@@ -2,17 +2,32 @@

x509_signing_policies:
{%- for ca_name,ca in minion.ca.items() %}
{{ ca_name }}:
- minions: '*'
{%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
{{ ca_name }}_{{ signing_policy_name }}:
- minions: '{{ signing_policy.minions }}'
- signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
- signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
- C: {{ ca.country }}
- ST: {{ ca.state }}
- L: {{ ca.locality }}
- basicConstraints: "critical CA:false"
- keyUsage: "critical cRLSign, keyCertSign"
{%- if signing_policy.type == 'v3_edge_cert_client' %}
- basicConstraints: "CA:FALSE"
- keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
- extendedKeyUsage: "critical clientAuth"
{%- elif signing_policy.type == 'v3_edge_cert_server' %}
- basicConstraints: "CA:FALSE"
- keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
- extendedKeyUsage: "critical,serverAuth"
{%- elif signing_policy.type == 'v3_intermediate_ca' %}
- basicConstraints: "CA:TRUE"
- keyUsage: "critical cRLSign,keyCertSign"
{%- elif signing_policy.type == 'v3_edge_ca' %}
- basicConstraints: "CA:TRUE,pathlen:0"
- keyUsage: "critical cRLSign,keyCertSign"
{%- endif %}
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: {{ ca.days_valid.certificate }}
- copypath: /etc/pki/ca/{{ ca_name }}/certs/
{%- endfor %}
{%- endfor %}
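Review bot: The two CA-issuing policies leave basicConstraints non-critical — `- basicConstraints: "CA:TRUE"` in the v3_intermediate_ca branch and `- basicConstraints: "CA:TRUE,pathlen:0"` in v3_edge_ca — whereas the root CA in ca.sls and the default this hunk removes both mark it critical; RFC 5280 §4.2.1.9 requires basicConstraints to be critical in CA certificates, and strict validators may treat a non-critical one as non-conforming. I would change them to `- basicConstraints: "critical,CA:TRUE"` and `- basicConstraints: "critical,CA:TRUE,pathlen:0"`. Note also that v3_intermediate_ca carries no pathlen, so any minion matched by `signing_policy.minions` obtains a key that can mint further unconstrained CAs; a template comment such as `{# v3_intermediate_ca has no pathlen: keep signing_policy.minions tightly scoped #}` would make that visible to whoever edits the pillar. The extendedKeyUsage values also mix separators (`"critical clientAuth"` vs `"critical,serverAuth"`); pick one spelling so the policies can be audited at a glance.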

+ 2
- 2
salt/minion/ca.sls Vedi File

@@ -33,8 +33,8 @@ include:
- C: {{ ca.country }}
- ST: {{ ca.state }}
- L: {{ ca.locality }}
- basicConstraints: "critical CA:true"
- keyUsage: "critical cRLSign, keyCertSign"
- basicConstraints: "critical,CA:TRUE"
- keyUsage: "critical,cRLSign,keyCertSign"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: {{ ca.days_valid.authority }}
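Review bot: The new lines switch to OpenSSL's comma form (`"critical,CA:TRUE"`, `"critical,cRLSign,keyCertSign"`) while the signing policies added to _pki.conf in this same commit still spell the flag with a space (e.g. `"critical cRLSign,keyCertSign"`). As far as I recall, Salt's x509 module strips a leading `critical ` itself and OpenSSL's extension parser understands a `critical,` prefix, so both forms probably render correctly, but two spellings for the same flag make it easy to miss one that is silently passed through as a plain value. I would settle on a single form across ca.sls and _pki.conf. The enclosing x509.certificate_managed state starts outside this hunk.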

+ 6
- 3
salt/minion/cert.sls Vedi File

@@ -5,9 +5,11 @@ include:
- salt.minion.service

{%- for cert_name,cert in minion.cert.iteritems() %}
{%- set rowloop = loop %}

/etc/pki/cert/{{ cert.authority }}:
ca_dir_{{ cert.authority }}_{{ loop.index }}:
file.directory:
- name: /etc/pki/cert/{{ cert.authority }}
- makedirs: true

/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key:
@@ -17,7 +19,7 @@ include:
/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt:
x509.certificate_managed:
- ca_server: {{ cert.host }}
- signing_policy: {{ cert.authority }}
- signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
- public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key
- CN: {{ cert.common_name }}
- days_remaining: 30
@@ -27,8 +29,9 @@ include:

{%- if '/etc/pki/ca/'+cert.authority in ca_path %}

/etc/pki/cert/{{ cert.authority }}/ca.crt:
ca_cert_{{ cert.authority }}_{{ rowloop.index }}:
x509.pem_managed:
- name: /etc/pki/cert/{{ cert.authority }}/ca.crt
- text: {{ ca_cert|replace('\n', '') }}

{%- endif %}
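Review bot: The new explicit state IDs `ca_dir_{{ cert.authority }}_{{ loop.index }}` and `ca_cert_{{ cert.authority }}_{{ rowloop.index }}` are positional, so adding or reordering an entry under `minion.cert` renames the states and would silently invalidate any requisite that names them. `cert_name` is already bound by the loop at the top of the hunk and is unique per entry, so `ca_dir_{{ cert.authority }}_{{ cert_name }}:` and `ca_cert_{{ cert.authority }}_{{ cert_name }}:` give stable IDs with the same duplicate-avoidance. `ca_path` and `ca_cert` used in the last hunk are defined outside the visible lines, so I cannot confirm what they hold.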

+ 13
- 0
tests/pillar/minion_pki_ca.sls Vedi File

@@ -10,3 +10,16 @@ salt:
days_valid:
authority: 3650
certificate: 90
signing_policy:
cert_server:
type: v3_edge_cert_server
minions: '*'
cert_client:
type: v3_edge_cert_client
minions: '*'
ca_edge:
type: v3_edge_ca
minions: '*'
ca_intermediate:
type: v3_intermediate_ca
minions: '*'
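Review bot: Every policy in this example pillar, including `ca_intermediate` and `ca_edge`, is granted `minions: '*'`, which once rendered into x509_signing_policies lets any minion accepted by the master obtain a CA certificate signed by Company CA. That is fine for a test fixture, but this file is also the template operators will copy; I would scope the CA-issuing entries to a narrow glob and add a comment such as `# restrict CA-issuing policies to the hosts that actually run a sub-CA` above `ca_edge`. Whether the master enforces anything beyond this glob is outside what the diff shows.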

+ 13
- 2
tests/pillar/minion_pki_cert.sls Vedi File

@@ -2,7 +2,18 @@ salt:
minion:
enabled: true
cert:
test_service:
test_server:
host: minion.with.ca
signing_policy: cert_server
authority: Company CA
common_name: test.service.domain.tld
common_name: test.server.domain.tld
test_client:
host: minion.with.ca
signing_policy: cert_client
authority: Company CA
common_name: test.client.domain.tld
test_edge_ca:
host: minion.with.ca
signing_policy: ca_edge
authority: Company CA
common_name: test.ca.domain.tld
