x509_signing_policies: | x509_signing_policies: | ||||
{%- for ca_name,ca in minion.ca.items() %} | {%- for ca_name,ca in minion.ca.items() %} | ||||
{{ ca_name }}: | |||||
- minions: '*' | |||||
{%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %} | |||||
{{ ca_name }}_{{ signing_policy_name }}: | |||||
- minions: '{{ signing_policy.minions }}' | |||||
- signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key | - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key | ||||
- signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt | - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt | ||||
- C: {{ ca.country }} | - C: {{ ca.country }} | ||||
- ST: {{ ca.state }} | - ST: {{ ca.state }} | ||||
- L: {{ ca.locality }} | - L: {{ ca.locality }} | ||||
- basicConstraints: "critical CA:false" | |||||
- keyUsage: "critical cRLSign, keyCertSign" | |||||
{%- if signing_policy.type == 'v3_edge_cert_client' %} | |||||
- basicConstraints: "CA:FALSE" | |||||
- keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment" | |||||
- extendedKeyUsage: "critical clientAuth" | |||||
{%- elif signing_policy.type == 'v3_edge_cert_server' %} | |||||
- basicConstraints: "CA:FALSE" | |||||
- keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment" | |||||
- extendedKeyUsage: "critical,serverAuth" | |||||
{%- elif signing_policy.type == 'v3_intermediate_ca' %} | |||||
- basicConstraints: "CA:TRUE" | |||||
- keyUsage: "critical cRLSign,keyCertSign" | |||||
{%- elif signing_policy.type == 'v3_edge_ca' %} | |||||
- basicConstraints: "CA:TRUE,pathlen:0" | |||||
- keyUsage: "critical cRLSign,keyCertSign" | |||||
{%- endif %} | |||||
- subjectKeyIdentifier: hash | - subjectKeyIdentifier: hash | ||||
- authorityKeyIdentifier: keyid,issuer:always | - authorityKeyIdentifier: keyid,issuer:always | ||||
- days_valid: {{ ca.days_valid.certificate }} | - days_valid: {{ ca.days_valid.certificate }} | ||||
- copypath: /etc/pki/ca/{{ ca_name }}/certs/ | - copypath: /etc/pki/ca/{{ ca_name }}/certs/ | ||||
{%- endfor %} | {%- endfor %} | ||||
{%- endfor %} |
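Review bot: The CA-issuing policies at L24 (`v3_intermediate_ca`) and L27 (`v3_edge_ca`) emit `basicConstraints: "CA:TRUE"` without the `critical` marker that the replaced line L13 carried; RFC 5280 §4.2.1.9 requires basicConstraints to be critical in CA certificates, so these should read `- basicConstraints: "critical CA:TRUE"` and `- basicConstraints: "critical CA:TRUE,pathlen:0"`. The `critical` separator is also written two ways in the new lines — `"critical clientAuth"` at L18 but `"critical,serverAuth"` at L22, and `"critical,CA:TRUE"` in the next hunk at L41–L42 — so settle on the form the consuming x509 module actually parses and use it throughout, since a form it does not recognise may leave the extension non-critical or mis-valued without any rendering error. L5 iterates with `.iteritems()` while L2 uses `.items()`; `iteritems` exists only on Python 2, so `.items()` keeps the template rendering on either interpreter. Note that the unchanged L32 now applies `ca.days_valid.certificate` to the CA-type policies as well, which is presumably not the lifetime intended for subordinate CAs — confirm against the pillar defaults.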
- C: {{ ca.country }} | - C: {{ ca.country }} | ||||
- ST: {{ ca.state }} | - ST: {{ ca.state }} | ||||
- L: {{ ca.locality }} | - L: {{ ca.locality }} | ||||
- basicConstraints: "critical CA:true" | |||||
- keyUsage: "critical cRLSign, keyCertSign" | |||||
- basicConstraints: "critical,CA:TRUE" | |||||
- keyUsage: "critical,cRLSign,keyCertSign" | |||||
- subjectKeyIdentifier: hash | - subjectKeyIdentifier: hash | ||||
- authorityKeyIdentifier: keyid,issuer:always | - authorityKeyIdentifier: keyid,issuer:always | ||||
- days_valid: {{ ca.days_valid.authority }} | - days_valid: {{ ca.days_valid.authority }} |
- salt.minion.service | - salt.minion.service | ||||
{%- for cert_name,cert in minion.cert.iteritems() %} | {%- for cert_name,cert in minion.cert.iteritems() %} | ||||
{%- set rowloop = loop %} | |||||
/etc/pki/cert/{{ cert.authority }}: | |||||
ca_dir_{{ cert.authority }}_{{ loop.index }}: | |||||
file.directory: | file.directory: | ||||
- name: /etc/pki/cert/{{ cert.authority }} | |||||
- makedirs: true | - makedirs: true | ||||
/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key: | /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key: | ||||
/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt: | /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt: | ||||
x509.certificate_managed: | x509.certificate_managed: | ||||
- ca_server: {{ cert.host }} | - ca_server: {{ cert.host }} | ||||
- signing_policy: {{ cert.authority }} | |||||
- signing_policy: {{ cert.authority }}_{{ cert.signing_policy }} | |||||
- public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key | - public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key | ||||
- CN: {{ cert.common_name }} | - CN: {{ cert.common_name }} | ||||
- days_remaining: 30 | - days_remaining: 30 | ||||
{%- if '/etc/pki/ca/'+cert.authority in ca_path %} | {%- if '/etc/pki/ca/'+cert.authority in ca_path %} | ||||
/etc/pki/cert/{{ cert.authority }}/ca.crt: | |||||
ca_cert_{{ cert.authority }}_{{ rowloop.index }}: | |||||
x509.pem_managed: | x509.pem_managed: | ||||
- name: /etc/pki/cert/{{ cert.authority }}/ca.crt | |||||
- text: {{ ca_cert|replace('\n', '') }} | - text: {{ ca_cert|replace('\n', '') }} | ||||
{%- endif %} | {%- endif %} |
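Review bot: The `rowloop` alias set at L48 is used only at L65, while L50 in the same hunk reads `loop.index` directly; no inner loop is visible between L48 and L65 (the `if` at L63 does not open one), so unless an inner loop exists outside the hunk, `ca_cert_{{ cert.authority }}_{{ loop.index }}` would do and the alias can go. Because both `ca_dir_…` (L50) and `ca_cert_…` (L65) are keyed by the loop index rather than by the authority, every certificate under the same authority adds another state managing the same directory and the same `/etc/pki/cert/{{ cert.authority }}/ca.crt`; keying these two states by authority (or iterating the distinct authorities separately) would leave one state per managed path. The enclosing `for` at L47 closes outside the hunk.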
days_valid: | days_valid: | ||||
authority: 3650 | authority: 3650 | ||||
certificate: 90 | certificate: 90 | ||||
signing_policy: | |||||
cert_server: | |||||
type: v3_edge_cert_server | |||||
minions: '*' | |||||
cert_client: | |||||
type: v3_edge_cert_client | |||||
minions: '*' | |||||
ca_edge: | |||||
type: v3_edge_ca | |||||
minions: '*' | |||||
ca_intermediate: | |||||
type: v3_intermediate_ca | |||||
minions: '*' |
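Review bot: `ca_edge` (L80–L82) and `ca_intermediate` (L83–L85) ship with `minions: '*'`, which — through `minions: '{{ signing_policy.minions }}'` in the state template — lets any minion request a `CA:TRUE` certificate signed by this authority, and the holder of such a certificate can then issue leaf certificates that chain to it. Restrict the CA-issuing policies to the hosts that are meant to run subordinate CAs, for example a glob such as `minions: 'ca-*'` (constructed example) or an explicit list, and keep `'*'` only for the leaf policies `cert_server` and `cert_client` if that exposure is intended. The 90-day `certificate` lifetime at L72 would also apply to subordinate CA certificates issued under these policies if the state template uses `days_valid.certificate` for every policy — confirm that is intended.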
minion: | minion: | ||||
enabled: true | enabled: true | ||||
cert: | cert: | ||||
test_service: | |||||
test_server: | |||||
host: minion.with.ca | host: minion.with.ca | ||||
signing_policy: cert_server | |||||
authority: Company CA | authority: Company CA | ||||
common_name: test.service.domain.tld | |||||
common_name: test.server.domain.tld | |||||
test_client: | |||||
host: minion.with.ca | |||||
signing_policy: cert_client | |||||
authority: Company CA | |||||
common_name: test.client.domain.tld | |||||
test_edge_ca: | |||||
host: minion.with.ca | |||||
signing_policy: ca_edge | |||||
authority: Company CA | |||||
common_name: test.ca.domain.tld |