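{#- Salt state: for every entry under `minion.cert` (from salt/map.jinja),
    generate a 4096-bit private key, have it signed by the CA server
    `cert.host` via the x509 module, and install that CA's own certificate
    locally so the issued certificate can be verified.
    Each cert entry is expected to provide common_name, host, authority and
    signing_policy; alternative_names is optional. #}
{%- from "salt/map.jinja" import minion with context %}
{%- if minion.enabled %}
{#- .items() rather than .iteritems(): the latter does not exist on Python 3
    minions and makes the whole state fail to render there. #}
{%- for cert_name, cert in minion.get('cert', {}).items() %}
{%- set rowloop = loop %}

{#- Set the mode at creation time so the key is never left readable to other
    users in the window before the `_rights` state below runs; file.managed
    kwargs such as mode are passed through by x509.private_key_managed. #}
/etc/ssl/private/{{ cert.common_name }}.key:
  x509.private_key_managed:
    - bits: 4096
    - mode: '0600'

{#- Re-asserts permissions on every run; replace: False keeps the key contents. #}
{{ cert.common_name }}_rights:
  file.managed:
    - name: /etc/ssl/private/{{ cert.common_name }}.key
    - mode: '0600'
    - replace: False
    - require:
      - x509: /etc/ssl/private/{{ cert.common_name }}.key

{#- Certificate request is sent to the CA server and signed under the policy
    named <authority>_<signing_policy>; renewed when < 30 days remain. #}
/etc/ssl/certs/{{ cert.common_name }}.crt:
  x509.certificate_managed:
    - ca_server: {{ cert.host }}
    - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
    - public_key: /etc/ssl/private/{{ cert.common_name }}.key
    - CN: {{ cert.common_name }}
{%- if cert.alternative_names is defined %}
    - subjectAltName: {{ cert.alternative_names }}
{%- endif %}
    - days_remaining: 30
    - backup: True
    - require:
      - x509: /etc/ssl/private/{{ cert.common_name }}.key

{#- The CA certificate comes from the CA server's mine (x509.get_pem_entries).
    Indexing with [cert.host] deliberately fails the render when the mine has
    no data for that host: a loud failure is preferable to silently installing
    no CA certificate. #}
{%- for ca_path, ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries')[cert.host].items() %}
{#- NOTE: substring match -- an authority named "foo" would also match a path
    under /etc/pki/ca/foobar/. Keep authority names prefix-free, or tighten
    this to a full path-prefix test once the CA directory layout is fixed. #}
{%- if '/etc/pki/ca/' + cert.authority in ca_path %}
ca_cert_{{ cert.authority }}_{{ rowloop.index }}:
  x509.pem_managed:
    - name: /etc/ssl/certs/ca-{{ cert.authority }}.crt
    - text: {{ ca_cert|replace('\n', '') }}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- endif %}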