{%- from "salt/map.jinja" import minion with context %}

x509_signing_policies:
{%- for ca_name,ca in minion.ca.items() %}
  {{ ca_name }}:
    - minions: '*'
    - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
    - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
    - C: {{ ca.country }}
    - ST: {{ ca.state }}
    - L: {{ ca.locality }}
    - basicConstraints: "critical CA:false"
    - keyUsage: "critical cRLSign, keyCertSign"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: {{ ca.days_valid.certificate }}
    - copypath: /etc/pki/ca/{{ ca_name }}/certs/
{%- endfor %}