salt-formula/salt/files/_pki.conf

{%- from "salt/map.jinja" import minion with context %}

x509_signing_policies:
{%- for ca_name,ca in minion.ca.items() %}
{%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
  {{ ca_name }}_{{ signing_policy_name }}:
    - minions: '{{ signing_policy.minions }}'
    - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
    - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
    {%- if ca.country is defined %}
    - C: {{ ca.country }}
    {%- endif %}
    {%- if ca.state is defined %}
    - ST: {{ ca.state }}
    {%- endif %}
    {%- if ca.locality is defined %}
    - L: {{ ca.locality }}
    {%- endif %}
    {%- if ca.organization is defined %}
    - O: {{ ca.organization }}
    {%- endif %}
    {%- if ca.organization_unit is defined %}
    - OU: {{ ca.organization_unit }}
    {%- endif %}
    {%- if signing_policy.type == 'v3_edge_cert_client' %}
    - basicConstraints: "CA:FALSE"
    - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
    - extendedKeyUsage: "critical clientAuth"
    {%- elif signing_policy.type == 'v3_edge_cert_server' %}
    - basicConstraints: "CA:FALSE"
    - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
    - extendedKeyUsage: "critical,serverAuth"
    {%- elif signing_policy.type == 'v3_intermediate_ca' %}
    - basicConstraints: "CA:TRUE"
    - keyUsage: "critical cRLSign,keyCertSign"
    {%- elif signing_policy.type == 'v3_edge_ca' %}
    - basicConstraints: "CA:TRUE,pathlen:0"
    - keyUsage: "critical cRLSign,keyCertSign"
    {%- elif signing_policy.type == 'v3_edge_cert_open' %}
    - basicConstraints: "CA:FALSE"
    {%- endif %}
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: {{ ca.days_valid.certificate }}
    - copypath: /etc/pki/ca/{{ ca_name }}/certs/
{%- endfor %}
{%- endfor %}