|
- {%- from "salt/map.jinja" import minion with context %}
-
- x509_signing_policies:
- {%- for ca_name,ca in minion.ca.items() %}
- {%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
- {{ ca_name }}_{{ signing_policy_name }}:
- - minions: '{{ signing_policy.minions }}'
- - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
- - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
- - C: {{ ca.country }}
- - ST: {{ ca.state }}
- - L: {{ ca.locality }}
- {%- if signing_policy.type == 'v3_edge_cert_client' %}
- - basicConstraints: "CA:FALSE"
- - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
- - extendedKeyUsage: "critical clientAuth"
- {%- elif signing_policy.type == 'v3_edge_cert_server' %}
- - basicConstraints: "CA:FALSE"
- - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
- - extendedKeyUsage: "critical,serverAuth"
- {%- elif signing_policy.type == 'v3_intermediate_ca' %}
- - basicConstraints: "CA:TRUE"
- - keyUsage: "critical cRLSign,keyCertSign"
- {%- elif signing_policy.type == 'v3_edge_ca' %}
- - basicConstraints: "CA:TRUE,pathlen:0"
- - keyUsage: "critical cRLSign,keyCertSign"
- {%- endif %}
- - subjectKeyIdentifier: hash
- - authorityKeyIdentifier: keyid,issuer:always
- - days_valid: {{ ca.days_valid.certificate }}
- - copypath: /etc/pki/ca/{{ ca_name }}/certs/
- {%- endfor %}
- {%- endfor %}
|