New version of salt-formula from Saltstack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

34 satır
1.4KB

  1. {%- from "salt/map.jinja" import minion with context %}
  2. x509_signing_policies:
  3. {%- for ca_name,ca in minion.ca.items() %}
  4. {%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
  5. {{ ca_name }}_{{ signing_policy_name }}:
  6. - minions: '{{ signing_policy.minions }}'
  7. - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
  8. - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
  9. - C: {{ ca.country }}
  10. - ST: {{ ca.state }}
  11. - L: {{ ca.locality }}
  12. {%- if signing_policy.type == 'v3_edge_cert_client' %}
  13. - basicConstraints: "CA:FALSE"
  14. - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
  15. - extendedKeyUsage: "critical clientAuth"
  16. {%- elif signing_policy.type == 'v3_edge_cert_server' %}
  17. - basicConstraints: "CA:FALSE"
  18. - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
  19. - extendedKeyUsage: "critical,serverAuth"
  20. {%- elif signing_policy.type == 'v3_intermediate_ca' %}
  21. - basicConstraints: "CA:TRUE"
  22. - keyUsage: "critical cRLSign,keyCertSign"
  23. {%- elif signing_policy.type == 'v3_edge_ca' %}
  24. - basicConstraints: "CA:TRUE,pathlen:0"
  25. - keyUsage: "critical cRLSign,keyCertSign"
  26. {%- endif %}
  27. - subjectKeyIdentifier: hash
  28. - authorityKeyIdentifier: keyid,issuer:always
  29. - days_valid: {{ ca.days_valid.certificate }}
  30. - copypath: /etc/pki/ca/{{ ca_name }}/certs/
  31. {%- endfor %}
  32. {%- endfor %}