salt-formula/salt/minion/cert.sls

{%- from "salt/map.jinja" import minion with context %}
{%- if minion.enabled %}

{%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
{%- set rowloop = loop %}

/etc/ssl/private/{{ cert.common_name }}.key:
  x509.private_key_managed:
  - bits: 4096

{{ cert.common_name }}_rights:
  file.managed:
  - name: /etc/ssl/private/{{ cert.common_name }}.key
  - mode: 600
  - replace: False
  - require:
    - x509: /etc/ssl/private/{{ cert.common_name }}.key

/etc/ssl/certs/{{ cert.common_name }}.crt:
  x509.certificate_managed:
  - ca_server: {{ cert.host }}
  - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
  - public_key: /etc/ssl/private/{{ cert.common_name }}.key
  - CN: {{ cert.common_name }}
  {%- if cert.alternative_names is defined %}
  - subjectAltName: {{ cert.alternative_names }}
  {%- endif %}
  - days_remaining: 30
  - backup: True

{%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries')[cert.host].iteritems() %}

{%- if '/etc/pki/ca/'+cert.authority in ca_path %}

ca_cert_{{ cert.authority }}_{{ rowloop.index }}:
  x509.pem_managed:
  - name: /etc/ssl/certs/ca-{{ cert.authority }}.crt
  - text: {{ ca_cert|replace('\n', '') }}

{%- endif %}

{%- endfor %}

{%- endfor %}

{%- endif %}