salt-formula/salt/minion/ca.sls

{%- from "salt/map.jinja" import minion with context %}
{%- if minion.enabled %}

include:
- salt.minion.service

/etc/salt/minion.d/_pki.conf:
  file.managed:
  - source: salt://salt/files/_pki.conf
  - template: jinja
  - require:
    - {{ minion.install_state }}
  {%- if not grains.get('noservices', False) %}
  - watch_in:
    - service: salt_minion_service
  {%- endif %}

{%- for ca_name,ca in minion.ca.iteritems() %}

/etc/pki/ca/{{ ca_name }}/certs:
  file.directory:
  - makedirs: true

/etc/pki/ca/{{ ca_name }}/ca.key:
  x509.private_key_managed:
  - bits: 4096
  - backup: True
  - require:
    - file: /etc/pki/ca/{{ ca_name }}/certs

/etc/pki/ca/{{ ca_name }}/ca.crt:
  x509.certificate_managed:
  - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
  - CN: "{{ ca.common_name }}"
  {%- if ca.country is defined %}
  - C: {{ ca.country }}
  {%- endif %}
  {%- if ca.state is defined %}
  - ST: {{ ca.state }}
  {%- endif %}
  {%- if ca.locality is defined %}
  - L: {{ ca.locality }}
  {%- endif %}
  {%- if ca.organization is defined %}
  - O: {{ ca.organization }}
  {%- endif %}
  {%- if ca.organization_unit is defined %}
  - OU: {{ ca.organization_unit }}
  {%- endif %}
  - basicConstraints: "critical,CA:TRUE"
  - keyUsage: "critical,cRLSign,keyCertSign"
  - subjectKeyIdentifier: hash
  - authorityKeyIdentifier: keyid,issuer:always
  - days_valid: {{ ca.days_valid.authority }}
  - days_remaining: 0
  - backup: True
  - require:
    - x509: /etc/pki/ca/{{ ca_name }}/ca.key

salt_system_ca_mine_send_ca_{{ ca_name }}:
  module.run:
  - name: mine.send
  - func: x509.get_pem_entries
  - kwargs:
      glob_path: /etc/pki/ca/{{ ca_name }}/ca.crt
  - require:
    - x509: /etc/pki/ca/{{ ca_name }}/ca.crt

{%- endfor %}

{%- endif %}