Salt PKI proper x509v3 cert extensions

salt/files/_pki.conf

@@ -2,17 +2,32 @@
 
 x509_signing_policies:
 {%- for ca_name,ca in minion.ca.items() %}
-  {{ ca_name }}:
-    - minions: '*'
+{%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
+  {{ ca_name }}_{{ signing_policy_name }}:
+    - minions: '{{ signing_policy.minions }}'
     - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
     - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
     - C: {{ ca.country }}
     - ST: {{ ca.state }}
     - L: {{ ca.locality }}
-    - basicConstraints: "critical CA:false"
-    - keyUsage: "critical cRLSign, keyCertSign"
+    {%- if signing_policy.type == 'v3_edge_cert_client' %}
+    - basicConstraints: "CA:FALSE"
+    - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
+    - extendedKeyUsage: "critical clientAuth"
+    {%- elif signing_policy.type == 'v3_edge_cert_server' %}
+    - basicConstraints: "CA:FALSE"
+    - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
+    - extendedKeyUsage: "critical,serverAuth"
+    {%- elif signing_policy.type == 'v3_intermediate_ca' %}
+    - basicConstraints: "CA:TRUE"
+    - keyUsage: "critical cRLSign,keyCertSign"
+    {%- elif signing_policy.type == 'v3_edge_ca' %}
+    - basicConstraints: "CA:TRUE,pathlen:0"
+    - keyUsage: "critical cRLSign,keyCertSign"
+    {%- endif %}
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: {{ ca.days_valid.certificate }}
     - copypath: /etc/pki/ca/{{ ca_name }}/certs/
 {%- endfor %}
+{%- endfor %}

salt/minion/ca.sls

@@ -33,8 +33,8 @@ include:
   - C: {{ ca.country }}
   - ST: {{ ca.state }}
   - L: {{ ca.locality }}
-  - basicConstraints: "critical CA:true"
-  - keyUsage: "critical cRLSign, keyCertSign"
+  - basicConstraints: "critical,CA:TRUE"
+  - keyUsage: "critical,cRLSign,keyCertSign"
   - subjectKeyIdentifier: hash
   - authorityKeyIdentifier: keyid,issuer:always
   - days_valid: {{ ca.days_valid.authority }}

salt/minion/cert.sls

@@ -5,9 +5,11 @@ include:
 - salt.minion.service
 
 {%- for cert_name,cert in minion.cert.iteritems() %}
+{%- set rowloop = loop %}
 
-/etc/pki/cert/{{ cert.authority }}:
+ca_dir_{{ cert.authority }}_{{ loop.index }}:
   file.directory:
+  - name: /etc/pki/cert/{{ cert.authority }}
   - makedirs: true
 
 /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key:
@@ -17,7 +19,7 @@ include:
 /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt:
   x509.certificate_managed:
   - ca_server: {{ cert.host }}
-  - signing_policy: {{ cert.authority }}
+  - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
   - public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key
   - CN: {{ cert.common_name }}
   - days_remaining: 30
@@ -27,8 +29,9 @@ include:
 
 {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
 
-/etc/pki/cert/{{ cert.authority }}/ca.crt:
+ca_cert_{{ cert.authority }}_{{ rowloop.index }}:
   x509.pem_managed:
+  - name: /etc/pki/cert/{{ cert.authority }}/ca.crt
   - text: {{ ca_cert|replace('\n', '') }}
 
 {%- endif %}

tests/pillar/minion_pki_ca.sls

@@ -10,3 +10,16 @@ salt:
         days_valid:
           authority: 3650
           certificate: 90
+        signing_policy:
+          cert_server:
+            type: v3_edge_cert_server
+            minions: '*'
+          cert_client:
+            type: v3_edge_cert_client
+            minions: '*'
+          ca_edge:
+            type: v3_edge_ca
+            minions: '*'
+          ca_intermediate:
+            type: v3_intermediate_ca
+            minions: '*'

tests/pillar/minion_pki_cert.sls

@@ -2,7 +2,18 @@ salt:
   minion:
     enabled: true
     cert:
-      test_service:
+      test_server:
         host: minion.with.ca
+        signing_policy: cert_server
         authority: Company CA
-        common_name: test.service.domain.tld
+        common_name: test.server.domain.tld
+      test_client:
+        host: minion.with.ca
+        signing_policy: cert_client
+        authority: Company CA
+        common_name: test.client.domain.tld
+      test_edge_ca:
+        host: minion.with.ca
+        signing_policy: ca_edge
+        authority: Company CA
+        common_name: test.ca.domain.tld