salt.modules.tls

A salt module for SSL/TLS. Can create a Certificate Authority (CA) or use Self-Signed certificates.

depends:
  • PyOpenSSL Python module

configuration:

Add the following values in /etc/salt/minion for the CA module to function properly:

ca.cert_base_path: '/etc/pki'

salt.modules.tls.create_ca(ca_name, bits=2048, days=365, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='Salt Stack', OU=None, emailAddress='xyz@pdq.net')

Create a Certificate Authority (CA)

ca_name
name of the CA
bits
number of RSA key bits, default is 2048
days
number of days the CA will be valid, default is 365
CN
common name in the request, default is "localhost"
C
country, default is "US"
ST
state, default is "Utah"
L
locality, default is "Centerville", the city where SaltStack originated
O
organization, default is "Salt Stack"
OU
organizational unit, default is None
emailAddress
email address for the CA owner, default is 'xyz@pdq.net'

Writes out a CA certificate based upon defined config values. If the file already exists, the function just returns assuming the CA certificate already exists.

If the following values were set:

ca.cert_base_path='/etc/pki/koji'
ca_name='koji'

the resulting CA would be written in the following location:

/etc/pki/koji/koji_ca_cert.crt

CLI Example:

salt '*' tls.create_ca test_ca

salt.modules.tls.create_ca_signed_cert(ca_name, CN, days=365)

Create a Certificate (CERT) signed by a named Certificate Authority (CA)

ca_name
name of the CA
CN
common name matching the certificate signing request
days
number of days certificate is valid, default is 365 (1 year)

Writes out a Certificate (CERT). If the file already exists, the function just returns, assuming the CERT already exists.

The CN must match an existing CSR generated by create_csr. If it does not, this method does nothing.

CLI Example:

salt '*' tls.create_ca_signed_cert test localhost

salt.modules.tls.create_csr(ca_name, bits=2048, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='Salt Stack', OU=None, emailAddress='xyz@pdq.net')

Create a Certificate Signing Request (CSR) for a particular Certificate Authority (CA)

ca_name
name of the CA
bits
number of RSA key bits, default is 2048
CN
common name in the request, default is "localhost"
C
country, default is "US"
ST
state, default is "Utah"
L
locality, default is "Centerville", the city where SaltStack originated
O
organization, default is "Salt Stack" NOTE: must be the same as the CA certificate or an error will be raised
OU
organizational unit, default is None
emailAddress
email address for the request, default is 'xyz@pdq.net'

Writes out a Certificate Signing Request (CSR). If the file already exists, the function just returns, assuming the CSR already exists.

If the following values were set:

ca.cert_base_path='/etc/pki/koji'
ca_name='koji'
CN='test.egavas.org'

the resulting CSR, and corresponding key, would be written in the following location:

/etc/pki/koji/certs/test.egavas.org.csr
/etc/pki/koji/certs/test.egavas.org.key

CLI Example:

salt '*' tls.create_csr test

salt.modules.tls.create_pkcs12(ca_name, CN, passphrase='')

Create a PKCS#12 browser certificate for a particular Certificate (CN)

ca_name
name of the CA
CN
common name matching the certificate signing request
passphrase
used to unlock the PKCS#12 certificate when loaded into the browser

CLI Example:

salt '*' tls.create_pkcs12 test localhost

salt.modules.tls.create_self_signed_cert(tls_dir='tls', bits=2048, days=365, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='Salt Stack', OU=None, emailAddress='xyz@pdq.net')

Create a Self-Signed Certificate (CERT)

tls_dir
location appended to the ca.cert_base_path, default is 'tls'
bits
number of RSA key bits, default is 2048
CN
common name in the request, default is "localhost"
C
country, default is "US"
ST
state, default is "Utah"
L
locality, default is "Centerville", the city where SaltStack originated
O
organization, default is "Salt Stack" NOTE: must be the same as the CA certificate or an error will be raised
OU
organizational unit, default is None
emailAddress
email address for the request, default is 'xyz@pdq.net'

Writes out a Self-Signed Certificate (CERT). If the file already exists, the function just returns.

If the following values were set:

ca.cert_base_path='/etc/pki/koji'
tls_dir='koji'
CN='test.egavas.org'

the resulting CERT, and corresponding key, would be written in the following location:

/etc/pki/tls/certs/test.egavas.org.crt
/etc/pki/tls/certs/test.egavas.org.key

CLI Example:

salt '*' tls.create_self_signed_cert
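The workflow this page documents (create_ca, create_csr, create_ca_signed_cert and create_self_signed_cert), rebuilt as an added, self-contained example. It is not Salt's code and uses the `cryptography` package rather than the PyOpenSSL module the real functions depend on; `base_path` stands in for the `ca.cert_base_path` minion setting and `SCRATCH` is a throwaway directory so it runs anywhere. File names follow the layout described above (`<base>/<ca_name>/<ca_name>_ca_cert.crt`, `<base>/<ca_name>/certs/<CN>.csr` and `.key`, `<base>/<tls_dir>/certs/<CN>.crt`), each function returns early when its output file already exists, signing does nothing when no CSR exists for the CN, and the "O must match the CA certificate" note is implemented as a `ValueError` (an assumption about which error the module raises). `chain_ok`, the CSR signature check and the exact return strings are additions of this example; create_pkcs12 is not reproduced.

```python
# Added example (not Salt's own code): the documented CA/CSR/sign/self-signed workflow
# rebuilt on the `cryptography` package; base_path stands in for ca.cert_base_path.
import datetime
import tempfile
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM
SCRATCH = tempfile.mkdtemp()  # throwaway stand-in for '/etc/pki' so the example runs anywhere

def _subject(CN="localhost", C="US", ST="Utah", L="Salt Lake City", O="Salt Stack",
             OU=None, emailAddress="xyz@pdq.net"):
    # Same keyword arguments as the Salt functions, turned into an X.509 Name (OU skipped if None).
    oids = {NameOID.COUNTRY_NAME: C, NameOID.STATE_OR_PROVINCE_NAME: ST, NameOID.LOCALITY_NAME: L,
            NameOID.ORGANIZATION_NAME: O, NameOID.ORGANIZATIONAL_UNIT_NAME: OU,
            NameOID.COMMON_NAME: CN, NameOID.EMAIL_ADDRESS: emailAddress}
    return x509.Name([x509.NameAttribute(oid, val) for oid, val in oids.items() if val])

def _write(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def _load_cert(path):
    return x509.load_pem_x509_certificate(path.read_bytes())

def _new_key(key_path, bits):
    # Generate an RSA key and store it as unencrypted PEM; directory permissions must protect it.
    key = rsa.generate_private_key(65537, bits)
    _write(key_path, key.private_bytes(PEM, serialization.PrivateFormat.TraditionalOpenSSL,
                                       serialization.NoEncryption()))
    return key

def _sign(subject, issuer, public_key, signer_key, days, is_ca):
    # Build and sign an X.509 v3 certificate; BasicConstraints separates CA from leaf.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def _self_signed(crt, bits, days, is_ca, subject):
    # Shared by create_ca and create_self_signed_cert: fresh key, certificate signed by itself.
    key, name = _new_key(crt.with_suffix(".key"), bits), _subject(**subject)
    _write(crt, _sign(name, name, key.public_key(), key, days, is_ca).public_bytes(PEM))

def create_ca(base_path, ca_name, bits=2048, days=365, **subject):
    crt = Path(base_path, ca_name, f"{ca_name}_ca_cert.crt")  # layout the docs describe
    if crt.exists():  # docs: if the file already exists, just return
        return f'Certificate "{ca_name}" already exists'
    _self_signed(crt, bits, days, True, subject)
    return f'Created CA "{ca_name}"'

def create_csr(base_path, ca_name, bits=2048, **subject):
    cn = subject.get("CN", "localhost")
    csr_path = Path(base_path, ca_name, "certs", f"{cn}.csr")  # <CN>.key is written beside it
    if csr_path.exists():
        return f'Certificate Request "{cn}" already exists'
    key = _new_key(csr_path.with_suffix(".key"), bits)
    csr = x509.CertificateSigningRequestBuilder().subject_name(_subject(**subject))
    _write(csr_path, csr.sign(key, hashes.SHA256()).public_bytes(PEM))
    return f'Created CSR for "{cn}"'

def create_ca_signed_cert(base_path, ca_name, CN, days=365):
    certs = Path(base_path, ca_name, "certs")
    if (certs / f"{CN}.crt").exists():
        return f'Certificate "{CN}" already exists'
    if not (certs / f"{CN}.csr").exists():  # docs: no CSR generated for this CN -> do nothing
        return f'No CSR for "{CN}"; run create_csr first'
    ca_cert = _load_cert(Path(base_path, ca_name, f"{ca_name}_ca_cert.crt"))
    ca_key = serialization.load_pem_private_key(
        Path(base_path, ca_name, f"{ca_name}_ca_cert.key").read_bytes(), password=None)
    csr = x509.load_pem_x509_csr((certs / f"{CN}.csr").read_bytes())
    o = NameOID.ORGANIZATION_NAME  # docs: O must match the CA certificate or an error is raised
    if not csr.is_signature_valid or csr.subject.get_attributes_for_oid(o) != ca_cert.subject.get_attributes_for_oid(o):
        raise ValueError(f'CSR "{CN}": bad signature or organization (O) differs from CA "{ca_name}"')
    cert = _sign(csr.subject, ca_cert.subject, csr.public_key(), ca_key, days, False)
    _write(certs / f"{CN}.crt", cert.public_bytes(PEM))
    return f'Created Certificate for "{CN}"'

def create_self_signed_cert(base_path, tls_dir="tls", bits=2048, days=365, **subject):
    crt = Path(base_path, tls_dir, "certs", f"{subject.get('CN', 'localhost')}.crt")
    if crt.exists():
        return f'Certificate "{crt.stem}" already exists'
    _self_signed(crt, bits, days, False, subject)
    return f'Created Certificate "{crt.stem}"'

def chain_ok(base_path, ca_name, CN):
    # Does certs/<CN>.crt really carry the CA's signature? Raises InvalidSignature if not.
    ca_cert = _load_cert(Path(base_path, ca_name, f"{ca_name}_ca_cert.crt"))
    cert = _load_cert(Path(base_path, ca_name, "certs", f"{CN}.crt"))
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    return cert.issuer == ca_cert.subject
```

Calling `create_ca(SCRATCH, "koji")`, then `create_csr(SCRATCH, "koji", CN="test.egavas.org")` and `create_ca_signed_cert(SCRATCH, "koji", "test.egavas.org")` reproduces the `koji` example from the page, and `chain_ok` confirms the leaf was really issued by that CA; repeating any call returns the "already exists" message instead of overwriting keys, which is the behaviour the docs describe and the reason a state run over these functions is safe to re-apply. A CSR whose O differs from the CA's is refused before signing.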