Classes
openssl: Installs openssl and ensures bundled certificate list is world readable
openssl::certificates: Generates x509 certificates based on class parameters
openssl::configs: Generates openssl.conf files using manually set defaults or defaults from openssl::config
openssl::packages: Sets up packages for openssl
Defined types
openssl::certificate::x509: Creates a certificate, key and CSR according to the data provided.
openssl::config: Generates an openssl.conf file using defaults
openssl::dhparam: Creates Diffie-Hellman parameters.
openssl::export::pem_cert: Export certificate(s) to PEM/x509 format
openssl::export::pem_key: Export a key to PEM format
openssl::export::pkcs12: Export a key pair to PKCS12 format
Resource types
cert_file: Manages X.509 certificate files downloaded from a source location, saved in the specified format.
dhparam: A Diffie-Hellman parameter file
ssl_pkey: An SSL private key
x509_cert: An x509 certificate
x509_request: An x509 certificate signing request
Functions
openssl::cert_aia_caissuers: Extracts the caIssuers entry from the Authority Information Access extension of an X509 certificate
openssl::cert_date_valid: Checks SSL certificate date validity.
openssl
Installs openssl and ensures bundled certificate list is world readable
class { 'openssl':
  package_name           => 'openssl-othername',
  package_ensure         => latest,
  ca_certificates_ensure => latest,
}
The following parameters are available in the openssl
class:
package_name
Data type: Optional[String[1]]
openssl package name
Default value: undef
package_ensure
Data type: String[1]
openssl package ensure
Default value: installed
ca_certificates_ensure
Data type: String[1]
ca-certificates package ensure
Default value: installed
openssl::certificates
Generates x509 certificates based on class parameters
class { 'openssl::certificates':
  x509_certs => {
    '/path/to/certificate.crt' => { ensure      => 'present',
                                    password    => 'j(D$',
                                    template    => '/other/path/to/template.cnf',
                                    private_key => '/there/is/my/private.key',
                                    days        => 4536,
                                    force       => false, },
    '/a/other/certificate.crt' => { ensure => 'present', },
  }
}
The following parameters are available in the openssl::certificates
class:
x509_certs
Data type: Hash
Hash of openssl::certificate::x509 resources to create, keyed by certificate path
Default value: {}
openssl::configs
Generates openssl.conf files using manually set defaults or defaults from openssl::config
class { 'openssl::configs':
  country   => 'mycountry',
  conffiles => {
    '/path/to/openssl.conf'  => { ensure       => 'present',
                                  commonname   => 'somewhere.org',
                                  organization => 'myorg' },
    '/a/other/openssl.conf'  => { ensure       => 'present',
                                  commonname   => 'somewhere.else.org',
                                  organization => 'myotherorg' },
  }
}
The following parameters are available in the openssl::configs
class:
owner
Data type: Optional[String[1]]
default owner for the configuration files
Default value: undef
group
Data type: Optional[String[1]]
default group for the configuration files
Default value: undef
mode
Data type: Optional[String[1]]
default mode for the configuration files
Default value: undef
country
Data type: Optional[String[1]]
default value for country
Default value: undef
state
Data type: Optional[String[1]]
default value for state
Default value: undef
locality
Data type: Optional[String[1]]
default value for locality
Default value: undef
organization
Data type: Optional[String[1]]
default value for organization
Default value: undef
unit
Data type: Optional[String[1]]
default value for unit
Default value: undef
email
Data type: Optional[String[1]]
default value for email
Default value: undef
default_bits
Data type: Optional[Integer]
default key size to generate
Default value: undef
default_md
Data type: Optional[String[1]]
default message digest to use
Default value: undef
default_keyfile
Data type: Optional[String[1]]
default name for the keyfile
Default value: undef
basicconstraints
Data type: Optional[Array]
default version 3 certificate extension basic constraints
Default value: undef
extendedkeyusages
Data type: Optional[Array]
default version 3 certificate extension extended key usage
Default value: undef
keyusages
Data type: Optional[Array]
default version 3 certificate extension key usage
Default value: undef
subjectaltnames
Data type: Optional[Array]
default version 3 certificate extension for alternative names; currently supported are IP (v4) and DNS
Default value: undef
conffiles
Data type: Hash
config files to generate
Default value: {}
openssl::packages
Sets up packages for openssl
openssl::certificate::x509
Creates a certificate, key and CSR according to the data provided.
openssl::certificate::x509 { 'foo.bar':
  ensure       => present,
  country      => 'CH',
  organization => 'Example.com',
  commonname   => $fqdn,
  base_dir     => '/var/www/ssl',
  owner        => 'www-data',
}
This will create files "foo.bar.cnf", "foo.bar.crt", "foo.bar.key"
and "foo.bar.csr" in /var/www/ssl/.
All files will belong to user "www-data".
Those files can be used as is for apache, openldap and so on.
If you wish to ensure a key is read-only to a process:
set $key_group to match the group of the process,
and set $key_mode to '0640'.
The following parameters are available in the openssl::certificate::x509
defined type:
ensure
Data type: Enum['present', 'absent']
ensure whether the certificate and its config are present or not
Default value: present
country
Data type: Optional[String]
certificate countryName
Default value: undef
state
Data type: Optional[String]
certificate stateOrProvinceName
Default value: undef
locality
Data type: Optional[String]
certificate localityName
Default value: undef
commonname
Data type: Optional[String]
certificate CommonName
Default value: undef
altnames
Data type: Array
certificate subjectAltName. Can be an array or a single string.
Default value: []
extkeyusage
Data type: Array
certificate extended key usage
Value | Meaning
---|---
serverAuth | SSL/TLS Web Server Authentication
clientAuth | SSL/TLS Web Client Authentication
codeSigning | Code signing
emailProtection | E-mail Protection (S/MIME)
timeStamping | Trusted Timestamping
OCSPSigning | OCSP Signing
ipsecIKE | ipsec Internet Key Exchange
msCodeInd | Microsoft Individual Code Signing (authenticode)
msCodeCom | Microsoft Commercial Code Signing (authenticode)
msCTLSign | Microsoft Trust List Signing
msEFS | Microsoft Encrypted File System
Default value: []
organization
Data type: Optional[String]
certificate organizationName
Default value: undef
unit
Data type: Optional[String]
certificate organizationalUnitName
Default value: undef
email
Data type: Optional[String]
certificate emailAddress
Default value: undef
days
Data type: Integer
certificate validity in days
Default value: 365
base_dir
Data type: Stdlib::Absolutepath
where cnf, crt, csr and key should be placed. Directory must exist
Default value: '/etc/ssl/certs'
key_size
Data type: Integer
Size of the key to generate.
Default value: 3072
owner
Data type: Variant[String, Integer]
cnf, crt, csr and key owner. User must exist
Default value: 'root'
group
Data type: Variant[String, Integer]
cnf, crt, csr and key group. Group must exist
Default value: 'root'
key_owner
Data type: Variant[String, Integer]
key owner. User must exist. defaults to $owner
Default value: $owner
key_group
Data type: Variant[String, Integer]
key group. Group must exist. defaults to $group
Default value: $group
key_mode
Data type: Stdlib::Filemode
key file mode.
Default value: '0600'
password
Data type: Optional[String]
private key password. undef means no passphrase will be used to encrypt the private key.
Default value: undef
force
Data type: Boolean
whether to override certificate and request if the private key changes
Default value: true
cnf_dir
Data type: Stdlib::Absolutepath
where cnf should be placed. Directory must exist, defaults to $base_dir.
Default value: $base_dir
crt_dir
Data type: Stdlib::Absolutepath
where crt should be placed. Directory must exist, defaults to $base_dir.
Default value: $base_dir
csr_dir
Data type: Stdlib::Absolutepath
where csr should be placed. Directory must exist, defaults to $base_dir.
Default value: $base_dir
key_dir
Data type: Stdlib::Absolutepath
where key should be placed. Directory must exist, defaults to $base_dir.
Default value: $base_dir
cnf
Data type: Stdlib::Absolutepath
override cnf path entirely. Directory must exist, defaults to $cnf_dir/$title.cnf
Default value: "${cnf_dir}/${name}.cnf"
crt
Data type: Stdlib::Absolutepath
override crt path entirely. Directory must exist, defaults to $crt_dir/$title.crt
Default value: "${crt_dir}/${name}.crt"
csr
Data type: Stdlib::Absolutepath
override csr path entirely. Directory must exist, defaults to $csr_dir/$title.csr
Default value: "${csr_dir}/${name}.csr"
key
Data type: Stdlib::Absolutepath
override key path entirely. Directory must exist, defaults to $key_dir/$title.key
Default value: "${key_dir}/${name}.key"
encrypted
Data type: Boolean
Flag requesting the exported key to be unencrypted by specifying the -nodes option during the CSR generation. Turning off encryption is needed by some applications, such as OpenLDAP. Defaults to true (key is encrypted)
Default value: true
ca
Data type: Optional[Stdlib::Absolutepath]
Path to CA certificate for signing. Undef means no CA will be provided for signing the certificate.
Default value: undef
cakey
Data type: Optional[Stdlib::Absolutepath]
Path to CA private key for signing. Undef means no CA key will be provided.
Default value: undef
cakey_password
Data type: Optional[Variant[Sensitive[String[1]], String[1]]]
Optional password that has encrypted the CA key.
Default value: undef
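The password, encrypted and key_mode parameters above map onto plain OpenSSL key handling. The Ruby below is an added example written for this page, not code from the puppet-openssl module: it shows the difference between a passphrase-encrypted key PEM (what password does) and a cleartext one (encrypted => false, i.e. -nodes), what happens when the wrong passphrase is supplied, and the 0600 file mode the module uses for keys by default. The passphrases, file name and temporary directory are constructed for the example.

```ruby
require 'openssl'
require 'tmpdir'

# Added example, not part of the puppet-openssl module: what the `password`,
# `encrypted` and `key_mode` parameters of openssl::certificate::x509 amount
# to at the OpenSSL level. Passphrases and paths below are constructed.

# Serialize a private key as PEM. With a passphrase the PEM is encrypted with
# AES-256-CBC (the effect of `password => '...'`); without one the key is
# stored in clear, which is what `encrypted => false` / `openssl req -nodes` does.
def key_to_pem(key, passphrase = nil)
  return key.to_pem if passphrase.nil?
  key.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), passphrase)
end

# A cleartext key PEM carries no ENCRYPTED marker; both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
# banner contain the word, so this check covers either output format.
def pem_encrypted?(pem)
  pem.include?('ENCRYPTED')
end

# Load a key PEM with the given passphrase; nil when the passphrase is wrong.
# A passphrase is always handed to OpenSSL (a dummy one for cleartext keys)
# so that it never falls back to prompting on the terminal.
def load_key(pem, passphrase)
  OpenSSL::PKey::RSA.new(pem, passphrase || 'unused-passphrase')
rescue OpenSSL::PKey::PKeyError
  nil
end

# Write the PEM with the restrictive mode the module defaults to for keys
# (key_mode '0600'); returns the permission bits of the file that was created.
# The explicit chmod makes the result independent of the process umask.
def write_key_file(path, pem, mode = 0o600)
  File.open(path, 'w', mode) { |f| f.write(pem) }
  File.chmod(mode, path)
  File.stat(path).mode & 0o777
end

# Run the whole flow in a temporary directory and return the observations.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  clear_pem = key_to_pem(key)
  enc_pem = key_to_pem(key, 'correct horse battery')
  reloaded = load_key(enc_pem, 'correct horse battery')
  result = {
    clear_encrypted: pem_encrypted?(clear_pem),
    enc_encrypted: pem_encrypted?(enc_pem),
    right_pass_matches: !reloaded.nil? && reloaded.public_key.to_der == key.public_key.to_der,
    wrong_pass_rejected: load_key(enc_pem, 'wrong-passphrase').nil?,
  }
  Dir.mktmpdir do |dir|
    result[:mode] = format('%04o', write_key_file(File.join(dir, 'demo.key'), enc_pem))
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The check for a wrong passphrase is the one worth keeping in mind when a service such as OpenLDAP must load the key unattended: an encrypted key that cannot be decrypted at start-up is why the module documents encrypted => false for those cases.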
openssl::config
Generates an openssl.conf file using defaults
openssl::config { '/path/to/openssl.conf':
  ensure       => 'present',
  commonname   => 'somewhere.org',
  country      => 'mycountry',
  organization => 'myorg',
}
The following parameters are available in the openssl::config
defined type:
ensure
Data type: Enum['absent','present']
ensure parameter for configfile; defaults to present
Default value: 'present'
commonname
Data type: Optional[Variant[String[1], Array[String[1]]]]
commonname for config file
Default value: undef
country
Data type: Optional[String[1]]
value for country
Default value: undef
organization
Data type: Optional[String[1]]
value for organization
Default value: undef
owner
Data type: Variant[String[1],Integer]
owner for the configuration file
Default value: 'root'
group
Data type: Variant[String[1],Integer]
group for the configuration file
Default value: 'root'
mode
Data type: Stdlib::Filemode
mode for the configuration file
Default value: '0640'
state
Data type: Optional[String[1]]
value for state
Default value: undef
locality
Data type: Optional[String[1]]
value for locality
Default value: undef
unit
Data type: Optional[String[1]]
value for unit
Default value: undef
email
Data type: Optional[String[1]]
value for email
Default value: undef
default_bits
Data type: Integer
key size to generate
Default value: 4096
default_md
Data type: String[1]
message digest to use
Default value: 'sha512'
default_keyfile
Data type: String[1]
name for the keyfile
Default value: 'privkey.pem'
basicconstraints
Data type: Array
version 3 certificate extension basic constraints
Default value: []
extendedkeyusages
Data type: Array
version 3 certificate extension extended key usage
Default value: []
keyusages
Data type: Array
version 3 certificate extension key usage
Default value: []
subjectaltnames
Data type: Array
version 3 certificate extension for alternative names; currently supported are IP (v4) and DNS
Default value: []
openssl::dhparam
Creates Diffie-Hellman parameters.
The following parameters are available in the openssl::dhparam
defined type:
path
Data type: Stdlib::Absolutepath
path to write DH parameters to
Default value: $name
ensure
Data type: Enum['present', 'absent']
ensure whether the DH parameters file is present or absent
Default value: present
size
Data type: Integer[1]
number of bits for the parameter set
Default value: 2048
owner
Data type: Variant[String, Integer]
file owner. User must exist
Default value: 'root'
group
Data type: Variant[String, Integer]
file group. Group must exist
Default value: 'root'
mode
Data type: String
file mode.
Default value: '0644'
fastmode
Data type: Boolean
Use "fastmode" for dhparam generation
Default value: false
openssl::export::pem_cert
Export certificate(s) to PEM/x509 format
The following parameters are available in the openssl::export::pem_cert
defined type:
dynamic
Data type: Boolean
dynamically renew certificate file
Default value: false
ensure
Data type: Enum['present', 'absent']
Whether the certificate file should exist
Default value: present
resources
Data type: Variant[Type, Array[Type]]
List of resources to subscribe to for certificate file renewal
Default value: []
pfx_cert
Data type: Optional[Stdlib::Absolutepath]
PFX certificate/key container
Default value: undef
der_cert
Data type: Optional[Stdlib::Absolutepath]
DER certificate
Default value: undef
pem_cert
Data type: Stdlib::Absolutepath
PEM/x509 certificate
Default value: $title
in_pass
Data type: Optional[String]
PFX password
Default value: undef
openssl::export::pem_key
Export a key to PEM format
The following parameters are available in the openssl::export::pem_key
defined type:
pfx_cert
Data type: Stdlib::Absolutepath
PFX certificate/key container
pem_key
Data type: Stdlib::Absolutepath
PEM key
Default value: $title
dynamic
Data type: Boolean
dynamically renew key file
Default value: false
ensure
Data type: Enum['present', 'absent']
Whether the keyfile should exist
Default value: present
resources
Data type: Variant[Type, Array[Type]]
List of resources to subscribe to for key renewal
Default value: []
in_pass
Data type: Optional[String]
PFX container password
Default value: undef
out_pass
Data type: Optional[String]
PEM key password
Default value: undef
openssl::export::pkcs12
Export a key pair to PKCS12 format
The following parameters are available in the openssl::export::pkcs12
defined type:
basedir
Data type: Stdlib::Absolutepath
Directory where you want the export to be done. Must exist
pkey
Data type: Stdlib::Absolutepath
Private key
cert
Data type: Stdlib::Absolutepath
Certificate
dynamic
Data type: Boolean
dynamically renew PKCS12 file
Default value: false
ensure
Data type: Enum['present', 'absent']
Whether the PKCS12 file should exist
Default value: present
resources
Data type: Variant[Type, Array[Type]]
List of resources to subscribe to for PKCS12 renewal
Default value: []
pkey_pass
Data type: Optional[String]
Private key password
Default value: undef
out_pass
Data type: Optional[String]
PKCS12 password
Default value: undef
chaincert
Data type: Optional[String]
Chain certificate to include in pkcs12
Default value: undef
cert_file
Manages X.509 certificate files downloaded from a source location, saved in the specified format.
The following properties are available in the cert_file
type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the cert_file
type.
format
Valid values: der, pem
Format in which the loaded certificate should be written to file.
Default value: pem
path
Path to the file to manage
provider
The specific backend to use for this cert_file
resource. You will seldom need to specify this --- Puppet will usually
discover the appropriate provider for your platform.
source
The source file
dhparam
A Diffie-Hellman parameter file
The following properties are available in the dhparam
type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the dhparam
type.
fastmode
Enable fast mode
Default value: false
path
The path of the file
provider
The specific backend to use for this dhparam
resource. You will seldom need to specify this --- Puppet will usually
discover the appropriate provider for your platform.
size
Valid values: %r{\d+}
The key size
Default value: 512
ssl_pkey
An SSL private key
The following properties are available in the ssl_pkey
type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the ssl_pkey
type.
authentication
Valid values: rsa, ec
The authentication algorithm
Default value: rsa
curve
The EC curve
Default value: secp384r1
password
The optional password for the key
path
The path to the key
provider
The specific backend to use for this ssl_pkey
resource. You will seldom need to specify this --- Puppet will usually
discover the appropriate provider for your platform.
size
Valid values: %r{\d+}
The key size for RSA keys
Default value: 2048
x509_cert
An x509 certificate
The following properties are available in the x509_cert
type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the x509_cert
type.
ca
The optional CA certificate filepath
cakey
The optional CA private key filepath
cakey_password
The optional CA key password
csr
The optional certificate signing request path
days
Valid values: %r{\d+}
The validity of the certificate in days
Default value: 3650
force
Valid values: true, false
Whether to replace the certificate if the private key mismatches
Default value: false
password
The optional password for the private key
path
The path to the certificate
private_key
The path to the private key
provider
The specific backend to use for this x509_cert
resource. You will seldom need to specify this --- Puppet will usually
discover the appropriate provider for your platform.
req_ext
Valid values: true, false, yes, no
Whether to add the v3 SAN extension from the config
Default value: false
template
The template to use
x509_request
An x509 certificate signing request
The following properties are available in the x509_request
type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the x509_request
type.
encrypted
Valid values: true, false
Whether to generate the key unencrypted. This is needed by some applications like OpenLDAP
Default value: true
force
Valid values: true, false
Whether to replace the certificate if the private key mismatches
Default value: false
password
The optional password for the private key
path
The path of the certificate signing request
private_key
The path of the private key
provider
The specific backend to use for this x509_request
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
template
The template to use
openssl::cert_aia_caissuers
Type: Ruby 4.x API
Reads the x509v3 extensions of an X509 certificate, searches for the Authority Information Access extension and returns the contents of its caIssuers access method. For details see RFC 5280, section 4.2.2.
Parameter: path to ssl certificate
Returns: Any
contents of the caIssuers access method of the authorityInfoAccess extension, or nil if not found
Data type: String
Path to the certificate to inspect
openssl::cert_date_valid
Type: Ruby 4.x API
Checks SSL certificate date validity.
Parameter: path to ssl certificate
Returns: Any
false if the certificate is expired or not yet valid,
Data type: String
The certificate file to check.
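The two functions above inspect a certificate's authorityInfoAccess extension and its validity window, and openssl::export::pkcs12 / openssl::export::pem_cert move the same material in and out of a PKCS#12 container. The Ruby below is an added example written for this page, not the module's own functions or the module's Ruby: it builds a CA and a leaf certificate in memory with a caIssuers entry, extracts that entry by walking the extension's ASN.1 (the same structure RFC 5280 section 4.2.2.1 defines), checks the validity dates against a given clock, and round-trips the leaf through a PKCS#12 export back to PEM. The certificate names, the URL, the passphrase and the validity periods are constructed for the example; the seconds-remaining return value of the date check is this example's choice for the "valid" case, the page only states the false case.

```ruby
require 'openssl'

# Added example, not part of the puppet-openssl module. Builds a CA and a leaf
# certificate in memory, exports the leaf as PKCS#12 (the container
# openssl::export::pkcs12 writes and openssl::export::pem_cert reads back) and
# re-implements what openssl::cert_aia_caissuers and openssl::cert_date_valid
# look at, on a certificate object instead of a file path.
# All names, the URL and the validity periods below are constructed.

AIA_URL = 'http://pki.example.test/ca.crt'.freeze    # constructed caIssuers location
CA_ISSUERS_OID = '1.3.6.1.5.5.7.48.2'.freeze         # id-ad-caIssuers (RFC 5280)

# Build and sign an X.509v3 certificate; issuer_cert nil means self-signed.
def build_cert(subject, key, signer_key, serial:, not_before:, not_after:, issuer_cert: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                    # zero-based, so 2 == v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
    # Authority Information Access carrying a caIssuers access method
    cert.add_extension(ef.create_extension('authorityInfoAccess', "caIssuers;URI:#{AIA_URL}"))
  end
  cert.sign(signer_key, OpenSSL::Digest.new('SHA256'))
end

# Return the caIssuers location of the authorityInfoAccess extension, or nil.
#   AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
#   AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
def cert_aia_caissuers(cert)
  ext = cert.extensions.find { |e| e.oid == 'authorityInfoAccess' }
  return nil unless ext
  # Extension DER is SEQUENCE { OID, [critical], OCTET STRING }; the payload is last.
  payload = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(payload).value.each do |access_description|
    method, location = access_description.value
    # uniformResourceIdentifier is [6] IMPLICIT IA5String; its value is the raw URI
    return location.value if method.oid == CA_ISSUERS_OID
  end
  nil
end

# false when the certificate is expired or not yet valid at `now`,
# otherwise the number of seconds of validity left (this example's choice).
def cert_date_valid(cert, now = Time.now)
  return false if now < cert.not_before || now > cert.not_after
  cert.not_after.to_i - now.to_i
end

# Run the whole flow and return the observations as a Hash.
def demo(now = Time.now)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert('/CN=Example Test CA', ca_key, ca_key, serial: 1,
                  not_before: now - 60, not_after: now + 10 * 365 * 86_400, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = build_cert('/CN=www.example.test', leaf_key, ca_key, serial: 2, issuer_cert: ca,
                    not_before: now - 60, not_after: now + 365 * 86_400)
  expired = build_cert('/CN=old.example.test', leaf_key, ca_key, serial: 3, issuer_cert: ca,
                       not_before: now - 2 * 86_400, not_after: now - 86_400)
  # What `openssl pkcs12 -export` produces, then what `-nokeys` / `-nocerts` read back.
  p12 = OpenSSL::PKCS12.create('export-pass', 'www.example.test', leaf_key, leaf, [ca])
  reloaded = OpenSSL::PKCS12.new(p12.to_der, 'export-pass')
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  {
    caissuers: cert_aia_caissuers(leaf),
    ca_has_aia: !cert_aia_caissuers(ca).nil?,
    leaf_valid: cert_date_valid(leaf, now),
    expired_valid: cert_date_valid(expired, now),
    p12_subject: reloaded.certificate.subject.to_s,
    p12_chain_len: reloaded.ca_certs.size,
    chain_verifies: store.verify(reloaded.certificate),
    pem_from_pfx: reloaded.certificate.to_pem.start_with?('-----BEGIN CERTIFICATE-----'),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The ASN.1 walk is deliberate: matching on the extension's human-readable value ("CA Issuers - URI:...") depends on OpenSSL's printing format, while the OID comparison does not, which matters if the extracted URL feeds into chain building or monitoring.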