salt.modules.tls¶

A salt module for SSL/TLS. Can create a Certificate Authority (CA) or use Self-Signed certificates.

depends:	PyOpenSSL Python module
configuration:	Add the following values in /etc/salt/minion for the CA module to function properly: ca.cert_base_path: '/etc/pki'

salt.modules.tls.create_ca(ca_name, bits=2048, days=365, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='Salt Stack', OU=None, emailAddress='xyz@pdq.net')¶

Create a Certificate Authority (CA)

ca_name: name of the CA
bits: number of RSA key bits, default is 2048
days: number of days the CA will be valid, default is 365
CN: common name in the request, default is "localhost"
C: country, default is "US"
ST: state, default is "Utah"
L: locality, default is "Centerville", the city where SaltStack originated
O: organization, default is "Salt Stack"
OU: organizational unit, default is None
emailAddress: email address for the CA owner, default is 'xyz@pdq.net'

Writes out a CA certificate based upon defined config values. If the file already exists, the function just returns assuming the CA certificate already exists.

If the following values were set:

ca.cert_base_path='/etc/pki/koji' ca_name='koji'

the resulting CA would be written in the following location:

/etc/pki/koji/koji_ca_cert.crt

CLI Example:

salt '*' tls.create_ca test_ca

salt.modules.tls.create_ca_signed_cert(ca_name, CN, days=365)¶

Create a Certificate (CERT) signed by a named Certificate Authority (CA)

ca_name: name of the CA
CN: common name matching the certificate signing request
days: number of days certificate is valid, default is 365 (1 year)

Writes out a Certificate (CERT) If the file already exists, the function just returns assuming the CERT already exists.

The CN must match an existing CSR generated by create_csr. If it does not, this method does nothing.

CLI Example:

salt '*' tls.create_ca_signed_cert test localhost

salt.modules.tls.create_csr(ca_name, bits=2048, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='Salt Stack', OU=None, emailAddress='xyz@pdq.net')¶

Create a Certificate Signing Request (CSR) for a particular Certificate Authority (CA)

ca_name: name of the CA
bits: number of RSA key bits, default is 2048
CN: common name in the request, default is "localhost"
C: country, default is "US"
ST: state, default is "Utah"
L: locality, default is "Centerville", the city where SaltStack originated
O: organization, default is "Salt Stack" NOTE: Must the same as CA certificate or an error will be raised
OU: organizational unit, default is None
emailAddress: email address for the request, default is 'xyz@pdq.net'

Writes out a Certificate Signing Request (CSR) If the file already exists, the function just returns assuming the CSR already exists.

If the following values were set:

ca.cert_base_path='/etc/pki/koji' ca_name='koji' CN='test.egavas.org'

the resulting CSR, and corresponding key, would be written in the following location:

/etc/pki/koji/certs/test.egavas.org.csr /etc/pki/koji/certs/test.egavas.org.key

CLI Example:

salt '*' tls.create_csr test

salt.modules.tls.create_pkcs12(ca_name, CN, passphrase='')¶

Create a PKCS#12 browser certificate for a particular Certificate (CN)

ca_name: name of the CA
CN: common name matching the certificate signing request
passphrase: used to unlock the PKCS#12 certificate when loaded into the browser

CLI Example:

salt '*' tls.create_pkcs12 test localhost

salt.modules.tls.create_self_signed_cert(tls_dir='tls', bits=2048, days=365, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='Salt Stack', OU=None, emailAddress='xyz@pdq.net')¶

Create a Self-Signed Certificate (CERT)

tls_dir: location appended to the ca.cert_base_path, default is 'tls'
bits: number of RSA key bits, default is 2048
CN: common name in the request, default is "localhost"
C: country, default is "US"
ST: state, default is "Utah"
L: locality, default is "Centerville", the city where SaltStack originated
O: organization, default is "Salt Stack" NOTE: Must the same as CA certificate or an error will be raised
OU: organizational unit, default is None
emailAddress: email address for the request, default is 'xyz@pdq.net'

Writes out a Self-Signed Certificate (CERT). If the file already exists, the function just returns.

If the following values were set:

ca.cert_base_path='/etc/pki/koji' tls_dir='koji' CN='test.egavas.org'

the resulting CERT, and corresponding key, would be written in the following location:

/etc/pki/tls/certs/test.egavas.org.crt /etc/pki/tls/certs/test.egavas.org.key

CLI Example:

salt '*' tls.create_self_signed_cert

Previous topic

salt.modules.timezone

Next topic

salt.modules.tomcat

salt.modules.tls¶

Previous topic

Next topic

Quick search