Resource Type: openssl_cert
Defined in: lib/puppet/type/openssl_cert.rb

Summary
Create an OpenSSL certificate from a Certificate Signing Request

Overview
**This type is still beta!**
The type takes a Certificate Signing Request (created by `openssl_request`, for example) and an issuer certificate and key as input to generate a signed certificate.
To create a self-signed certificate, set `issuer_key` to the same key that was used to create the request. Otherwise `issuer_cert` and `issuer_key` should point to your CA certificate and key.
The type uses a random 128-bit number as the serial number.
The certificate validity starts the moment the certificate is signed and ends as defined by the parameter `days`. The expiration time of the certificate is additionally limited by the validity of your CA certificate unless you create a self-signed certificate.
The parameters `copy_request_extensions` and `omit_request_extensions` can be used to specifically allow or deny some extensions from the request. You can also use type parameters to set some extensions to a fixed value.
The type expects to find the `-----BEGIN CERTIFICATE-----` token in the file; otherwise it overwrites the file content with a new certificate.
The type is refreshable and will generate a new certificate if the resource is notified by another resource.
This type uses the Ruby OpenSSL library and does not need the `openssl` binary provided by the operating system.
Autorequires: If Puppet is managing the OpenSSL issuer key, issuer certificate or request that is used to create the certificate, the `openssl_cert` resource will autorequire these resources.
Examples:

Create a CA certificate from a CSR using the specified extensions:

```puppet
openssl_cert { '/etc/ssl/ca.crt':
  request                       => '/etc/ssl/ca.csr',
  issuer_key                    => '/etc/ssl/ca.key',
  key_usage                     => ['keyCertSign', 'cRLSign'],
  key_usage_critical            => true,
  basic_constraints_ca          => true,
  basic_constraints_ca_critical => true,
  subject_key_identifier        => 'hash',
  authority_key_identifier      => ['issuer', 'keyid:always'],
  days                          => 2922,
}
```

Create a certificate for a node and copy two extensions from the CSR:

```puppet
openssl_cert { "/etc/ssl/${facts[networking][fqdn]}.crt":
  request                  => "/etc/ssl/${facts[networking][fqdn]}.csr",
  issuer_key               => '/etc/ssl/ca.key',
  issuer_cert              => '/etc/ssl/ca.crt',
  subject_key_identifier   => 'hash',
  authority_key_identifier => ['keyid', 'issuer'],
  copy_request_extensions  => ['subjectAltName', 'keyUsage'],
}
```
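What the two manifests above ask the type to do, reproduced with Ruby's OpenSSL library as an added example (this is not code from the puppet-openssl module). It shows the behaviour the overview documents: a random 128-bit serial, validity that starts at signing time and is capped by the issuer certificate's expiry (the limit the `days` parameter is subject to), a self-signed certificate when the issuer key is the key that signed the request, and the `BEGIN CERTIFICATE` token check. The function names, the rule that a missing issuer certificate selects the self-signed path, and the in-memory keys are this example's own assumptions; how the type detects these cases internally is not shown on the page.

```ruby
require 'openssl'

# Added example, not code from the puppet-openssl module. Keys are generated
# in memory and nothing is written to disk.

ONE_DAY = 24 * 60 * 60

# Build a CSR for common_name signed with key (what openssl_request provides).
def build_request(key, common_name)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# Sign a request. With issuer_cert the CA path is taken; without it the
# certificate is self-signed and issuer_key must be the request's own key
# (assumption of this example: the type's internal rule is not on the page).
def sign_request(request, issuer_key, issuer_cert: nil, days: 365, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509v3
  cert.serial = OpenSSL::BN.rand(128)   # random 128-bit serial number
  cert.subject = request.subject
  cert.public_key = request.public_key
  cert.not_before = Time.now            # validity starts when signed
  cert.not_after = cert.not_before + days * ONE_DAY

  if issuer_cert
    unless issuer_cert.check_private_key(issuer_key)
      raise ArgumentError, 'issuer_key does not belong to issuer_cert'
    end
    cert.issuer = issuer_cert.subject
    # A certificate cannot outlive its issuer: clamp the expiry.
    cert.not_after = issuer_cert.not_after if cert.not_after > issuer_cert.not_after
  else
    unless request.verify(issuer_key.public_key)
      raise ArgumentError, 'issuer_key is not the key that signed the request'
    end
    cert.issuer = request.subject
    issuer_cert = cert                  # self-signed: the cert is its own issuer
  end

  # Extensions set from type parameters; these override anything in the CSR.
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always,issuer'))

  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The check the type applies to an existing file: only content carrying the
# CERTIFICATE token is left alone; anything else would be overwritten.
def existing_certificate?(content)
  content.include?('-----BEGIN CERTIFICATE-----')
end

if $PROGRAM_NAME == __FILE__
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = sign_request(build_request(ca_key, 'Example CA'), ca_key, days: 2922, ca: true)
  node_key = OpenSSL::PKey::RSA.new(2048)
  node_cert = sign_request(build_request(node_key, 'node.example.com'), ca_key,
                           issuer_cert: ca_cert, days: 5000)
  puts ca_cert.to_text
  puts "node cert expires #{node_cert.not_after} (CA expires #{ca_cert.not_after})"
end
```

Running the file signs a CA from its own request and then a node certificate whose requested 5000 days are silently cut back to the CA's remaining lifetime, which is the clamp the `days` parameter documents.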
Properties

- ensure (defaults to: present)
  The basic property that the resource should be in.
  Supported values: present, absent
Parameters

- authority_key_identifier
  The Authority Key Identifier extension.

- backup
  Specifies whether (and how) to back up the destination file before overwriting it. The value is passed on to Puppet's native file resource for execution. Valid options: true, false, or a string naming either a target filebucket or a filename extension beginning with ".".

- basic_constraints_ca
  Whether the Basic Constraints CA extension should be set. Setting this parameter overrides the value of the `basicConstraints` extension from the request.
  Supported values: true, false

- basic_constraints_ca_critical
  Whether the Basic Constraints CA extension should be critical.
  Supported values: true, false

- copy_request_extensions (defaults to: [])
  List of extensions to copy from the certificate request. If this parameter is set, only these extensions are copied from the request into the final certificate. Otherwise all extensions are copied from the request unless the parameter `omit_request_extensions` disallows them.
  Some extension names that might be useful to include here are `basicConstraints`, `keyUsage`, `extendedKeyUsage` and `subjectAltName`.
  If an extension name is included in both `copy_request_extensions` and `omit_request_extensions`, `omit_request_extensions` has precedence and the extension is not copied from the request to the final certificate.
  Extensions defined by explicit type parameters always override extensions from the request.
- days (defaults to: 365)
  The number of days that the certificate should be valid.
  A certificate can't be valid after the issuing certificate has expired, so the validity is limited by the expiration time of the issuing certificate.
  Supported values: a string of decimal digits (matching `%r{^[0-9]+$}`)

- extended_key_usage
  The X.509v3 Extended Key Usage extension. Valid options: `serverAuth`, `clientAuth`, `codeSigning`, `emailProtection`, `timeStamping`, `OCSPSigning`, `ipsecIKE`, `msCodeInd`, `msCodeCom`, `msCTLSign`, `msEFS`.
  Setting this parameter overrides the value of the `extendedKeyUsage` extension from the request.

- extended_key_usage_critical
  Whether the Extended Key Usage extension should be critical.
  Supported values: true, false

- group
  Specifies a permissions group for the destination file. Valid options: a string containing a group name or an integer containing a gid.

- issuer_cert
  The path to the certificate file that is used to issue the certificate.

- issuer_key
  The path to the key file that is used to issue the certificate. If this is the same key that was used to create the request, a self-signed certificate will be created.

- issuer_key_password (defaults to: '')
  The password to use when loading a protected issuer key.

- key_usage
  The X.509v3 Key Usage extension. Valid options: `digitalSignature`, `nonRepudiation`, `keyEncipherment`, `dataEncipherment`, `keyAgreement`, `keyCertSign`, `cRLSign`, `encipherOnly`, `decipherOnly`.
  Setting this parameter overrides the value of the `keyUsage` extension from the request.

- key_usage_critical
  Whether the Key Usage extension should be critical.
  Supported values: true, false

- mode
  Specifies the permissions mode of the destination file. Valid options: a string containing a permission mode value in octal notation.

- omit_request_extensions (defaults to: [])
  List of extensions to omit from the certificate request. If this parameter is set, the named extensions are never copied from the request into the final certificate. Otherwise all extensions are copied from the request unless the parameter `copy_request_extensions` restricts them.
  Some extension names that might be useful to include here are `basicConstraints`, `keyUsage`, `extendedKeyUsage` and `subjectAltName`.
  If an extension name is included in both `copy_request_extensions` and `omit_request_extensions`, `omit_request_extensions` has precedence and the extension is not copied from the request to the final certificate.
  Extensions defined by explicit type parameters always override extensions from the request.
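The selection rules documented for `copy_request_extensions` and `omit_request_extensions` (a copy list restricts, an omit list always wins, and an explicit type parameter replaces whatever the request asked for), as an added Ruby example that is not the module's own code. The request extensions are constructed inline with `OpenSSL::X509::ExtensionFactory` rather than parsed from a CSR, and the function names and the `explicit` hash standing in for type parameters such as `basic_constraints_ca` are this example's own.

```ruby
require 'openssl'

# Added example, not code from the puppet-openssl module. It applies the
# documented copy/omit/override rules to OpenSSL::X509::Extension objects.

# Constructed stand-in for the extensions a CSR might carry. Note that the
# request asks for CA:TRUE, which an issuer should not honour blindly.
REQUEST_EXTENSIONS = begin
  ef = OpenSSL::X509::ExtensionFactory.new
  [
    ef.create_extension('subjectAltName', 'DNS:node.example.com', false),
    ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true),
    ef.create_extension('basicConstraints', 'CA:TRUE', true),
    ef.create_extension('extendedKeyUsage', 'serverAuth', false)
  ]
end

# request_exts: extensions found in the CSR.
# copy:     names allowed from the request; [] means all of them.
# omit:     names never taken from the request; wins over copy.
# explicit: { name => [value, critical] } standing in for type parameters
#           such as key_usage or basic_constraints_ca; always override.
# Returns the extensions the final certificate would carry.
def select_extensions(request_exts, copy: [], omit: [], explicit: {})
  from_request = request_exts.select do |ext|
    next false if omit.include?(ext.oid)          # omit has precedence
    copy.empty? || copy.include?(ext.oid)          # copy restricts when set
  end
  # Drop request extensions that an explicit parameter replaces.
  final = from_request.reject { |ext| explicit.key?(ext.oid) }
  ef = OpenSSL::X509::ExtensionFactory.new
  explicit.each do |name, (value, critical)|
    final << ef.create_extension(name, value, critical)
  end
  final
end

def extension_names(exts)
  exts.map(&:oid)
end

if $PROGRAM_NAME == __FILE__
  # Second page example: copy only subjectAltName and keyUsage.
  p extension_names(select_extensions(REQUEST_EXTENSIONS, copy: %w[subjectAltName keyUsage]))
  # Pin basicConstraints regardless of what the request asked for.
  pinned = select_extensions(REQUEST_EXTENSIONS, explicit: { 'basicConstraints' => ['CA:FALSE', true] })
  pinned.each { |e| puts "#{e.oid}#{' (critical)' if e.critical?}: #{e.value}" }
end
```

The last call is the defender's point behind "explicit type parameters always override": a request carrying `basicConstraints = CA:TRUE` ends up with a critical `CA:FALSE` once `basic_constraints_ca => false` is set, so the CSR cannot talk the issuer into minting a CA certificate.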
- owner
  Specifies the owner of the destination file. Valid options: a string containing a username or an integer containing a uid.

- path
  Specifies the destination file. Valid options: a string containing an absolute path. Default value: the title of your declared resource.

- request
  The path to the certificate request to use when creating the certificate.

- selinux_ignore_defaults
  See the file type's selinux_ignore_defaults documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-selinux_ignore_defaults
  Supported values: true, false, yes, no

- selrange
  See the file type's selrange documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-selrange

- selrole
  See the file type's selrole documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-selrole

- seltype
  See the file type's seltype documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-seltype

- seluser
  See the file type's seluser documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-seluser

- show_diff
  Specifies whether to set the show_diff parameter for the file resource.
  Supported values: true, false, yes, no

- signature_algorithm (defaults to: sha256)
  The signature algorithm to use. The algorithms `md2`, `md4`, `md5`, `sha` and `sha1` are only included for backwards compatibility and should be considered insecure for new certificates.
  Supported values: md2, md4, md5, sha, sha1, sha224, sha256, sha384, sha512

- subject_key_identifier
  The Subject Key Identifier extension. Normally the value `hash` is used when creating certificates.

- subject_key_identifier_critical
  Whether the Subject Key Identifier extension should be critical.
  Supported values: true, false