Resource Type: openssl_genpkey

Defined in:
lib/puppet/type/openssl_genpkey.rb
Providers:
openssl

Summary

Generate OpenSSL private key files

Overview

**This type is deprecated!**

Generate an OpenSSL private key file. The type creates RSA or Elliptic Curve keys depending on the parameter `algorithm`.

The key can optionally be encrypted using a supplied password. Encryption uses the `-passin` option when calling `openssl`, so the password is not visible in the process listing.

The type is refreshable: `openssl_genpkey` regenerates the key when the resource is notified by another resource.

Examples:

Generate a 2048-bit RSA key file


openssl_genpkey { '/tmp/rsa-2048.key':
  algorithm => 'RSA',
  bits      => '2048',
}

Generate an AES-encrypted Elliptic Curve private key


openssl_genpkey { '/tmp/ec-secp256k1.key':
  algorithm => 'EC',
  curve     => 'secp256k1',
  cipher    => 'aes128',
  password  => 'rosebud',
}

Regenerate the key if another file changes


openssl_genpkey { '/tmp/rsa-2048.key':
  algorithm => 'RSA',
  bits      => '2048',
  subscribe => File['/etc/ssl/key.trigger'],
}
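As an added example (not from the module's own documentation): the encrypted-key resource above with the password read from Hiera instead of written as a literal in the manifest, plus a `file` resource that restricts the key's permissions, which this type does not document managing itself. The Hiera key name `profile::tls::key_password` and the assumption that the type accepts a `Sensitive` value for `password` (Puppet unwraps `Sensitive` values passed to resource attributes) are illustrative.

```puppet
# Added example, not part of the module. The Hiera key name and the
# Sensitive handling of the 'password' parameter are assumptions.

# Weak: the password is a literal in the manifest, so it lives in version
# control and appears in plain text in catalog diffs and reports.
openssl_genpkey { '/etc/ssl/private/weak-example.key':
  algorithm => 'RSA',
  bits      => '4096',
  cipher    => 'aes128',
  password  => 'rosebud',
}

# Better: take the password from Hiera (for example an eyaml-encrypted
# backend) and wrap it in Sensitive so Puppet redacts it from logs and
# reports. Assumes the type accepts a Sensitive value for 'password'.
$key_password = Sensitive(lookup('profile::tls::key_password', String))

openssl_genpkey { '/etc/ssl/private/server.key':
  algorithm => 'RSA',
  bits      => '4096',
  cipher    => 'aes128',
  password  => $key_password,
}

# The type documents no owner/mode handling, so lock the file down with a
# separate file resource ordered after key generation.
file { '/etc/ssl/private/server.key':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
  require => Openssl_genpkey['/etc/ssl/private/server.key'],
}
```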

Properties

  • ensure (defaults to: present)

    The basic property that the resource should be in.

    Supported values:
    • present
    • absent

Parameters

  • algorithm

    The algorithm to generate a private key for. The number of bits must be supplied if an RSA key is generated. For an EC key the curve name must be given.

    Supported values:
    • RSA
    • EC
  • bits

    The number of bits for the RSA key. This parameter is mandatory for RSA keys.

    Supported values:
    • 2048
    • 3072
    • 4096
    • 5120
    • 6144
    • 7168
    • 8192
  • cipher

    Encrypt the key with the supplied cipher. A password must be given in this case.

  • curve

    The curve to use for an elliptic curve key. This parameter is mandatory for EC keys.

    Supported values:
    • %r{^[a-zA-Z][a-zA-Z0-9-]+[0-9]$}
  • file

    The name of the private key file to manage.

  • password

    Use the supplied password when encrypting the key.

  • provider

    The specific backend to use for this `openssl_genpkey` resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.