Resource Type: openssl_key
- Defined in:
- lib/puppet/type/openssl_key.rb
Summary
Create an OpenSSL private key
Overview
**This type is still beta!**
This type creates RSA or Elliptic Curve keys depending on the parameter `algorithm`.
The key can optionally be encrypted using a supplied password.
The type expects to find the "-----BEGIN PRIVATE KEY-----" token in the file or it will overwrite the file content with a new key.
The type is refreshable and will generate a new key if the resource is notified from another resource.
This type uses the Ruby OpenSSL library and does not need the `openssl` binary provided by the operating system.
Examples:
Generate a 2048 bit RSA key

  openssl_key { '/etc/ssl/rsa-2048.key':
    algorithm => 'RSA',
    bits      => 2048,
  }

Generate an Elliptic Curve key that is encrypted using AES128

  openssl_key { '/etc/ssl/ec-secp256k1.key':
    algorithm => 'EC',
    curve     => 'secp256k1',
    cipher    => 'aes128',
    password  => 'rosebud',
  }

Create a key and regenerate it if another resource changes

  openssl_key { '/etc/ssl/rsa-2048.key':
    algorithm => 'RSA',
    bits      => 2048,
    subscribe => File['/etc/ssl/key.trigger'],
  }
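As an added illustration (not code from the module itself) of the behaviour described in the overview, the following Ruby script uses the same Ruby OpenSSL library to check a file's content for the `-----BEGIN PRIVATE KEY-----` token and, when it is absent, to generate an RSA or EC key in PKCS#8 PEM form, honouring the `cipher`/`password` rules listed under the parameters below. The function names, and the decision to also accept an existing `-----BEGIN ENCRYPTED PRIVATE KEY-----` token as a present key, are assumptions of this example.

```ruby
require 'openssl'

# Token the type looks for before it treats the file as already holding a key.
PRIVATE_KEY_MARKER = '-----BEGIN PRIVATE KEY-----'.freeze
# Assumption of this example: an encrypted PKCS#8 key also counts as present.
ENCRYPTED_KEY_MARKER = '-----BEGIN ENCRYPTED PRIVATE KEY-----'.freeze

# True when the file (nil = it does not exist) must be overwritten with a new key.
def key_missing?(content)
  return true if content.nil?

  !(content.include?(PRIVATE_KEY_MARKER) || content.include?(ENCRYPTED_KEY_MARKER))
end

# Generate a private key with the Ruby OpenSSL library only (no openssl binary)
# and return it as PKCS#8 PEM. Mirrors the type's parameters: RSA needs bits,
# EC needs a curve name, a cipher needs a password, and a password without a
# cipher yields an unprotected key.
def generate_key_pem(algorithm: 'RSA', bits: 2048, curve: 'secp384r1',
                     cipher: nil, password: nil)
  raise ArgumentError, 'a password is required when cipher is set' if cipher && !password

  key = case algorithm
        when 'RSA'
          raise ArgumentError, 'bits must be given for RSA keys' unless bits
          OpenSSL::PKey::RSA.generate(bits)
        when 'EC'
          raise ArgumentError, 'curve must be given for EC keys' unless curve
          OpenSSL::PKey::EC.generate(curve)
        else
          raise ArgumentError, "unsupported algorithm #{algorithm.inspect}"
        end

  return key.private_to_pem unless cipher

  # Encrypted export yields "-----BEGIN ENCRYPTED PRIVATE KEY-----" (PKCS#8).
  key.private_to_pem(OpenSSL::Cipher.new(cipher), password)
end

# What one run would leave in the file: the existing content when a key token
# is found, otherwise a freshly generated key.
def ensure_key(content, **opts)
  key_missing?(content) ? generate_key_pem(**opts) : content
end

if $PROGRAM_NAME == __FILE__
  puts ensure_key(nil, algorithm: 'EC', curve: 'secp384r1',
                  cipher: 'aes128', password: 'rosebud')
end
```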
Properties
- ensure (defaults to: present)
  The basic property that the resource should be in.
  Supported values:
  - present
  - absent
Parameters
- algorithm (defaults to: RSA)
  The algorithm to use when generating a private key. The number of bits must be supplied if an RSA key is generated. For an EC key the curve name must be given.
  Supported values:
  - RSA
  - EC
- backup
  Specifies whether (and how) to back up the destination file before overwriting it. Your value gets passed on to Puppet's native file resource for execution. Valid options: true, false, or a string representing either a target filebucket or a filename extension beginning with ".".
- bits (defaults to: 2048)
  The number of bits for the RSA key. This parameter is mandatory for RSA keys. Keys with 1024 bits should only be used for specific applications like DKIM.
  Supported values:
  - 1024
  - 2048
  - 3072
  - 4096
  - 5120
  - 6144
  - 7168
  - 8192
- cipher
  Encrypt the key with the supplied cipher. A password must be given if this parameter is set.
- curve (defaults to: secp384r1)
  The curve to use for the elliptic curve key. This parameter is mandatory for EC keys. Consult your OpenSSL documentation to find out what curves are supported on your system. The following curves should be available for TLS 1.3 and earlier: `secp256r1`, `secp384r1`, `secp521r1`.
- group
  Specifies a permissions group for the destination file. Valid options: a string containing a group name or an integer containing a gid.
- mode
  Specifies the permissions mode of the destination file. Valid options: a string containing a permission mode value in octal notation.
- owner
  Specifies the owner of the destination file. Valid options: a string containing a username or an integer containing a uid.
- password
  Use the supplied password to encrypt the key. Setting only a password without a cipher creates an unprotected key.
- path
  Specifies the destination file. Valid options: a string containing an absolute path. Default value: the title of your declared resource.
- selinux_ignore_defaults
  See the file type's selinux_ignore_defaults documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-selinux_ignore_defaults
  Supported values:
  - true
  - false
  - yes
  - no
- selrange
  See the file type's selrange documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-selrange
- selrole
  See the file type's selrole documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-selrole
- seltype
  See the file type's seltype documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-seltype
- seluser
  See the file type's seluser documentation: docs.puppetlabs.com/references/latest/type.html#file-attribute-seluser
- show_diff
  Specifies whether to set the show_diff parameter for the file resource.
  Supported values:
  - true
  - false
  - yes
  - no