Resource Type: openssl_signcsr

Defined in:
lib/puppet/type/openssl_signcsr.rb
Providers:
openssl

Summary

Sign OpenSSL certificate signing request using a CA

Overview

**This type is deprecated!**

The name and the configuration file of a CA are required.

Certificate extensions can be added by using the `extensions` and `extfile` parameters.

Optionally, a key password can be provided if the CA key is encrypted.

The certificate will be valid for the given number of days.

The type is refreshable. The `openssl_signcsr` type will regenerate the certificate if the resource is notified from another resource.

Examples:

Use a CA to sign a CSR


openssl_signcsr { '/tmp/cert.crt':
  csr       => '/tmp/cert.csr',
  ca_name   => 'My-Root-CA',
  ca_config => '/etc/ssl/CA.cnf',
  days      => '365',
}

Regenerate a certificate if the CSR changes


openssl_signcsr { '/tmp/cert.crt':
  csr       => '/tmp/cert.csr',
  ca_name   => 'My-Root-CA',
  ca_config => '/etc/ssl/CA.cnf',
  subscribe => File['/tmp/cert.csr'],
}
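Sign a CSR with explicit extensions and an encrypted CA key. This manifest is an added example, not part of the module's own documentation; it combines the `extensions`, `extfile`, `password` and refresh behaviour described in the overview. The file paths other than `/etc/ssl/CA.cnf`, the section name `server_cert`, the host name `www.example.com` and the Hiera key `ca_key_password` are assumptions chosen for illustration.

```puppet
# Extension file managed by Puppet (path and section name are assumptions).
# Pinning the extensions here keeps the CA from issuing a certificate that
# could itself act as a CA or be used outside TLS server authentication.
file { '/etc/ssl/server_ext.cnf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  content => @(EXT),
    [ server_cert ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = DNS:www.example.com
    | EXT
}

openssl_signcsr { '/etc/ssl/certs/www.example.com.crt':
  csr        => '/etc/ssl/csr/www.example.com.csr',
  ca_name    => 'My-Root-CA',
  ca_config  => '/etc/ssl/CA.cnf',
  # Shorter lifetime than the default of 370 days; must match ^[0-9]+$.
  days       => '90',
  # Section inside extfile that holds the extensions to apply.
  extensions => 'server_cert',
  extfile    => '/etc/ssl/server_ext.cnf',
  # Hypothetical Hiera key: keeps the CA key password out of the manifest
  # source. Omit the parameter entirely if the CA key is not encrypted.
  password   => lookup('ca_key_password'),
  # The type is refreshable, so a change to the extension file triggers
  # regeneration of the certificate.
  subscribe  => File['/etc/ssl/server_ext.cnf'],
}
```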

Properties

  • ensure (defaults to: present)

    The basic property that the resource should be in.

    Supported values:
    • present
    • absent

Parameters

  • ca_config

    Required. The configuration file of the CA that is used to sign the CSR.

  • ca_name

    Required. The name of the CA that is used to sign the CSR.

  • csr

    Required. The file containing the certificate signing request.

  • days (defaults to: 370)

    The number of days the certificate should be valid.

    Supported values:
    • %r{^[0-9]+$}

  • extensions

    The section name of the extensions. The OpenSSL defaults will be used if the parameter is `undef`.

  • extfile

    The file with the certificate extensions.

  • file

    The signed certificate file to manage.

  • password

    The password to decrypt the CA key. Leave the parameter undefined if the key is not encrypted.

  • provider

    The specific backend to use for this `openssl_signcsr` resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.