Defined Type: openssl::config

Defined in:
manifests/config.pp

Summary

Create OpenSSL config for a CSR

Overview

Examples:

Creating a config file for a CSR


openssl::config { '/etc/ssl/www.example.com.cnf':
  common_name        => 'www.example.com',
  extended_key_usage => [ 'serverAuth', 'clientAuth' ],
}

Parameters:

  • common_name (String)

    The value of the X.509 ‘CN` attribute. This attribute is mandatory.

  • config (Stdlib::Absolutepath) (defaults to: $name)

    The full path name of the OpenSSL configuration file that will be created. It contains a minimal set of configuration options that are needed to process a CSR.

  • subject_alternate_names_dns (Array[Stdlib::Fqdn]) (defaults to: [])

    An array of DNS names that will be added as subject alternate names using the ‘DNS` prefix. The certificate can be used for all names given in this list. Normally the common name should be in this list or the certificate may be rejected by modern web browsers.

  • subject_alternate_names_ip (Array[Stdlib::IP::Address]) (defaults to: [])

    An array of IP addresses that will be added as subject alternate names using the ‘IP` prefix. The certificate can be used for all IP addresses given in this list.

  • key_usage (Array[Openssl::Keyusage]) (defaults to: ['keyEncipherment', 'dataEncipherment'])

    The intended purposes of the certificate.

  • extended_key_usage (Array[Openssl::Extendedkeyusage]) (defaults to: ['serverAuth'])

    The extended key usage of the certificate.

  • basic_constraints_ca (Boolean) (defaults to: false)

    Whether the subject of the certificate is a CA.

  • owner (String) (defaults to: 'root')

    The file owner used for the resource.

  • group (Optional[String]) (defaults to: undef)

    The file group used for the resource.

  • country_name (Optional[String]) (defaults to: undef)

    The value of the X.509 ‘C` attribute.

  • state_or_province_name (Optional[String]) (defaults to: undef)

    The value of the X.509 ‘ST` attribute.

  • locality_name (Optional[String]) (defaults to: undef)

    The value of the X.509 ‘L` attribute.

  • postal_code (Optional[String]) (defaults to: undef)

    The value of the X.509 ‘PC` attribute.

  • street_address (Optional[String]) (defaults to: undef)

    The value of the X.509 ‘STREET` attribute.

  • organization_name (Optional[String]) (defaults to: undef)

    The value of the X.509 ‘O` attribute.

  • organization_unit_name (Optional[String]) (defaults to: undef)

    The value of the X.509 ‘OU` attribute.



66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
 
# File 'manifests/config.pp', line 66

define openssl::config (
  String                           $common_name,
  Stdlib::Absolutepath             $config                      = $name,
  Array[Stdlib::Fqdn]              $subject_alternate_names_dns = [],
  Array[Stdlib::IP::Address]       $subject_alternate_names_ip  = [],
  Array[Openssl::Keyusage]         $key_usage                   = ['keyEncipherment', 'dataEncipherment'],
  Array[Openssl::Extendedkeyusage] $extended_key_usage          = ['serverAuth'],
  Boolean                          $basic_constraints_ca        = false,
  String                           $owner                       = 'root',
  Optional[String]                 $group                       = undef,
  Optional[String]                 $country_name                = undef,
  Optional[String]                 $state_or_province_name      = undef,
  Optional[String]                 $locality_name               = undef,
  Optional[String]                 $postal_code                 = undef,
  Optional[String]                 $street_address              = undef,
  Optional[String]                 $organization_name           = undef,
  Optional[String]                 $organization_unit_name      = undef,
) {
  # The base class must be included first
  unless defined(Class['openssl']) {
    fail('You must include the openssl base class before using any openssl defined resources')
  }

  $use_subject_alternate_names =
    !empty($subject_alternate_names_dns) or !empty($subject_alternate_names_ip)

  $basic_constraints = bool2str($basic_constraints_ca, 'CA:true', 'CA:false')

  $params = {
    'default_bits'                => '2048',
    'default_md'                  => 'sha512',
    'common_name'                 => $common_name,
    'country_name'                => $country_name,
    'state_or_province_name'      => $state_or_province_name,
    'locality_name'               => $locality_name,
    'postal_code'                 => $postal_code,
    'street_address'              => $street_address,
    'organization_name'           => $organization_name,
    'organization_unit_name'      => $organization_unit_name,
    'key_usage'                   => $key_usage,
    'extended_key_usage'          => $extended_key_usage,
    'basic_constraints'           => $basic_constraints,
    'subject_alternate_names_dns' => $subject_alternate_names_dns,
    'subject_alternate_names_ip'  => $subject_alternate_names_ip,
    'use_subject_alternate_names' => $use_subject_alternate_names,
  }

  file { $config:
    ensure  => file,
    owner   => $owner,
    group   => pick($group, $openssl::root_group),
    mode    => '0600',
    content => epp("${module_name}/csr.conf.epp", $params),
  }
}