OpenSSL Puppet Module

This module enables Puppet to manage PKI entities such as encryption keys, signing requests and X.509 certificates.

Setup

Include this module in a manifest:

contain openssl

By default, this will ensure OpenSSL and ca-certificates are installed.

Change the defaults to pin specific versions of the packages or keep them up to date:

class { 'openssl':
  package_ensure         => latest,
  ca_certificates_ensure => latest,
}

Usage

Create X.509 certificates

One of the most common use-cases is to generate a private key, a certificate signing request and issue a certificate. This can be done using the openssl::certificate::x509 defined type, e.g.:

openssl::certificate::x509 { 'hostcert':
  commonname => $facts['networking']['fqdn'],
}

This will create a series of resources, i.e. the private key in /etc/ssl/certs/hostcert.key, the certificate signing request in /etc/ssl/certs/hostcert.csr for the subject DN: CN=<fqdn> and the self-signed certificate stored in /etc/ssl/certs/hostcert.crt.

Note that openssl::certificate::x509 is a defined type that provides this abstract functionality by leveraging several other resources of the module, which are also available individually for more advanced use cases.

Create X.509 certificates from a hash

Include the openssl::certificates class in a node's manifest and set the certificates parameter - possibly via Hiera - to a hash of certificate definitions:

contain openssl::certificates

openssl::certificates:
  hostcert:
    commonname: "%{facts['networking']['fqdn']}"
  othercert:
    commonname: "other.example.com"
    owner: www-data

This will generate openssl::certificate::x509 instances for each key in the hash.

Export a key pair to PKCS#12

Use the openssl::export::pkcs12 defined type to generate a PKCS#12 file:

openssl::export::pkcs12 { 'foo':
  ensure   => 'present',
  basedir  => '/path/to/dir',
  pkey     => '/here/is/my/private.key',
  cert     => '/there/is/the/cert.crt',
  in_pass  => 'my_pkey_password',
  out_pass => 'my_pkcs12_password',
}

Export certificate(s) to PEM/x509 format

Use the openssl::export::pem_cert type to export PEM certificates from a pkcs12 container:

openssl::export::pem_cert { 'foo':
  ensure   => 'present',
  pfx_cert => '/here/is/my/certstore.pfx',
  pem_cert => '/here/is/my/cert.pem',
  in_pass  => 'my_pkcs12_password',
}

This definition exports PEM certificates from a DER certificate:

openssl::export::pem_cert { 'foo':
  ensure   => 'present',
  der_cert => '/here/is/my/certstore.der',
  pem_cert => '/here/is/my/cert.pem',
}

Export a key to PEM format

Use openssl::export::pem_key to export PEM key from a pkcs12 container:

openssl::export::pem_key { 'foo':
  ensure   => 'present',
  pfx_cert => '/here/is/my/certstore.pfx',
  pem_key  => '/here/is/my/private.key',
  in_pass  => 'my_pkcs12_password',
  out_pass => 'my_pkey_password',
}

Dynamic refresh of exported files

If you want Puppet to refresh the PKCS#12, PEM/x509 or PEM key file in case the input files changed, set the dynamic mode on and list desired resources for subscription:

openssl::export::pkcs12 { 'bar':
  ensure    => 'present',
  basedir   => '/path/to/dir',
  pkey      => '/here/is/my/private.key',
  cert      => '/there/is/the/cert.crt',
  dynamic   => true,
  resources => File['/here/is/my/private.key','/there/is/the/cert.crt'],
}

Create Diffie-Hellman parameters

The openssl::dhparam defined type and its back-end resource type dhparam allow to generate Diffie-Hellman parameters.

Simple usage of the Puppet type:

dhparam { '/path/to/dhparam.pem': }

Advanced options:

dhparam { '/path/to/dhparam.pem':
  size => 2048,
}

Or alternatively, using the defined type:

openssl::dhparam { '/path/to/dhparam.pem': }

which is equivalent to:

openssl::dhparam { '/path/to/dhparam.pem':
  ensure => 'present',
  size   => 512,
  owner  => 'root',
  group  => 'root',
  mode   => '0644',
}

Advanced usage:

openssl::dhparam { '/path/to/dhparam.pem':
  ensure => 'present',
  size   => 2048,
  owner  => 'www-data',
  group  => 'adm',
  mode   => '0640',
}

Create a private key

Using the ssl_pkey type allows to generate SSL private keys.

Note, that the private key is not encrypted by default[^1].

[^1]: In every case, not providing the password (or setting it to undef, which is the default) means that the private key won't be encrypted with any symmetric cipher so it is protected by filesystem access mode only.

Simple usage:

ssl_pkey { '/path/to/private.key': }

Advanced options:

ssl_pkey { '/path/to/private.key':
  ensure   => 'present',
  password => 'j(D$',
}

Create a certificate signing request

The x509_request type allows to generate SSL certificate signing requests from a private key. You need to deploy an OpenSSL configuration file containing a section for the request engine and reference it in template. You manage configuration files using the openssl::config defined type.

Simple usage:

x509_request { '/path/to/request.csr': }

Advanced options:

x509_request { '/path/to/request.csr':
  ensure      => 'present',
  password    => 'j(D$',
  template    => '/other/path/to/template.cnf',
  private_key => '/there/is/my/private.key',
  force       => false,
  subscribe   => '/other/path/to/template.cnf',
}

Create a certificate

Using the x509_cert type allows to generate SSL certificates. The default provider to this type can create self-signed certificates or use a certification authority - also deployed on the same host - to sign the certificate signing request.

Simple usage:

x509_cert { '/path/to/certificate.crt': }

Advanced options:

x509_cert { '/path/to/certificate.crt':
  ensure      => 'present',
  password    => 'j(D$',
  template    => '/other/path/to/template.cnf',
  private_key => '/there/is/my/private.key',
  days        => 4536,
  force       => false,
  subscribe   => '/other/path/to/template.cnf',
}

Get a certificate from a remote source

The cert_file type controls a file containing a serialized X.509 certificate. It accepts the source in either PEM or DER format and stores it in the desired serialization format to the file.

cert_file { '/path/to/certs/cacert_root1.pem':
  ensure => present,
  source => 'http://www.cacert.org/certs/root_X0F.der',
  format => pem,
}

Attributes:

• path (namevar): path to the file where the certificate should be stored
• ensure: present or absent
• source: the URL the certificate should be downloaded from
• format: the storage format for the certificate file (pem or der)

Functions

Accessing the CA issuers URL from a certificate

If a certificate contains the authorityInfoAccess extension, the openssl::cert_aia_caissuers function can be used to parse hte certificate for the authorityInfoAccess extension and return with the URL found as caIssuers, or nil if no URL or extension found. Invoking as deferred function, this can be used to download the issuer certificate:

  file { '/ssl/certs/caissuer.crt':
    ensure => file,
    source => Deferred('openssl::cert_aia_caissuers', ["/etc/ssl/certs/${facts['networking']['fqdn']}.crt"]),
  }

Contributing

Please report bugs and feature request using GitHub issue tracker.

For pull requests, it is very much appreciated to check your Puppet manifest with puppet-lint to follow the recommended Puppet style guidelines from the Puppet Labs style guide.

Transfer Notice

This plugin was originally authored by Camptocamp. The maintainer preferred that Puppet Community take ownership of the module for future improvement and maintenance. Existing pull requests and issues were transferred over, please fork and continue to contribute here instead of Camptocamp.

Previously: https://github.com/camptocamp/puppet-openssl

Reference

Table of Contents

Classes

• openssl: Installs openssl and ensures bundled certificate list is world readable
• openssl::certificates: Generates x509 certificates based on class parameters
• openssl::configs: Generates openssl.conf files using manually set defaults or defaults from openssl::config
• openssl::packages: Sets up packages for openssl

Defined types

• openssl::certificate::x509: Creates a certificate, key and CSR according to datas provided.
• openssl::config: Generates an openssl.conf file using defaults
• openssl::dhparam: Creates Diffie Helman parameters.
• openssl::export::pem_cert: Export certificate(s) to PEM/x509 format
• openssl::export::pem_key: Export a key to PEM format
• openssl::export::pkcs12: Export a key pair to PKCS12 format

Resource types

• cert_file: Manages X.509 certificate files downloaded from a source location, saved in the specified format.
• dhparam: A Diffie Helman parameter file
• ssl_pkey: An SSL private key
• x509_cert: An x509 certificate
• x509_request: An x509 certificate signing request

Functions

• openssl::cert_aia_caissuers: Extrating the caIssuers entry from Authority Information Access extension of X509 certificate
• openssl::cert_date_valid: Checks SSL cetificate date validity.

Classes

openssl

Installs openssl and ensures bundled certificate list is world readable

Examples

basic usage

class { 'openssl':
  package_name           => 'openssl-othername',
  package_ensure         => latest,
  ca_certificates_ensure => latest,
}

Parameters

The following parameters are available in the openssl class:

• package_name
• package_ensure
• ca_certificates_ensure

package_name

Data type: Optional[String[1]]

openssl package name

Default value: undef

package_ensure

Data type: String[1]

openssl package ensure

Default value: installed

ca_certificates_ensure

Data type: String[1]

ca-certificates package ensure

Default value: installed

openssl::certificates

Generates x509 certificates based on class parameters

Examples

basic usage

class { 'openssl::certificate':
  x509_certs => { '/path/to/certificate.crt' => {  ensure      => 'present',
                                                   password    => 'j(D$',
                                                   template    => '/other/path/to/template.cnf',
                                                   private_key => '/there/is/my/private.key',
                                                   days        => 4536,
                                                   force       => false,},
                  '/a/other/certificate.crt' => {  ensure      => 'present', },
                }
}

Parameters

The following parameters are available in the openssl::certificates class:

• x509_certs

x509_certs

Data type: Hash

Default value: {}

openssl::configs

Generates openssl.conf files using manually set defaults or defaults from openssl::config

Examples

basic usage

class { 'openssl::configs':
  country   => 'mycountry',
  conffiles => { '/path/to/openssl.conf' => { ensure       => 'present',
                                              commonname   => 'somewhere.org',
                                              organization => 'myorg' },
                 '/a/other/openssl.conf' => { ensure       => 'present',
                                              commonname   => 'somewhere.else.org',
                                              organization => 'myotherorg' },
                }
}

Parameters

The following parameters are available in the openssl::configs class:

• owner
• group
• mode
• country
• state
• locality
• organization
• unit
• email
• default_bits
• default_md
• default_keyfile
• basicconstraints
• extendedkeyusages
• keyusages
• subjectaltnames
• conffiles

owner

Data type: Optional[String[1]]

default owner for the configuration files

Default value: undef

group

Data type: Optional[String[1]]

default group for the configuration files

Default value: undef

mode

Data type: Optional[String[1]]

default mode for the configuration files

Default value: undef

country

Data type: Optional[String[1]]

default value for country

Default value: undef

state

Data type: Optional[String[1]]

default value for state

Default value: undef

locality

Data type: Optional[String[1]]

default value for locality

Default value: undef

organization

Data type: Optional[String[1]]

default value for organization

Default value: undef

unit

Data type: Optional[String[1]]

default value for unit

Default value: undef

email

Data type: Optional[String[1]]

default value for email

Default value: undef

default_bits

Data type: Optional[Integer]

default key size to generate

Default value: undef

default_md

Data type: Optional[String[1]]

default message digest to use

Default value: undef

default_keyfile

Data type: Optional[String[1]]

default name for the keyfile

Default value: undef

basicconstraints

Data type: Optional[Array]

default version 3 certificate extension basic constraints

Default value: undef

extendedkeyusages

Data type: Optional[Array]

default version 3 certificate extension extended key usage

Default value: undef

keyusages

Data type: Optional[Array]

default version 3 certificate extension key usage

Default value: undef

subjectaltnames

Data type: Optional[Array]

default version 3 certificate extension for alternative names currently supported are IP (v4) and DNS

Default value: undef

conffiles

Data type: Hash

config files to generate

Default value: {}

openssl::packages

Sets up packages for openssl

Defined types

openssl::certificate::x509

Creates a certificate, key and CSR according to datas provided.

Examples

basic usage

openssl::certificate::x509 { 'foo.bar':
  ensure       => present,
  country      => 'CH',
  organization => 'Example.com',
  commonname   => $fqdn,
  base_dir     => '/var/www/ssl',
  owner        => 'www-data',
}

This will create files "foo.bar.cnf", "foo.bar.crt", "foo.bar.key"
and "foo.bar.csr" in /var/www/ssl/.
All files will belong to user "www-data".

Those files can be used as is for apache, openldap and so on.

If you wish to ensure a key is read-only to a process:
set $key_group to match the group of the process,
and set $key_mode to '0640'.

Parameters

The following parameters are available in the openssl::certificate::x509 defined type:

• ensure
• country
• state
• locality
• commonname
• altnames
• extkeyusage
• organization
• unit
• email
• days
• base_dir
• key_size
• owner
• group
• key_owner
• key_group
• key_mode
• password
• force
• cnf_dir
• crt_dir
• csr_dir
• key_dir
• cnf
• crt
• csr
• key
• encrypted
• ca
• cakey
• cakey_password

ensure

Data type: Enum['present', 'absent']

ensure wether certif and its config are present or not

Default value: present

country

Data type: Optional[String]

certificate countryName

Default value: undef

state

Data type: Optional[String]

certificate stateOrProvinceName

Default value: undef

locality

Data type: Optional[String]

certificate localityName

Default value: undef

commonname

Data type: Optional[String]

certificate CommonName

Default value: undef

altnames

Data type: Array

certificate subjectAltName. Can be an array or a single string.

Default value: []

extkeyusage

Data type: Array

certificate extended key usage Value | Meaning ----------------|------------------------------------- serverAuth | SSL/TLS Web Server Authentication. clientAuth | SL/TLS Web Client Authentication. codeSigning | Code signing. emailProtection | E-mail Protection (S/MIME). timeStamping | Trusted Timestamping OCSPSigning | OCSP Signing ipsecIKE | ipsec Internet Key Exchange msCodeInd | Microsoft Individual Code Signing (authenticode) msCodeCom | Microsoft Commercial Code Signing (authenticode) msCTLSign | Microsoft Trust List Signing msEFS | Microsoft Encrypted File System

Default value: []

organization

Data type: Optional[String]

certificate organizationName

Default value: undef

unit

Data type: Optional[String]

certificate organizationalUnitName

Default value: undef

email

Data type: Optional[String]

certificate emailAddress

Default value: undef

days

Data type: Integer

certificate validity

Default value: 365

base_dir

Data type: Stdlib::Absolutepath

where cnf, crt, csr and key should be placed. Directory must exist

Default value: '/etc/ssl/certs'

key_size

Data type: Integer

Size of the key to generate.

Default value: 3072

owner

Data type: Variant[String, Integer]

cnf, crt, csr and key owner. User must exist

Default value: 'root'

group

Data type: Variant[String, Integer]

cnf, crt, csr and key group. Group must exist

Default value: 'root'

key_owner

Data type: Variant[String, Integer]

key owner. User must exist. defaults to $owner

Default value: $owner

key_group

Data type: Variant[String, Integer]

key group. Group must exist. defaults to $group

Default value: $group

key_mode

Data type: Stdlib::Filemode

key group.

Default value: '0600'

password

Data type: Optional[String]

private key password. undef means no passphrase will be used to encrypt private key.

Default value: undef

force

Data type: Boolean

whether to override certificate and request if private key changes

Default value: true

cnf_dir

Data type: Stdlib::Absolutepath

where cnf should be placed. Directory must exist, defaults to $base_dir.

Default value: $base_dir

crt_dir

Data type: Stdlib::Absolutepath

where crt should be placed. Directory must exist, defaults to $base_dir.

Default value: $base_dir

csr_dir

Data type: Stdlib::Absolutepath

where csr should be placed. Directory must exist, defaults to $base_dir.

Default value: $base_dir

key_dir

Data type: Stdlib::Absolutepath

where key should be placed. Directory must exist, defaults to $base_dir.

Default value: $base_dir

cnf

Data type: Stdlib::Absolutepath

override cnf path entirely. Directory must exist, defaults to $cnf_dir/$title.cnf

Default value: "${cnf_dir}/${name}.cnf"

crt

Data type: Stdlib::Absolutepath

override crt path entirely. Directory must exist, defaults to $crt_dir/$title.crt

Default value: "${crt_dir}/${name}.crt"

csr

Data type: Stdlib::Absolutepath

override csr path entirely. Directory must exist, defaults to $csr_dir/$title.csr

Default value: "${csr_dir}/${name}.csr"

key

Data type: Stdlib::Absolutepath

override key path entirely. Directory must exist, defaults to $key_dir/$title.key

Default value: "${key_dir}/${name}.key"

encrypted

Data type: Boolean

Flag requesting the exported key to be unencrypted by specifying the -nodes option during the CSR generation. Turning off encryption is needed by some applications, such as OpenLDAP. Defaults to true (key is encrypted)

Default value: true

ca

Data type: Optional[Stdlib::Absolutepath]

Path to CA certificate for signing. Undef means no CA will be provided for signing the certificate.

Default value: undef

cakey

Data type: Optional[Stdlib::Absolutepath]

Path to CA private key for signing. Undef mean no CAkey will be provided.

Default value: undef

cakey_password

Data type: Optional[Variant[Sensitive[String[1]], String[1]]]

Optional password that has encrypted the CA key.

Default value: undef

openssl::config

Generates an openssl.conf file using defaults

Examples

basic usage

openssl::config {'/path/to/openssl.conf':
  ensure       => 'present',
  commonname   => 'somewhere.org',
  country      => 'mycountry',
  organization => 'myorg',
}

Parameters

The following parameters are available in the openssl::config defined type:

• ensure
• commonname
• country
• organization
• owner
• group
• mode
• state
• locality
• unit
• email
• default_bits
• default_md
• default_keyfile
• basicconstraints
• extendedkeyusages
• keyusages
• subjectaltnames

ensure

Data type: Enum['absent','present']

ensure parameter for configfile; defaults to present

Default value: 'present'

commonname

Data type: Optional[Variant[String[1], Array[String[1]]]]

commonname for config file

Default value: undef

country

Data type: Optional[String[1]]

value for country

Default value: undef

organization

Data type: Optional[String[1]]

value for organization

Default value: undef

owner

Data type: Variant[String[1],Integer]

owner for the configuration file

Default value: 'root'

group

Data type: Variant[String[1],Integer]

group for the configuration file

Default value: 'root'

mode

Data type: Stdlib::Filemode

mode for the configuration file

Default value: '0640'

state

Data type: Optional[String[1]]

value for state

Default value: undef

locality

Data type: Optional[String[1]]

value for locality

Default value: undef

unit

Data type: Optional[String[1]]

value for unit

Default value: undef

email

Data type: Optional[String[1]]

value for email

Default value: undef

default_bits

Data type: Integer

key size to generate

Default value: 4096

default_md

Data type: String[1]

message digest to use

Default value: 'sha512'

default_keyfile

Data type: String[1]

name for the keyfile

Default value: 'privkey.pem'

basicconstraints

Data type: Array

version 3 certificate extension basic constraints

Default value: []

extendedkeyusages

Data type: Array

version 3 certificate extension extended key usage

Default value: []

keyusages

Data type: Array

version 3 certificate extension key usage

Default value: []

subjectaltnames

Data type: Array

version 3 certificate extension for alternative names currently supported are IP (v4) and DNS

Default value: []

openssl::dhparam

Creates Diffie Helman parameters.

Parameters

The following parameters are available in the openssl::dhparam defined type:

• path
• ensure
• size
• owner
• group
• mode
• fastmode

path

Data type: Stdlib::Absolutepath

path to write DH parameters to

Default value: $name

ensure

Data type: Enum['present', 'absent']

ensure whether DH paramers file is present or absent

Default value: present

size

Data type: Integer[1]

number of bits for the parameter set

Default value: 2048

owner

Data type: Variant[String, Integer]

file owner. User must exist

Default value: 'root'

group

Data type: Variant[String, Integer]

file group. Group must exist

Default value: 'root'

mode

Data type: String

file mode.

Default value: '0644'

fastmode

Data type: Boolean

Use "fastmode" for dhparam generation

Default value: false

openssl::export::pem_cert

Export certificate(s) to PEM/x509 format

Parameters

The following parameters are available in the openssl::export::pem_cert defined type:

• dynamic
• ensure
• resources
• pfx_cert
• der_cert
• pem_cert
• in_pass

dynamic

Data type: Boolean

dynamically renew certificate file

Default value: false

ensure

Data type: Enum['present', 'absent']

Whether the certificate file should exist

Default value: present

resources

Data type: Variant[Type, Array[Type]]

List of resources to subscribe to for certificate file renewal

Default value: []

pfx_cert

Data type: Optional[Stdlib::Absolutepath]

PFX certificate/key container

Default value: undef

der_cert

Data type: Optional[Stdlib::Absolutepath]

DER certificate

Default value: undef

pem_cert

Data type: Stdlib::Absolutepath

PEM/x509 certificate

Default value: $title

in_pass

Data type: Optional[String]

PFX password

Default value: undef

openssl::export::pem_key

Export a key to PEM format

Parameters

The following parameters are available in the openssl::export::pem_key defined type:

• pfx_cert
• pem_key
• dynamic
• ensure
• resources
• in_pass
• out_pass

pfx_cert

Data type: Stdlib::Absolutepath

PFX certificate/key container

pem_key

Data type: Stdlib::Absolutepath

PEM certificate

Default value: $title

dynamic

Data type: Boolean

dynamically renew key file

Default value: false

ensure

Data type: Enum['present', 'absent']

Whether the keyfile should exist

Default value: present

resources

Data type: Variant[Type, Array[Type]]

List of resources to subscribe to for key renewal

Default value: []

in_pass

Data type: Optional[String]

PFX container password

Default value: undef

out_pass

Data type: Optional[String]

PEM key password

Default value: undef

openssl::export::pkcs12

Export a key pair to PKCS12 format

Parameters

The following parameters are available in the openssl::export::pkcs12 defined type:

• basedir
• pkey
• cert
• dynamic
• ensure
• resources
• in_pass
• out_pass
• chaincert

basedir

Data type: Stdlib::Absolutepath

Directory where you want the export to be done. Must exists

pkey

Data type: Stdlib::Absolutepath

Private key

cert

Data type: Stdlib::Absolutepath

Certificate

dynamic

Data type: Boolean

dynamically renew PKCS12 file

Default value: false

ensure

Data type: Enum['present', 'absent']

Whether the PKCS12 file should exist

Default value: present

resources

Data type: Variant[Type, Array[Type]]

List of resources to subscribe to for PKCS12 renewal

Default value: []

in_pass

Data type: Optional[String]

Private key password

Default value: undef

out_pass

Data type: Optional[String]

PKCS12 password

Default value: undef

chaincert

Data type: Optional[String]

Chain certificate to include in pkcs12

Default value: undef

Resource types

cert_file

Manages X.509 certificate files downloaded from a source location, saved in the specified format.

Properties

The following properties are available in the cert_file type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the cert_file type.

• format
• path
• provider
• source

format

Valid values: der, pem

Format in which the loaded certificate should be written to file.

Default value: pem

path

Path to the file to manage

provider

The specific backend to use for this cert_file resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

source

The source file

dhparam

A Diffie Helman parameter file

Properties

The following properties are available in the dhparam type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the dhparam type.

• fastmode
• path
• provider
• size

fastmode

Enable fast mode

Default value: false

path

The path of the file

provider

The specific backend to use for this dhparam resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

size

Valid values: %r{\d+}

The key size

Default value: 512

ssl_pkey

An SSL private key

Properties

The following properties are available in the ssl_pkey type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the ssl_pkey type.

• authentication
• curve
• password
• path
• provider
• size

authentication

Valid values: rsa, ec

The authentication algorithm

Default value: rsa

curve

The EC curve

Default value: secp384r1

password

The optional password for the key

path

The path to the key

provider

The specific backend to use for this ssl_pkey resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

size

Valid values: %r{\d+}

The key size for RSA keys

Default value: 2048

x509_cert

An x509 certificate

Properties

The following properties are available in the x509_cert type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the x509_cert type.

• ca
• cakey
• cakey_password
• csr
• days
• force
• password
• path
• private_key
• provider
• req_ext
• template

ca

The optional ca certificate filepath

cakey

The optional ca private key filepath

cakey_password

The optional CA key password

csr

The optional certificate signing request path

days

Valid values: %r{\d+}

The validity of the certificate

Default value: 3650

force

Valid values: true, false

Whether to replace the certificate if the private key mismatches

Default value: false

password

The optional password for the private key

path

The path to the certificate

private_key

The path to the private key

provider

The specific backend to use for this x509_cert resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

req_ext

Valid values: true, false, yes, no

Whether adding v3 SAN from config

Default value: false

template

The template to use

x509_request

An x509 certificate signing request

Properties

The following properties are available in the x509_request type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the x509_request type.

• encrypted
• force
• password
• path
• private_key
• provider
• template

encrypted

Valid values: true, false

Whether to generate the key unencrypted. This is needed by some applications like OpenLDAP

Default value: true

force

Valid values: true, false

Whether to replace the certificate if the private key mismatches

Default value: false

password

The optional password for the private key

path

The path of the certificate signing request

private_key

The path of the private key

provider

The specific backend to use for this x509_request resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

template

The template to use

Functions

openssl::cert_aia_caissuers

Type: Ruby 4.x API

Extract a X509 certificate for x509v3 extensions, search for Authority Information Access extension and return the contents caIssuers access method. For details see rfc5280#section-4.2.2.

Parameter: path to ssl certificate

openssl::cert_aia_caissuers(String $certfile)

Extract a X509 certificate for x509v3 extensions, search for Authority Information Access extension and return the contents caIssuers access method. For details see rfc5280#section-4.2.2.

Parameter: path to ssl certificate

Returns: Any contents of the caIssuers access method of authorityInfoAccess extension, or nil if not found

certfile

Data type: String

Path to the certificate to inspect

openssl::cert_date_valid

Type: Ruby 4.x API

Parameter: path to ssl certificate

openssl::cert_date_valid(String $certfile)

Parameter: path to ssl certificate

Returns: Any false if the certificate is expired or not yet valid,

certfile

Data type: String

The certificate file to check.

Changelog

All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.

v4.1.0 (2024-10-01)

Full Changelog

Implemented enhancements:

• Pass openssl commands as an array #225 (ekohl)

Fixed bugs:

• Correctly pass secrets via environment variables to avoid them being visible in process lists #228 (ekohl)

v4.0.0 (2024-07-19)

Full Changelog

Breaking changes:

• Drop DSA key support #222 (ekohl)
• password encryption: switch from des3->aes-256-cbc #221 (bastelfreak)
• Drop EoL CentOS 6,7,8 support #212 (bastelfreak)
• Drop EoL RedHat 6 and 7 support #211 (bastelfreak)
• Drop EoL Ubuntu 14.04,16.04,18.04 #208 (bastelfreak)
• Drop EoL Debian 8,9,10 support #207 (bastelfreak)
• Use OpenSSL::PKey.read to read private keys #190 (ekohl)

Implemented enhancements:

• Support OpenSSL 3 #223 (ekohl)
• Add Archlinux support #217 (bastelfreak)
• Add OracleLinux 8 & 9 support #216 (bastelfreak)
• Add Rocky Linux 8 & 9 support #215 (bastelfreak)
• Allow passing a CA key password when signing a cert #214 (bastelfreak)
• Add AlmaLinux 8 & 9 support #213 (bastelfreak)
• Add EL9 support #210 (bastelfreak)
• Add Ubuntu 22.04 support #209 (bastelfreak)
• Add Debian 12 support #206 (bastelfreak)
• Add Debian 11 support #205 (bastelfreak)
• Add basic acceptance tests for the existing examples #192 (ekohl)
• Add Ubuntu 24.04 support #191 (ekohl)
• Add Puppet 8 support #167 (bastelfreak)

Fixed bugs:

• Use private_key parameter when creating certificate #186 (vasilevalex)

v3.2.0 (2024-07-18)

Full Changelog

Implemented enhancements:

• feat: refreshable exports #202 (pavelkovtunov)

v3.1.1 (2024-07-11)

Full Changelog

Fixed bugs:

• r10k generate types fails #197
• export/{pem_cert,pem_key,pkcs12}: passin, passout: use shellquote() instead of single quotation marks #199 (pavelkovtunov)
• Add missing require so that generate types works. #198 (ncstate-daniel)
• fix logic bug with extkeyusage and altnames #195 (rtib)

v3.1.0 (2024-05-02)

Full Changelog

Implemented enhancements:

• Improve documentation #183 (rtib)

Fixed bugs:

• Release 3.0.0 broken #178
• Fix handling of request extensions in x509_cert type and provider #180 (rtib)
• Fix config template issues and add some improvements #179 (rtib)

v3.0.0 (2024-03-19)

Full Changelog

Breaking changes:

• Require puppetlabs-stdlib 9.x #165 (smortex)
• moves config management to config provider for X509 certificate; moves certificate from v1 to v3 #164 (zilchms)
• Drop Puppet 6 support #163 (zilchms)
• add puppet7 support; namespace all functions #162 (zilchms)
• enable single config file support #159 (zilchms)
• Enlarge key size based on new security requirement #143 (Vampouille)

Implemented enhancements:

• move from own regex to stdlib ip type adding ipv6 support for SANS #166 (zilchms)
• refactor x509_request to be consistent with x509_cert provider #155 (zilchms)
• add ability to certificate provider to get signed against a CA cert #153 (zilchms)
• Allow cert_file to download certificates via https #146 (rtib)

Fixed bugs:

• templates/cert.cnf.erb should use @, not $ #149 (mikerenfro)
• fix openssl_version on EL8 OpenSSL 1.1.1k #135 (fraenki)

Closed issues:

• Move on from puppet6 #161
• Bug/Maintenance in/for configuration templates #158

Merged pull requests:

• Remove legacy top-scope syntax #171 (smortex)
• Use puppet-strings comments #151 (smortex)

v2.0.1 (2022-03-09)

Full Changelog

Fixed bugs:

• incorrect behaviour of cert_aia_caissuers if file does not exists #126 (rtib)

Closed issues:

• openssl_version fact resolves to nil #134

Merged pull requests:

• Rework README.md/add correct badges #141 (bastelfreak)
• Tests: Use modern rspec syntax #140 (bastelfreak)
• puppet-lint: fix current violations #138 (bastelfreak)
• init: fix Puppet Strings docs syntax #137 (kenyon)
• puppet-lint: fix top_scope_facts warnings #133 (bastelfreak)
• allow stdlib 8.0.0 #130 (kenyon)

2.0.0 (2021-05-04)

Full Changelog

Breaking changes:

• update pdk, dependencies and requirements #125 (rtib)

Implemented enhancements:

• add cert_file type #124 (rtib)
• Allow DER certificates to be converted to PEM format #122 (n3mawashi)
• function to extract caIssuers URL from authorityInfoAccess extension #120 (rtib)
• Allow openssl_version regex to match more FIPS versions #112 (runejuhl)

Closed issues:

• Parameters for openssl.cnf #41

Merged pull requests:

• readd dependencies to class to generate configs #119 (trefzer)
• add autorequire for file path to all defined types #117 (trefzer)
• add class to generate configs #116 (trefzer)
• add support for OpenBSD #115 (trefzer)
• fix spec test, failing Time.now is not executed in same second #114 (trefzer)
• allow for numeric owner and group IDs for file resources #113 (kenyon)

1.14.0 (2020-03-05)

Full Changelog

Breaking changes:

• in_pass, out_pass and chaincert params to Optional[String] #111 (raphink)

Implemented enhancements:

• Update stdlib dependency #109 (treydock)

Closed issues:

• 1.13.0 introduced bug in openssl::export::pkcs12 #110

1.13.0 (2020-01-07)

Full Changelog

Implemented enhancements:

• Rubocop #108 (raphink)
• Port specs to rspec 3 #107 (raphink)
• Port cert_date_valid function to Puppet 4.x API #106 (raphink)
• Convert to PDK #105 (raphink)
• Manifests cleanup #104 (raphink)

1.12.0 (2019-04-17)

Full Changelog

Implemented enhancements:

• Add ability to generate Elliptic Curve key pairs #99 (fabbks)

1.11.0 (2019-03-01)

Full Changelog

Implemented enhancements:

• Ability to generate x509 certificates with extKeyUsage #96 (madchap)
• Add the x509_extensions directive to support SAN in certificate #89 (johnbillion)
• Changes to support unencrypted CSRs #84 (WetHippie)

Closed issues:

• dhparam doesn't work without 'ensure' #90
• Request for ability to create unencrypted private key #83
• Can't add SAN records #44

Merged pull requests:

• Fix spec tests #97 (coreone)
• Update dhparams example in README.md #92 (tlcowling)

1.10.0 (2017-04-18)

Full Changelog

Breaking changes:

• Make the $fastmode parameter for openssl::dhparam default to false. #86 (rpasing)
• Fastmode, Default Keysize increased, path defaults to name #80 (c33s)

Implemented enhancements:

• Data types #87 (raphink)
• Add definitions to export PEM cert/key from PKCS12 container #85 (michalmiddleton)

Closed issues:

• Add "fastmode" for dhparam generation #79
• Readme for dhparam wrong? #78

1.9.0 (2017-01-10)

Full Changelog

Implemented enhancements:

• handle refresh (RE: #71) #75 (gaima8)
• Check if there are matches before returning #74 (raphink)

Closed issues:

• x509_request doesn't handle refresh #71

Merged pull requests:

• Error: Unknown authentication type 'dsa' when setting authentication #72 (christophelec)

1.8.2 (2016-08-19)

Full Changelog

1.8.1 (2016-08-19)

Full Changelog

Closed issues:

• Error "failure to load inifile" resulting in failed Puppet run #63

Merged pull requests:

• Use Puppet::Util::Inifile instead of Inifile #73 (raphink)

1.8.0 (2016-08-18)

Full Changelog

Merged pull requests:

• Add argument key_size to openssl::certificate::x509 #55 (kronos-pbrideau)

1.7.2 (2016-06-29)

Full Changelog

Closed issues:

• dhparam generation fails #58

Merged pull requests:

• Fix validation of the size parameter #70 (mmalchuk)

1.7.1 (2016-03-30)

Full Changelog

Closed issues:

• Error: Facter: error while resolving custom fact "openssl_version" #62

Merged pull requests:

• fixes #62 - error resolving openssl_version on RHEL 6 #66 (mike-es)
• altnames can represent ip addresses #61 (garrettrowell)

1.7.0 (2016-03-18)

Full Changelog

Closed issues:

• Add openssl_version fact #57

Merged pull requests:

• Fixes #57 #60 (jyaworski)

1.6.1 (2016-02-22)

Full Changelog

Merged pull requests:

• Fix failure to load inifile causing Puppet agent to fail. #56 (olavmrk)

1.6.0 (2016-02-18)

Full Changelog

Implemented enhancements:

• dhparam: add #53 (josephholsten)
• Change cert existance logic #51 (sorrowless)

1.5.1 (2015-11-17)

Full Changelog

Implemented enhancements:

• packages: switch to stlib ensure_packages() to play nice with other modules which install ca-certificates #52 (josephholsten)
• Manage ca-certificates package on redhat too #49 (edestecd)

Closed issues:

• ca-certificates package is available in redhat also #47

1.5.0 (2015-09-23)

Full Changelog

Implemented enhancements:

• Make it easy to customize cnf/crt/csr/key paths #46 (robbat2)

1.4.0 (2015-09-15)

Full Changelog

Merged pull requests:

• Fix san use in certificate #50 (sorrowless)

1.3.10 (2015-08-21)

Full Changelog

Closed issues:

• No way to set desired openssl package version #35

Merged pull requests:

• Allow to set package version #48 (edestecd)

1.3.9 (2015-06-26)

Full Changelog

1.3.8 (2015-05-28)

Full Changelog

1.3.7 (2015-05-26)

Full Changelog

1.3.6 (2015-05-26)

Full Changelog

Merged pull requests:

• Add key_mode/group/owner parameters #45 (robbat2)

1.3.5 (2015-05-25)

Full Changelog

1.3.4 (2015-05-13)

Full Changelog

1.3.3 (2015-05-12)

Full Changelog

1.3.2 (2015-04-27)

Full Changelog

1.3.1 (2015-04-17)

Full Changelog

1.3.0 (2015-04-03)

Full Changelog

Closed issues:

• Google has depreciated sha1 for certs #36

Merged pull requests:

• templates/cert.cnf.erb: Use sha256 instead of sha1 by default #43 (lathiat)

1.2.8 (2015-03-24)

Full Changelog

1.2.7 (2015-03-10)

Full Changelog

Merged pull requests:

• Remove useless ca-certificates file management #38 (ckaenzig)

1.2.6 (2015-02-18)

Full Changelog

1.2.5 (2015-01-19)

Full Changelog

1.2.4 (2015-01-07)

Full Changelog

1.2.3 (2015-01-05)

Full Changelog

1.2.2 (2014-12-18)

Full Changelog

1.2.1 (2014-12-18)

Full Changelog

1.2.0 (2014-12-09)

Full Changelog

1.1.0 (2014-11-25)

Full Changelog

Closed issues:

• Generating pkcs12 Certificate #33

Merged pull requests:

• Pkcs12 modifications #34 (cjeanneret)

1.0.1 (2014-11-17)

Full Changelog

1.0.0 (2014-10-20)

Full Changelog

Closed issues:

• Improve doc to show how to generate password-free certs #30

Merged pull requests:

• Improvement in doc to show how to generate password-free certs #32 (atxulo)

0.3.2 (2014-09-23)

Full Changelog

0.3.1 (2014-07-04)

Full Changelog

Merged pull requests:

• Puppet 3 fixes, cleanup #31 (foonix)

0.3.0 (2014-07-02)

Full Changelog

Closed issues:

• RANDFILE not correct on ubuntu 12.04.04 #29
• Add the ability to specify the version of openssl that you want installed #24
• Push new version to the Forge #22
• Fix dependency issue with puppetlabs-stdlib (version number wrong) #17
• creating a cert doesn't include altnames #13

0.2.0 (2014-03-03)

Full Changelog

Closed issues:

• Replace has_variable? test with simple if @var test in templates/cert.cnf.erb #16
• incorrect check against undef in default template #15
• Wrong command called #1

Merged pull requests:

• Fix bug with x509_Request not having the cnf template present #28 (jrnt30)
• Document 'group' parameter #27 (pataquets)
• Add 'group' parameter to x509 certificate. #26 (pataquets)
• Added certificate signing request dependency on configuration template #25 (tylerwalts)
• Fix for issue 16 #21 (ghost)
• Ignore Gemfile.lock #20 (ghost)
• Deprecation warnings when running rake spec #19 (ghost)
• Deprecation warning when running bundle install #18 (ghost)
• Add cnf_tpl param to openssl::certificate::x509. #12 (Sliim)
• Fix puppet-lint link in README.md #11 (Sliim)
• Update Modulefile to work with other modules requiring stdlib #10 (LarsFronius)
• Add x509_cert and x509_csr types and providers #9 (raphink)
• Export pkcs12 without password #8 (raphink)
• openssl: added support for various distributions. #5 (mfournier)
• openssl::export::pkcs12 - new definition. name says it all #3 (cjeanneret)
• openssl::certificate::x509 - corrected call to script #2 (cjeanneret)

* This Changelog was automatically generated by github_changelog_generator