Manage X509 certificates
New in version Beryllium.
salt.modules.x509.
create_certificate
(path=None, text=False, ca_server=None, **kwargs)¶Create an X509 certificate.
True
, return the PEM text without writing to a file. Default False
.Request a remotely signed certificate from ca_server. For this to work, a signing_policy
must
be specified, and that same policy must be configured on the ca_server. See signing_policy
for
details. Also the salt master must permit peers to call the sign_remote_certificate
function.
Example:
/etc/salt/master.d/peer.conf
peer:
.*:
- x509.sign_remote_certificate
Any of the values below can be incldued to set subject properties Any other subject properties supported by OpenSSL should also work.
signing_cert
, public_key
, or csr
are included, it will be assumed that
this is a self-signed certificate, and the public key matching signing_private_key
will
be used to create the certificate.public_key
or csr
are
specified, it will be assumed that this is a self-signed certificate, and the public key
derived from signing_private_key
will be used. Specify either public_key
or csr
,
not both. Because you can input a CSR as a public key or as a CSR, it is important to understand
the difference. If you import a CSR as a public key, only the public key will be added
to the certificate, subject or extension information in the CSR will be lost.The following arguments set X509v3 Extension values. If the value starts with ``critical ``, the extension will be marked as critical
Some special extensions are subjectKeyIdentifier
and authorityKeyIdentifier
.
subjectKeyIdentifier
can be an explicit value or it can be the special string hash
.
hash
will set the subjectKeyIdentifier equal to the SHA1 hash of the modulus of the
public key in this certificate. Note that this is not the exact same hashing method used by
OpenSSL when using the hash value.
authorityKeyIdentifier
Use values acceptable to the openssl CLI tools. This will
automatically populate authorityKeyIdentifier
with the subjectKeyIdentifier
of
signing_cert
. If this is a self-signed cert these values will be the same.
notAfter
property
of the certificate. Defaults to 365.version=3
sets the certificate version field to 0x2.serial_bits
is generated.A signing policy that should be used to create this certificate. Signing policies should be defined
in the minion configuration, or in a minion pillar. It should be a yaml formatted list of arguments
which will override any arguments passed to this function. If the minions
key is included in
the signing policy, only minions matching that pattern will be permitted to remotely request certificates
from that policy.
Example:
x509_signing_policies:
www:
- minions: 'www*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical CA:false"
- keyUsage: "critical cRLSign, keyCertSign"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: 90
- copypath: /etc/pki/issued_certs/
The above signing policy can be invoked with signing_policy=www
CLI Example:
salt '*' x509.create_certificate path=/etc/pki/myca.crt \
signing_private_key='/etc/pki/myca.key' csr='/etc/pki/myca.csr'}
salt.modules.x509.
create_crl
(path=None, text=False, signing_private_key=None, signing_cert=None, revoked=None, include_expired=False, days_valid=100)¶Create a CRL
Depends: |
|
---|
True
, return the PEM text without writing to a file. Default False
.A list of dicts containing all the certificates to revoke. Each dict represents one
certificate. A dict must contain either the key serial_number
with the value of
the serial number to revoke, or certificate
with either the PEM encoded text of
the certificate, or a path ot the certificate to revoke.
The dict can optionally contain the revocation_date
key. If this key is ommitted
the revocation date will be set to now. If should be a string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the not_after
key. This is redundant if the
certificate
key is included. If the Certificate
key is not included, this
can be used for the logic behind the include_expired
parameter.
If should be a string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the reason
key. This is the reason code for the
revocation. Available choices are unspecified
, keyCompromise
, CACompromise
,
affiliationChanged
, superseded
, cessationOfOperation
and certificateHold
.
False
.CLI Example:
salt '*' x509.create_crl path=/etc/pki/mykey.key signing_private_key=/etc/pki/ca.key \
signing_cert=/etc/pki/ca.crt \
revoked="{'compromized-web-key': {'certificate': '/etc/pki/certs/www1.crt', \
'revocation_date': '2015-03-01 00:00:00'}}"
salt.modules.x509.
create_csr
(path=None, text=False, **kwargs)¶Create a certificate signing request.
True
, return the PEM text without writing to a file. Default False
.x509.create_certificate
can be used.CLI Example:
salt '*' x509.create_csr path=/etc/pki/myca.csr public_key='/etc/pki/myca.key' CN='My Cert
salt.modules.x509.
create_private_key
(path=None, text=False, bits=2048)¶Creates a private key in PEM format.
path
or text
are required.True
, return the PEM text without writing to a file. Default False
.CLI Example:
salt '*' x509.create_private_key path=/etc/pki/mykey.key
salt.modules.x509.
get_pem_entries
(glob_path)¶Returns a dict containing PEM entries in files matching a glob
CLI Example:
salt '*' x509.read_pem_entries "/etc/pki/*.crt"
salt.modules.x509.
get_pem_entry
(text, pem_type=None)¶Returns a properly formatted PEM string from the input text fixing any whitespace or line-break issues
CLI Example:
salt '*' x509.get_pem_entry "-----BEGIN CERTIFICATE REQUEST-----MIICyzCC Ar8CAQI...-----END CERTIFICATE REQUEST"
salt.modules.x509.
get_private_key_size
(private_key)¶Returns the bit length of a private key in PEM format.
CLI Example:
salt '*' x509.get_private_key_size /etc/pki/mycert.key
salt.modules.x509.
get_public_key
(key)¶Returns a string containing the public key in PEM format.
CLI Example:
salt '*' x509.get_public_key /etc/pki/mycert.cer
salt.modules.x509.
get_signing_policy
(signing_policy_name)¶Returns the details of a names signing policy, including the text of the public key that will be used to sign it. Does not return the private key.
CLI Example:
salt '*' x509.get_signing_policy www
salt.modules.x509.
read_certificate
(certificate)¶Returns a dict containing details of a certificate. Input can be a PEM string or file path.
CLI Example:
salt '*' x509.read_certificate /etc/pki/mycert.crt
salt.modules.x509.
read_certificates
(glob_path)¶Returns a dict containing details of a all certificates matching a glob
CLI Example:
salt '*' x509.read_certificates "/etc/pki/*.crt"
salt.modules.x509.
read_crl
(crl)¶Returns a dict containing details of a certificate revocation list. Input can be a PEM string or file path.
Depends: |
|
---|
CLI Example:
salt '*' x509.read_crl /etc/pki/mycrl.crl
salt.modules.x509.
read_csr
(csr)¶Returns a dict containing details of a certificate request.
Depends: |
|
---|
CLI Example:
salt '*' x509.read_csr /etc/pki/mycert.csr
salt.modules.x509.
sign_remote_certificate
(argdic, **kwargs)¶Request a certificate to be remotely signed according to a signing policy.
CLI Example:
salt '*' x509.sign_remote_certificate argdic="{'public_key': '/etc/pki/www.key', \
'signing_policy': 'www'}" __pub_id='www1'
salt.modules.x509.
verify_crl
(crl, cert)¶Validate a CRL against a certificate. Parses openssl command line output, this is a workaround for M2Crypto's inability to get them from CSR objects.
CLI Example:
salt '*' x509.verify_crl crl=/etc/pki/myca.crl cert=/etc/pki/myca.crt
salt.modules.x509.
verify_private_key
(private_key, public_key)¶Verify that 'private_key' matches 'public_key'
CLI Example:
salt '*' x509.verify_private_key private_key=/etc/pki/myca.key public_key=/etc/pki/myca.crt
salt.modules.x509.
verify_signature
(certificate, signing_pub_key=None)¶Verify that certificate
has been signed by signing_pub_key
CLI Example:
salt '*' x509.verify_private_key private_key=/etc/pki/myca.key public_key=/etc/pki/myca.crt
salt.modules.x509.
write_pem
(text, path, pem_type=None)¶Writes out a PEM string fixing any formatting or whitespace issues before writing.
CERTIFICATE
or PUBLIC KEY
. Adding this
will allow the function to take input that may contain multiple pem types.CLI Example:
salt '*' x509.write_pem "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." path=/etc/pki/mycert.crt