Version information
This version is compatible with:
- , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'jlambert121-trusted_ca', '1.1.0'Learn more about managing modules with a PuppetfileDocumentation
Table of Contents
- Overview
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with trusted_ca
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Changelog/Contributors
Overview
A puppet module to manage the distribution's trusted certificates and install trusted SSL certificates into the system's trusted keystore and java's keystore's.
Module Description
Many organizations use self-signed SSL certificates for internal services that need to be trusted by other hosts. This puppet module will install SSL certificates into a host's system-wide trusted CA files (which are used by distribution-provided java packages) as well as a define for installing certificates into java installations not provided by the distribution.
Setup
What trusted_ca affects
- Distribution-provided trusted SSL certificates package
- System-wide additional trusted SSL certificates
- SSL certificates installed into java trusted certificate keystore
Beginning with trusted_ca
To install trusted_ca
puppet module install jlambert121-trusted_ca
Dependencies:
- puppetlabs/stdlib
Usage
Manage only distribution-specific trusted certificates
class { 'trusted_ca': }
Install a self-signed SSL certificate into the system's global trusted keystore from a source file
class { 'trusted_ca': }
trusted_ca::ca { 'mycompany.org':
source => 'puppet:///ssl/mycompany.org.crt',
}
Install a self-signed SSL certificate into a java keystore from a source file
class { 'trusted_ca': }
trusted_ca::java { 'mycompany.org':
source => 'puppet:///ssl/mycompany.org/crt',
java_keystore => '/usr/local/java/lib/security/cacerts',
}
Install a certificate into the system's global trusted keystore from a PEM-encoded string (eg from hiera)
class { 'trusted_ca': }
trusted_ca::ca { 'example.net':
content => hiera("example-net-x509"),
}
Reference
Public classes
trusted_ca
certificates_version
String. Version of the distribution-specific trusted certificates. Examples would be 'latest' or a specific version.
certs_package
String. Package name of the distribution-specific trusted certificates. Default is OS/Distribution specific.
path
String/Array of String. List of paths for the update_command.
install_path
String. Location to install the trusted certificates.
update_command
String. Command to rebuild the system-trusted certificates.
certfile_suffix
String. Suffix of certificate files. Default is OS/Distribution dependent, i.e. 'pem' or 'crt'.
Public defines
trusted_ca::ca
source
String. Source of the certificate to include. Must be a file in PEM format with crt extension. You must specify either source or content, but not both. If source is specified, content is ignored.
content
String. Content of certificate in PEM format. You must specify either source or content, but not both. If source is specified, content is ignored.
install_path
String. Destination of the certificate file for processing. Defaults to the install_path from the class, but can be overridden per certificate.
certfile_suffix
String. Suffix of certificate files. Default is OS/Distribution dependent, i.e. 'pem' or 'crt'.
trusted_ca::java
source
String. Source of the certificate to include. Must be a file in PEM format with crt extension. You must specify either source or content, but not both. If source is specified, content is ignored.
content
String. Content of certificate in PEM format. You must specify either source or content, but not both. If source is specified, content is ignored.
java_keystore
String. Location of of the java cacerts keystore file.
Private classes
- trusted_ca::params: Defaults for the trusted_ca module
Limitations
Tested on:
- CentOS 6, 7
- Ubuntu Server 10.04, 12.04, 14.04
- SLES 11 SP3
- OpenSuSE 13.1
This module assumes the keytool and openssl utilities are available.
Development
Improvements and bug fixes are greatly appreciated. See the contributing guide for information on adding and validating tests for PRs.
Changelog / Contributors
20160225 v1.1.0 Add support for SLES 12, Ubuntu 15.10 Renamed from evenup to jlambert121 20151019 v1.0.1 Fix relationship with jks 20150108 v1.0.0 Rewrote module to use system methods for trusted certificates Add separate java define for java keystores Add acceptance tests Remove dependency on puppetlabs/concat 20141219 v0.3.0 Allow specifying java_keystore file Doc fixes 20140815 v0.2.0 Update certificate install method 20130913 v0.1.2 Java class required for keytool 20130912 v0.1.1 Fix path 20130912 v0.1.0 Add ability to add CA to java keyfile Spec updates v0.0.2: Fix documentation v0.0.1: Initial release
Dependencies
- puppetlabs/stdlib (>=3.2.0 <5.0.0)
Copyright 2013 EvenUp Inc
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.