Forge Home


Manage TLS data (private keys, certificates)


156 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.8.0 (latest)
  • 0.7.0
  • 0.6.1
  • 0.6.0 (deleted)
  • 0.5.0
  • 0.4.0
  • 0.3.7
  • 0.3.6
  • 0.3.5
  • 0.3.4 (deleted)
  • 0.3.3 (deleted)
released Sep 29th 2023
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
  • Puppet >= 5.5.0 < 9.0.0
  • cfssl
  • update

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'aursu-tlsinfo', '0.8.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add aursu-tlsinfo
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install aursu-tlsinfo --version 0.8.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



aursu/tlsinfo — version 0.8.0 Sep 29th 2023


Table of Contents

  1. Description
  2. Setup - The basics of getting started with tlsinfo
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.


tlsinfo module rpovide ability to manage x509 certificates and private keys on server node with proper validation checking (over dates, CA issuers, common names etc)

Also there is tlsinfo::tools::cfssl which installs CloudFlare CF SSL toolkits into /usr/local/bin

There are useful defined types provided:

  • tlsinfo::certpair
  • tlsinfo::certificate

See for details


Beginning with tlsinfo

Module provides two custom types:

sslkey { '/etc/pki/tls/private/':
  ensure   => present,
  password => 'SecureSecret',
  path     => '/etc/pki/tls/private/',
  replace  => true,
  content  => lookup('www_domain_com_private', String, 'first'),


sslcertificate { '':
  ensure   => present,
  path     => '/etc/pki/tls/certs/',
  pkey     => '/etc/pki/tls/private/',
  cacert   => true,
  replace  => true,
  chain    => true,
  strict   => true,
  identity => ['', ''],
  content  => lookup('www_domain_com_certificate', String, 'first'),


sslkey title

Must be full path to private key because Sslcertificate[pkey] has requirement to be absolute path.


Default value is present

If defined as absent - private key file will be removed by unlink()


Encrypted private key password. Must be a String or nil (undef). Can not be empty string.


Absolute path to Private key file. It is namevar parameter (set to title value if not specified). Required parameter.


Boolean. Default value is true.

If true than content value will replace existing private key file. Otherwise - noop.


String. Required parameter

Must not be empty. Should be valid RSA private key in DER or PEM encoding form. Key size must be greate or equal 2048 bits


SSL certificate provided via content parameter will be checked over pkey private key.

sslcertificate title

By default it should be full path to certificate file (eg /etc/pki/tls/certs/4f06f81d.pem) but not neccesarry.

Could be any string.

Sslcertificate type applies title pattern to get name variable parameter path. Therefore path if not defined will be set to title value (trimming last hashes /)


Default value is present

If defined as absent - certificate file will be removed by unlink()

sslcertificate::subject_hash (readonly)

Represent certificate subject hash openssl x509 -subject_hash

sslcertificate::subject_hash_old (readonly)

Represent certificate subject old hash openssl x509 -subject_hash_old


Absolute path to certificate file. It is namevar parameter (set to title value if not specified). Required parameter.


Absolute path to Private key file. Required parameter.

Puppet catalog should consist Sslkey resource with title that match pkey parameter.


Default value: undef

Possible values are:

  • true (Intermediate CA should be defined in Puppet catalog as Sslcertificate resource),
  • false (we don't care about Intermediate CA),
  • String. Any of certificate path, Sslcertificate resource title, certificate subject hash (openssl x509 -subject_hash) or old hash (openssl x509 -subject_hash_old). Should be defined in Puppet catalog as Sslcertificate resource
  • Array of strings (list of CA certificates)


Boolean. Default value is true.

If true than content value will replace existing certificate file. Otherwise - noop.


Boolean. Default is true

If true than Intermediate CA certificate will be placed into PEM file.


Boolean. Default is false

If true than content of Root CA will be included into PEM file if CA bundle exists on host This option is useful for self-signed CA


Boolean. Default is true

If true and cacert specified than cert chain will be checked over root certificate bundle (catalog compilation will fail if CA certificate is not valid)


Certificate identities. Could be String or list of strings

Each identity will be checked over Common Name or Alternative Names (DNS). If any of them missed - resource compilation will fail.


Certificate PEM data. Required parameter. Can not be empty

It should be valid x509 certificate with valid term of validity


It is required to include tlsinfo module into current scope to make parmeters tlsinfo::certbase and tlsinfo::keybase available

include tlsinfo


  tlsinfo::certificate { 'LetsEncryptAuthorityX3':
    cert => file('profile/certs/LetsEncryptAuthorityX3.crt'),

  $server_name = ''
  tlsinfo::certpair { $server_name:
    identity => true,

  # get certificate data from Hiera
  $certdata = tlsinfo::lookup($server_name)

  $ssl_cert_path = tlsinfo::certpath($certdata)
  $ssl_key_path = tlsinfo::keypath($certdata)

  class { 'profile::registry::nginx':
    server_name      => $server_name,
    ssl              => true,
    ssl_cert         => $ssl_cert_path,
    ssl_key          => $ssl_key_path,
    require          => Tlsinfo::Certpair[$server_name],

In this example defined type Tlsinfo::Certificate will create certificate /etc/pki/tls/certs/4f06f81d.pem (4f06f81d is a certificate subject hash).

Tlsinfo::Certpair will look for registry_domain_com_certificate and registry_domain_com_private keys through Hiera (this behavior defined by function tlsinfo::lookup).

It will define certpair Sslcertificate[/etc/pki/tls/certs/] and Sslkey[/etc/pki/tls/private/].

By default certificate file /etc/pki/tls/certs/ will consists Intermediate CA certificate on the bottom if such Intermediate CA certificate exists in Puppet catalog (defined via Tlsinfo::Certificate)

Path to certificate could be get via function tlsinfo::certpath and path to private key - via tlsinfo::keypath




Module uses Ruby library 'openssl'

For unknown reasons this library has unpredicted behavior like:

1) returns old hash instead of new (for certificate Subject and Issuer fields) therefore both hashes in use for certificates lookup 2) returns negative (signed) values for Subject and Issuer hashes (eg -ece330c instead of f131ccf4)

Therefore it is better to use module functions for default path calculation (tlsinfo::certpath and tlsinfo::keypath)