Forge Home


Manage system CA certificates


2,474 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.5.0 (latest)
  • 2.4.0
  • 2.3.2
  • 2.3.1
  • 2.3.0
  • 2.2.0
  • 2.1.5
  • 2.1.4
  • 2.1.2
  • 2.1.1 (deleted)
  • 2.1.0
  • 2.0.0
  • 1.8.0
  • 1.7.1
  • 1.7.0
  • 1.6.1
  • 1.6.0
  • 1.5.1
  • 1.5.0
  • 1.4.2
  • 1.4.1
  • 1.4.0
  • 1.3.0
  • 1.2.0
  • 1.1.1
  • 1.1.0
  • 1.0.0
  • 0.9.1
  • 0.9.0
  • 0.1.1
  • 0.1.0
released Oct 17th 2023
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 9.0.0
  • , , , , Archlinux

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'pcfens-ca_cert', '2.5.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add pcfens-ca_cert
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install pcfens-ca_cert --version 2.5.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



pcfens/ca_cert — version 2.5.0 Oct 17th 2023


Build Status


The ca_cert module tries to provide a simple way to manage Certificate Authority (CA) certificates on a Linux system. (Patches are welcome to help support other operating sytems)


After the ca_cert module has been declared add CA certificates with the ca_cert::ca definition.


ca_cert ensures that the locations and tools needed to manage the CAs are present on your system.

Optional parameters:

  • always_update_certs: Run your system's update CA command even when there are no updates needed. (defaults to false)
  • purge_unmanaged_CAs: Purge non-OS default CAs from the system. This will only remove CAs that might be installed using your OS's default management method. (defaults to false)
  • install_package: Whether or not this module should install the ca_certificates package. The package contains the default trusted (typically Mozilla) CA certificates, as well as the tools required for this module to manage other installed CA certificates. (defaults to true)
  • ca_certs: A hash of certificates you would like added. These may also be defined by declaring ca_cert::ca once for each certificate.
  • force_enable: For RHEL 6 and earlier. When set to true, creates backups of the legacy config, removes it, and creates symlinks to the new config.


CAs can be added as URLs, text, or a puppet managed file

ca_cert::ca { 'GlobalSign-OrgSSL-Intermediate':
  ensure => 'trusted',
  source => '',
ca_cert::ca { 'GlobalSign-OrgSSL-Intermediate':
  ensure => 'trusted',
  source => 'puppet:///modules/profiles/CAs/InCommon.crt',


  • ca_text: The text of the CA certificate to install. Required if text is the source (default). If a different source is specified this parameter is ignored.

  • source: Where the CA certificate should be retrieved from. text, http, https, ftp, file, and puppet protocols/sources are supported. If text, then the ca_text parameter is also required. Defaults to text.

          **Warning**: certificates delivered via http, https, or ftp won't be
          updated if the upstream source changes.
          **SLES 11 Specific Detail**: Cert File must be in `.pem` format
  • ensure: Whether or not the CA certificate should be on the system or not. Valid values are trusted, present, distrusted, and absent. Trusted is the same as present. On Debian systems untrusted is the same as absent. On RedHat based systems untrusted certificates are placed in a different path before calling the update command. (defaults to trusted)

  • verify_https_cert: If a certificate is retrieved over HTTPS, whether or not the server's certificate should be validated against the fetching machine's trusted CA list or not. (defaults to true)

  • checksum: The file will be downloaded if the checksum does not match this value. See the checksum parameter at lwf/puppet-remote_file for details.

Supported Platforms

This module has been tested on Ubuntu 14.04, Ubuntu 12.04, CentOS 6, SLES 11, SLES 12, OpenSuSE 13.1, OpenSuSE 13.2 and OpenSuSE 42.1 Leap.