Forge Home


Installs trusted PEM anchors into the system bundle.




455 latest version

5.0 quality score

Version information

  • 1.1.7 (latest)
  • 1.1.6
  • 1.1.5
  • 1.1.4
  • 1.1.3
  • 1.1.2
  • 1.1.1
  • 1.1.0
  • 1.0.1
  • 1.0.0
released Apr 26th 2021
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
  • Puppet >= 5.5.0 < 7
  • CentOS
  • rebuild

Start using this module


phoenixnap/ca_trust — version 1.1.7 Apr 26th 2021


Table of Contents


Manage CA Trust anchors within the ca-certificates framework.

Supported Platforms

  • RedHat & Derivatives >= 6.x
  • Debian & Derivatives >= 8.x
  • Fedora >= 25

Note: RedHat 6, and deriviates, alongside Debian 8 are now depricated. The EOL of these products is less than a year away. Support for these products will be removed when they reach end of life.

CentOS 8 and Ubuntu 20 do not yet undergo acceptance testing. All other testing applies, but beaker is not yet ready to support these platforms.

Module Description

The ca_trust module is for managing additions to the root CA bundle supplied by OS vendors. Used by applications to establish trust, the root CA bundle is usually shipped containing only 3rd party or commercial CA certificates. Administrators are expected to add their own internal or self signed certificates to the OS vendor supplied bundles as needed.

The module currently supports adding PEM encoded CA anchors.


To prepare supported operating systems to receive new trusted CA anchors.

include ca_trust

To do the same, but include non-standard options.

class { '::ca_trust':
  cert_dir => '/some/other/directory',

See [Reference](REFERENCE#ca_trust) for all options supported by the main class.


On supported operating systems, the [Setup](#setup) process is entirely unnecessary, simply begin by declaring any [ca_trust::pem::anchors](#pem-anchors) necessary.

If things need to be customized, then the ca_trust main class can be specified explicitly, like it is in the [Setup](#setup) section. Alternatively, the ca_trust main class may be customized via hiera.

# Hiera YAML file.
# Use some other command to update root bundle certificates instead of
# OS default.
ca_trust::update_cmd: /some/other/binary
# Puppet profile.

include ca_trust

Legacy PEM Anchors

To install new CA certificates into the operating system's trusted bundle, use the ca_trust::pem::anchor type. When specifying anchors, do not specify the filename extension (.crt, .pem, etc.). Some platforms are picky about the extension used, so the module will choose the appropriate default for the platform. For instance, Debian expects the certificates to end in .crt.

ca_trust::pem::anchor { 'self-signed':
  source => 'puppet:///modules/profile/node-one/self-signed-cert.pem',

ca_trust::pem::anchor { 'expired-cert':
  ensure => 'absent',

ca_trust::pem::anchor { 'My Company\'s Internal CA':
  source   => 'puppet:///modules/profile/organization-ca.pem',
  filename => 'org-ca',

$cert_data = @(EOT)
...blah blah blah, PEM encoded certificate here....

ca_trust::pem::anchor { 'Org-CA':
  content => $cert_data,

For convienience you may also specify any anchors you'd like when you declare the ca_trust class, if you are doing so explicitly.

class { '::ca_trust':
  update_cmd => '',
  anchors    => {
    'org-ca' => {
      'source' => 'puppet:///modules/profile/my-company-ca.pem',
    'expired-ca' => {
      'ensure' => 'absent',

Anchors from Hiera

The class ca_trust::pem::anchors is included for hiera convienience. With it, you may pass in a hash of ca_trust::pem::anchor resources to manage.

# Node's hiera yaml.
    source: puppet:///modules/profile/my-company-ca.pem
    ensure: absent
    content: >
      ----- BEGIN CERTIFICATE ------
      .... cert data here .....
      ----- END CERTIFICATE -----


The following facts are exposed.

trust_bundle - On supported operating systems this fact resolves to the path of the system-wide trusted CA bundle. bundled_authorities - This fact exposes pertinent information for each certificate in the bundle. It returns a hash, keyed on fingerprint.


$:facts['bundled_authorities'] = {
  b561ebeaa4dee4254b691a98a55747c234c7d971 => {
    subject => "/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2",
    issuer => "/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2",
    not_before => "2012-07-19 09:15:30 UTC",
    not_after => "2042-07-19 09:15:30 UTC"
  e2b8294b5584ab6b58c290466cac3fb8398f8483 => {
    subject => "/C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT",
    issuer => "/C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT",
    not_before => "2012-08-08 03:07:01 UTC",
    not_after => "2029-12-31 03:07:01 UTC"


ca_trust::rebuild - Rebuilds the system's CA trust bundle using the operating system's prescribed manner. Note that this rebuild will include any ca_trust::pem::anchors already installed on the system. This will not reset the bundle to system default.


This module has been converted to use the [Puppet Development Kit](

Source Validation

pdk validate

Unit Testing

pdk test unit

For better output, or to debug a specific spec, the old standby bundle exec rake spec_prep and bundle exec rspec <filename> still functions flawlessly. Be sure to run bundle exec rake spec_clean before going back to pdk test unit though.


  • When beaker is ready to support CentOS 8 and Ubuntu 20, add them to nodesets.
  • Eventually support should be added for Windows platforms, to install new CA's into the system or user Certificate databases.


See the [change log](CHANGELOG).