Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'puppet-trusted_ca', '5.1.0'
Table of Contents
- Overview
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with trusted_ca
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Changelog/Contributors
Overview
A Puppet module to manage the distribution's trusted certificates package and to install additional trusted SSL certificates into the system's trust store and into Java keystores.
Module Description
Many organizations use self-signed SSL certificates for internal services that need to be trusted by other hosts. This Puppet module installs SSL certificates into a host's system-wide trusted CA files (which are also used by distribution-provided Java packages) and provides a define for installing certificates into Java installations that are not provided by the distribution.
Setup
What trusted_ca affects
- Distribution-provided trusted SSL certificates package
- System-wide additional trusted SSL certificates
- SSL certificates installed into java trusted certificate keystore
Beginning with trusted_ca
To install trusted_ca:
puppet module install puppet-trusted_ca
Dependencies:
- puppetlabs/stdlib
Usage
Manage only distribution-specific trusted certificates
class { 'trusted_ca': }
Install a self-signed SSL certificate into the system's global trusted keystore from a source file
class { 'trusted_ca': }
trusted_ca::ca { 'mycompany.org':
source => 'puppet:///ssl/mycompany.org.crt',
}
Install a self-signed SSL certificate into a java keystore from a source file
class { 'trusted_ca': }
trusted_ca::java { 'mycompany.org':
source => 'puppet:///ssl/mycompany.org.crt',
java_keystore => '/usr/local/java/lib/security/cacerts',
}
Install a certificate into the system's global trusted keystore from a PEM-encoded string (e.g. from Hiera)
class { 'trusted_ca': }
trusted_ca::ca { 'example.net':
content => lookup('example-net-x509'),
}
Reference
Public classes
trusted_ca
certificates_version
String. Version of the distribution-specific trusted certificates. Examples would be 'latest' or a specific version.
certs_package
String. Package name of the distribution-specific trusted certificates. Default is OS/Distribution specific.
path
String/Array of String. List of paths for the update_command.
install_path
String. Location to install the trusted certificates.
update_command
String. Command to rebuild the system-trusted certificates.
certfile_suffix
String. Suffix of certificate files. Default is OS/Distribution dependent, e.g. 'pem' or 'crt'.
Public defines
trusted_ca::ca
source
String. Source of the certificate to include. Must be a file in PEM format with crt extension. You must specify either source or content, but not both. If source is specified, content is ignored.
content
String. Content of certificate in PEM format. You must specify either source or content, but not both. If source is specified, content is ignored.
install_path
String. Destination of the certificate file for processing. Defaults to the install_path from the class, but can be overridden per certificate.
certfile_suffix
String. Suffix of certificate files. Default is OS/Distribution dependent, e.g. 'pem' or 'crt'.
trusted_ca::java
source
String. Source of the certificate to include. Must be a file in PEM format with crt extension. You must specify either source or content, but not both. If source is specified, content is ignored.
content
String. Content of certificate in PEM format. You must specify either source or content, but not both. If source is specified, content is ignored.
java_keystore
String. Location of the Java cacerts keystore file.
Private classes
- trusted_ca::params: Defaults for the trusted_ca module
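The Usage examples and the parameters above combined into one profile, as an added example that is not part of the module's README: the same internal CA, read once from Hiera, is trusted system-wide and in a vendor JDK that the distribution's CA bundle does not cover. The class name profile::internal_ca, the Hiera key profile::internal_ca::pem and the JDK path /opt/jdk-17 are assumptions.

```puppet
# Added example, not from the puppet-trusted_ca README.
# Assumed names: profile::internal_ca, the Hiera key
# profile::internal_ca::pem and the vendor JDK path.
class profile::internal_ca (
  # PEM-encoded CA certificate (public certificate only) stored in Hiera.
  String $pem                         = lookup('profile::internal_ca::pem'),
  # Vendor JDK not provided by the distribution (assumed location).
  Stdlib::Absolutepath $vendor_jdk    = '/opt/jdk-17',
) {
  # Keep the distribution's CA bundle current so that CAs the vendor
  # has distrusted are removed along with it; 'latest' is one of the
  # values the certificates_version parameter documents.
  class { 'trusted_ca':
    certificates_version => 'latest',
  }

  # System-wide trust store: uses the class defaults for install_path,
  # certfile_suffix and update_command, so the distro's rebuild command
  # runs after the file is placed. content is used instead of source,
  # so no certificate file needs to live on the Puppet server.
  trusted_ca::ca { 'internal-root-ca':
    content => $pem,
  }

  # The vendor JDK reads its own cacerts keystore, not the system store,
  # so the same CA is imported there with the trusted_ca::java define.
  # The title becomes the keystore alias (case insensitive since v3.1.0).
  trusted_ca::java { 'internal-root-ca':
    content       => $pem,
    java_keystore => "${vendor_jdk}/lib/security/cacerts",
  }
}
```

The Hiera value is the certificate's PEM text (a multi-line YAML string beginning with -----BEGIN CERTIFICATE-----); distribution-packaged Java picks up the system store and needs no trusted_ca::java resource.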
Limitations
Tested on:
- EL 6
- EL 7
- Debian 8
- Debian 9
- SLES 11 SP3
- SLES 12 SP4
- SLES 15 SP1
- Ubuntu 16.04 LTS
- Ubuntu 18.04 LTS
This module assumes the keytool and openssl utilities are available.
Development
Improvements and bug fixes are greatly appreciated. See the contributing guide for information on adding and validating tests for PRs.
Changelog / Contributors
This module was originally known as jlambert121/trusted_ca but was forked into Voxpupuli because the original author no longer responded.
Changelog
All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
v5.1.0 (2024-08-21)
Implemented enhancements:
- Support Debian 11 & 12 + Ubuntu 22.04 & 24.04 #70 (ekohl)
- Support EL 9: Avoid running update-ca-trust twice #69 (ekohl)
- Convert to puppet-strings documentation #61 (ekohl)
- Use validate_cmd & expose filename parameter #60 (ekohl)
v5.0.0 (2023-08-02)
Breaking changes:
- require puppetlabs/stdlib 9 #52 (robertc99)
- Drop Puppet 6 support / Drop EoL Debian 9 #50 (bastelfreak)
- Default to using the installed version #48 (ekohl)
Implemented enhancements:
- Add Puppet 8 support #55 (bastelfreak)
v4.1.0 (2022-03-09)
Implemented enhancements:
- Drop requirement for CA sources to use platform-specific suffix #40 (optiz0r)
- Allow stdlib 8.x dependencies #39 (smortex)
v4.0.0 (2021-06-02)
This release drops compatibility with EOL distros. This means EL6 (which can no longer be tested since the CentOS repos have been removed), Ubuntu 16.04 (EOL since April 2021) and Debian 8 (LTS is EOL since July 2020, though there is ELTS).
Puppet 5 support is also dropped since it went EOL in February 2021.
It should be noted that this release is metadata-only. No code was changed.
Breaking changes:
- Drop Puppet 5 support #36 (ekohl)
- Drop Ubuntu 16.04 and Debian 8 support #35 (ekohl)
- Drop EL6 support #29 (ekohl)
Implemented enhancements:
- Mark compatible with Ubuntu 20.04 #33 (ekohl)
- Mark compatible with Puppet 7 #32 (ekohl)
- Mark compatible with puppetlabs/stdlib 7.x #31 (ekohl)
v3.1.0 (2020-05-11)
Breaking changes:
- drop Ubuntu 14.04 support #16 (bastelfreak)
Implemented enhancements:
- Add EL8 support #24 (ehelms)
- Add Debian 10 support #21 (ekohl)
- Make aliases stored in java keystore case insensitive #18 (pseiler)
Fixed bugs:
- keystore needs to be checked on each puppet run #15 (pseiler)
- fixed behaviour for SLES > 11, support SLES 15 #14 (pseiler)
Merged pull requests:
- Use voxpupuli-acceptance #23 (ekohl)
- updated supported distributions in README #19 (pseiler)
- Remove duplicate CONTRIBUTING.md file #17 (dhoppe)
v3.0.0 (2019-05-30)
Breaking changes:
- drop puppet 4 support. require at least puppet 5.5.8 #11 (bastelfreak)
Closed issues:
- Package[ca-certificates] is already declared at #8
Merged pull requests:
- allow puppetlabs-stdlib 6.x #10 (mmoll)
- (docs) Match documentation to metadata #6 (ghoneycutt)
v2.0.0 (2018-10-05)
Breaking changes:
- Drop Puppet <4.10.0 release #4
1.1.0
- Add support for SLES 12, Ubuntu 15.10
- Renamed from evenup to jlambert121
1.0.1
Fix relationship with jks
1.0.0
- Rewrote module to use system methods for trusted certificates
- Add separate java define for java keystores
- Add acceptance tests
- Remove dependency on puppetlabs/concat
0.3.0
- Allow specifying java_keystore file
- Doc fixes
0.2.0
Update certificate install method
0.1.2
Java class required for keytool
0.1.1
Fix path
0.1.0
- Add ability to add CA to java keyfile
- Spec updates
0.0.2
Fix documentation
0.0.1
Initial release
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/stdlib (>= 9.0.0 < 10.0.0)
Copyright 2013 EvenUp Inc Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.