pki

Manages non-Puppet PKI keys and certificates

Version information

  • 6.6.0 (latest)
  • 6.4.0
  • 6.3.0
  • 6.2.1
  • 6.2.0
  • 6.1.1
  • 6.1.0
  • 6.0.4
  • 6.0.3
  • 6.0.2
  • 6.0.1
  • 6.0.0
  • 4.2.5
  • 4.2.4
  • 4.2.3
released Sep 30th 2016

Start using this module

Add this module to your Puppetfile:

mod 'simp-pki', '4.2.4'

Add this module to your Bolt project:

bolt module add simp-pki

Manually install this module globally with Puppet module tool:

puppet module install simp-pki --version 4.2.4

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: certs, key, pki, simp, cert

Documentation

simp/pki — version 4.2.4 Sep 30th 2016

simp-pki

Table of Contents

  1. Description
  2. Setup - The basics of getting started with simp-pki
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Description

This module manages non-Puppet PKI keys that are hosted on the Puppet server. The keys must be kept under the PKI module at ${environment}/modules/pki/files/keydist.

The keydist directory must have the following structure:

${environment}/modules/pki/files/keydist/
  - cacerts
    - Any X.509 PEM formatted CA certificates that you want to serve to your
      clients. Do NOT hash these certificates. This will be done on the client
      side.
  - <fqdn>
    - cacerts
      - Any X.509 PEM formatted CA certificates that you want to serve to your
        clients. Do NOT hash these certificates. This will be done on the
        client side.
    - <fqdn>.pem -> Client Private Key
    - <fqdn>.pub -> Client Public Key

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA or you can find us on HipChat.

Setup

What simp-pki affects

This module both adds your client X.509 PKI keys to the system at /etc/pki/{cacerts,private,public} and provides the ability to copy those certificates (or other certificates in the same directory format) into application spaces.

Setup Requirements

The main functionality of this module is supported by the use of a Puppet Server. However, the pki::copy functionality may be used without connectivity to the Puppet Server.

To use the server side functionality, you must have a special keydist Puppet share.

The following is the recommended addition to auth.conf for realizing this share:

# Everyone gets access to the cacerts and mcollective
path ~ ^/file_(metadata|content)/modules/pki/keydist/cacerts
allow *


# Allow access to the keydist space for only the nodes that match via
# certificate name
path ~ ^/file_(metadata|content)/modules/pki/keydist/([^/]+)
allow $2
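
The following Ruby sketch is an added example, not code from the simp-pki module or from Puppet. It models the two rules above under stated assumptions (rules are tried in order, the first matching rule decides, `$2` expands to the second capture group) and shows that the first pattern, which has no trailing anchor, also matches a keydist directory whose name merely begins with `cacerts`. The hostnames, the `TIGHTENED_RULES` pattern and all function names are constructed for illustration.

```ruby
# Simplified model of how the two auth.conf rules above are evaluated.
# Assumptions: rules are tried in order, the first rule whose path regex
# matches decides, and $N in an allow line expands to capture group N.
PAGE_RULES = [
  { path: %r{^/file_(metadata|content)/modules/pki/keydist/cacerts}, allow: '*' },
  { path: %r{^/file_(metadata|content)/modules/pki/keydist/([^/]+)}, allow: '$2' }
].freeze

# Hypothetical tightening (not from the module): require "cacerts" to be a
# whole path segment so only the shared CA directory is readable by everyone.
TIGHTENED_RULES = [
  { path: %r{^/file_(metadata|content)/modules/pki/keydist/cacerts(/|$)}, allow: '*' },
  PAGE_RULES[1]
].freeze

# Returns [:allow or :deny, index of the deciding rule]; no match means deny.
def authorize(certname, request_path, rules = PAGE_RULES)
  rules.each_with_index do |rule, idx|
    m = rule[:path].match(request_path)
    next unless m
    # Expand $1, $2, ... in the allow value from the path's capture groups.
    allowed = rule[:allow].gsub(/\$(\d)/) { m[Regexp.last_match(1).to_i].to_s }
    return [(allowed == '*' || allowed == certname) ? :allow : :deny, idx]
  end
  [:deny, nil]
end

# Constructed sample requests: [client certname, requested path].
BASE = '/file_content/modules/pki/keydist'
REQUESTS = [
  ['web01.example.com', "#{BASE}/cacerts/ca.pem"],
  ['web01.example.com', "#{BASE}/web01.example.com/web01.example.com.pem"],
  ['db01.example.com',  "#{BASE}/web01.example.com/web01.example.com.pem"],
  ['db01.example.com',  "#{BASE}/cacerts.example.com/cacerts.example.com.pem"]
].freeze

# Decision for every sample request under the given rule set.
def decisions(rules)
  REQUESTS.map { |cert, path| authorize(cert, path, rules).first }
end

REQUESTS.zip(decisions(PAGE_RULES), decisions(TIGHTENED_RULES)).each do |(cert, path), page, tight|
  puts format('%-18s %-50s page=%-5s tightened=%s', cert, path.sub(BASE, ''), page, tight)
end
```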

Beginning with simp-pki

Usage

To sync certificates to your system, simply include the pki class.

include '::pki'

To copy the certificates into your application space, use the pki::copy define.

This will automatically include the simp-pki class unless told otherwise.

pki::copy { '/etc/httpd': }

This will result in the directory /etc/httpd/pki being created with the cacerts, public, and private subdirectories as specified in the keydist directory.

Development

Please read our Contribution Guide and visit our developer wiki.