Puppet Class: profile::pki::root_ca

Defined in:
modules/profile/manifests/pki/root_ca.pp

Summary

Configure a cfssl root ca with no API end point

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • common_name (Cfssl::Ca_name) (defaults to: lookup('profile::pki::root_ca::common_name'))

    The common name to use on the CA cert

  • vhost (String) (defaults to: lookup('profile::pki::root_ca::vhost'))

    The vhost for the CRL

  • names (Array[Cfssl::Name]) (defaults to: lookup('profile::pki::root_ca::names'))

    The certificate authority names used for intermediates

  • key_params (Cfssl::Key) (defaults to: lookup('profile::pki::root_ca::key_params'))

    The key algorithm and size used for intermediates

  • db_driver (Cfssl::DB_driver) (defaults to: lookup('profile::pki::root_ca::db_driver'))

    The db driver to use

  • db_user (String) (defaults to: lookup('profile::pki::root_ca::db_user'))

    The db user to use

  • db_pass (Sensitive[String[1]]) (defaults to: lookup('profile::pki::root_ca::db_pass'))

    The db pass to use

  • db_name (String) (defaults to: lookup('profile::pki::root_ca::db_name'))

    The db name to use

  • db_host (Stdlib::Host) (defaults to: lookup('profile::pki::root_ca::db_host'))

    The db host to use

  • profiles (Hash[String, Cfssl::Profile]) (defaults to: lookup('profile::pki::root_ca::profiles'))

    A hash of signing profiles

  • auth_keys (Hash[String, Cfssl::Auth_key]) (defaults to: lookup('profile::pki::root_ca::auth_keys'))

    A hash of auth_keys. This is not actually used, as we do not configure the API end point, but it is required as a security measure in case the API service is started by accident.

  • intermediates (Array[Cfssl::Ca_name]) (defaults to: lookup('profile::pki::root_ca::intermediates'))

    An array of intermediate certificates to create.

  • rsa_intermediates (Array[Cfssl::Ca_name]) (defaults to: lookup('profile::pki::root_ca::rsa_intermediates'))

    An array of intermediate certificates to create with RSA keys. Note that you will need to manually copy the created certificate to the puppet repo.

  • bootstrap (Boolean) (defaults to: lookup('profile::pki::root_ca::bootstrap'))

    Whether or not to attempt to bootstrap the root CA



# File 'modules/profile/manifests/pki/root_ca.pp', line 19

# Declares a cfssl root CA: the signer configuration, the root CSR, an optional
# one-off key bootstrap, the OCSP signing certificate, the intermediates this
# root signs, and a backup set. Parameter documentation lives in the YARD
# header of this file.
class profile::pki::root_ca(
    Cfssl::Ca_name                $common_name        = lookup('profile::pki::root_ca::common_name'),
    String                        $vhost              = lookup('profile::pki::root_ca::vhost'),
    Array[Cfssl::Name]            $names              = lookup('profile::pki::root_ca::names'),
    Cfssl::Key                    $key_params         = lookup('profile::pki::root_ca::key_params'),
    Cfssl::DB_driver              $db_driver          = lookup('profile::pki::root_ca::db_driver'),
    String                        $db_user            = lookup('profile::pki::root_ca::db_user'),
    Sensitive[String[1]]          $db_pass            = lookup('profile::pki::root_ca::db_pass'),
    String                        $db_name            = lookup('profile::pki::root_ca::db_name'),
    Stdlib::Host                  $db_host            = lookup('profile::pki::root_ca::db_host'),
    Hash[String, Cfssl::Profile]  $profiles           = lookup('profile::pki::root_ca::profiles'),
    Hash[String, Cfssl::Auth_key] $auth_keys          = lookup('profile::pki::root_ca::auth_keys'),
    Array[Cfssl::Ca_name]         $intermediates      = lookup('profile::pki::root_ca::intermediates'),
    Array[Cfssl::Ca_name]         $rsa_intermediates  = lookup('profile::pki::root_ca::rsa_intermediates'),
    Boolean                       $bootstrap          = lookup('profile::pki::root_ca::bootstrap'),
) {
    # Every non-word character becomes '_', so the title is safe to use both as
    # a path component and, further down, interpolated into the bootstrap shell
    # command.
    $safe_title   = $common_name.regsubst('\W', '_', 'G')
    # NOTE(review): the CRL/OCSP distribution points are plain http here —
    # presumably intentional, to avoid a circular TLS dependency on the CA
    # itself; confirm.
    $crl_base_url = "http://${vhost}/crl/${safe_title}"
    $ocsp_base_url = "http://${vhost}/ocsp/${safe_title}"
    # we need to include this as we use some of the variables
    # ($cfssl::csr_dir and $cfssl::signer_dir are read below)
    include cfssl  # lint:ignore:wmf_styleguide
    # Signer configuration only: manage_services => false means the cfssl API
    # end point is not run. auth_keys are still written so the API is not left
    # unauthenticated if the service is ever started by hand.
    cfssl::signer {$common_name:
        profiles         => $profiles,
        default_crl_url  => $crl_base_url,
        default_ocsp_url => $ocsp_base_url,
        db_driver        => $db_driver,
        db_user          => $db_user,
        db_pass          => $db_pass,
        db_host          => $db_host,
        db_name          => $db_name,
        auth_keys        => $auth_keys,
        manage_services  => false,
    }

    # Paths derived from the sanitised title under the cfssl module's directories.
    $root_csr = "${cfssl::csr_dir}/${safe_title}.csr"
    $root_dir = "${cfssl::signer_dir}/${safe_title}"

    # CSR for the root certificate itself.
    cfssl::csr { $root_csr:
        common_name => $common_name,
        names       => $names,
        key         => $key_params,
    }

    # One-off generation of the self-signed root certificate and its private
    # key. 'creates' keeps this from ever regenerating (and thus replacing) an
    # existing root key; the shell provider is needed for the pipe.
    # NOTE(review): a pipeline's exit status is cfssljson's, not cfssl's —
    # confirm that a failed 'cfssl genkey' cannot leave a partial ca-key.pem
    # behind that would satisfy 'creates' on later runs.
    if ($bootstrap) {
        exec { 'initca':
            cwd      => "${root_dir}/ca",
            command  => "cfssl genkey -initca ${root_csr} | cfssljson -bare ca",
            provider => 'shell',
            creates  => "${root_dir}/ca/ca-key.pem",
            require  => Cfssl::Csr[$root_csr],
        }
    }

    # OCSP responder signing certificate, issued by this root through its
    # signer config dir.
    cfssl::cert {"${common_name}_ocsp_signing_cert":
        names         => $names,
        signer_config => {'config_dir' => $root_dir},
        profile       => 'ocsp',
        require       => Cfssl::Signer[$common_name],
    }
    # Intermediates signed by this root, using the configured key parameters.
    $intermediates.each |$intermediate| {
        cfssl::cert {$intermediate:
            key           => $key_params,
            names         => $names,
            signer_config => {'config_dir' => $root_dir},
            profile       => 'intermediate',
            require       => Cfssl::Signer[$common_name],
        }
    }
    # Intermediates that must use RSA keys; the key size is fixed at 4096 bits
    # here rather than taken from $key_params.
    $rsa_intermediates.each |$intermediate| {
        cfssl::cert {$intermediate:
            key           => {'algo' => 'rsa', 'size' => 4096},
            names         => $names,
            signer_config => {'config_dir' => $root_dir},
            profile       => 'intermediate',
            require       => Cfssl::Signer[$common_name],
        }
    }
    # NOTE(review): this backup set presumably captures the root key material
    # under $root_dir — confirm what it covers and that the backup target is
    # protected appropriately for a root CA private key.
    include profile::backup::host
    backup::set {'pki-root-cfssl': }
}