Puppet Class: profile::pki::root_ca

Defined in:
modules/profile/manifests/pki/root_ca.pp

Overview

Parameters:

  • common_name (String) (defaults to: lookup('profile::pki::root_ca::common_name'))

    The common name to use on the CA cert

  • names (Array[Cfssl::Name]) (defaults to: lookup('profile::pki::root_ca::names'))

    The certificate authority names used for intermediates

  • key_params (Cfssl::Key) (defaults to: lookup('profile::pki::root_ca::key_params'))

    The key algorithm and size used for intermediates

  • gen_csr

    If true, generate a CSR. This is only needed when bootstrapping.

  • db_driver (Cfssl::DB_driver) (defaults to: lookup('profile::pki::root_ca::db_driver'))

    The db driver to use

  • db_user (String) (defaults to: lookup('profile::pki::root_ca::db_user'))

    The db user to use

  • db_pass (Sensitive[String[1]]) (defaults to: lookup('profile::pki::root_ca::db_pass'))

    The db pass to use

  • db_name (String) (defaults to: lookup('profile::pki::root_ca::db_name'))

    The db name to use

  • db_host (Stdlib::Host) (defaults to: lookup('profile::pki::root_ca::db_host'))

    The db host to use

  • profiles (Hash[String, Cfssl::Profile]) (defaults to: lookup('profile::pki::root_ca::profiles'))

    a Hash of signing profiles

  • auth_keys (Hash[String, Cfssl::Auth_key]) (defaults to: lookup('profile::pki::root_ca::auth_keys'))

    A hash of auth_keys. This is not actually used, as we don't configure the API endpoint, but it is required as a security measure in case the API service is started by accident.

  • intermediates

    An array of intermediate certificates to create. This profile ensures the certificates are created; however, you will need to manually copy the created certificates to the puppet repo.

  • vhost (String) (defaults to: lookup('profile::pki::root_ca::vhost'))
  • intermediates (Array[String[3]]) (defaults to: lookup('profile::pki::root_ca::intermediates'))


# File 'modules/profile/manifests/pki/root_ca.pp', line 16

# @summary Configure a cfssl root CA: the signer itself, the OCSP signing
#   certificate for that CA, and the intermediate certificates it issues.
#   The cfssl API service is deliberately not managed here
#   (manage_services => false).
# @param common_name The common name to use on the CA cert
# @param vhost The host name used in the CRL and OCSP distribution URLs
# @param names The certificate authority names used for intermediates
# @param key_params The key algorithm and size used for intermediates
# @param db_driver The db driver to use
# @param db_user The db user to use
# @param db_pass The db pass to use
# @param db_name The db name to use
# @param db_host The db host to use
# @param profiles A hash of signing profiles
# @param auth_keys A hash of auth_keys. Not actually used, as the API endpoint
#   is not configured here, but required as a safety measure in case the API
#   service is started by accident.
# @param intermediates An array of intermediate certificates to create. The
#   certificates are created on the host; the resulting certificate files
#   still have to be copied into the puppet repo manually.
class profile::pki::root_ca(
    String                        $common_name    = lookup('profile::pki::root_ca::common_name'),
    String                        $vhost          = lookup('profile::pki::root_ca::vhost'),
    Array[Cfssl::Name]            $names          = lookup('profile::pki::root_ca::names'),
    Cfssl::Key                    $key_params     = lookup('profile::pki::root_ca::key_params'),
    Cfssl::DB_driver              $db_driver      = lookup('profile::pki::root_ca::db_driver'),
    String                        $db_user        = lookup('profile::pki::root_ca::db_user'),
    Sensitive[String[1]]          $db_pass        = lookup('profile::pki::root_ca::db_pass'),
    String                        $db_name        = lookup('profile::pki::root_ca::db_name'),
    Stdlib::Host                  $db_host        = lookup('profile::pki::root_ca::db_host'),
    Hash[String, Cfssl::Profile]  $profiles       = lookup('profile::pki::root_ca::profiles'),
    Hash[String, Cfssl::Auth_key] $auth_keys      = lookup('profile::pki::root_ca::auth_keys'),
    Array[String[3]]              $intermediates  = lookup('profile::pki::root_ca::intermediates'),
) {
    # Replace every non-word character so the common name can be used as a
    # directory name and a URL path segment without further escaping.
    $safe_title    = $common_name.regsubst('\W', '_', 'G')
    # CRL and OCSP responses are signed by the CA itself, so they are served
    # over plain http; this also avoids a circular dependency on a TLS cert.
    $crl_base_url  = "http://${vhost}/crl/${safe_title}"
    $ocsp_base_url = "http://${vhost}/ocsp/${safe_title}"
    # we need to include this as we use some of the variables
    include cfssl  # lint:ignore:wmf_styleguide
    # The OCSP signing cert and every intermediate are signed from the same
    # signer configuration directory.
    $signer_config = {'config_dir' => "${cfssl::signer_dir}/${safe_title}"}

    cfssl::signer {$common_name:
        profiles         => $profiles,
        default_crl_url  => $crl_base_url,
        default_ocsp_url => $ocsp_base_url,
        db_driver        => $db_driver,
        db_user          => $db_user,
        db_pass          => $db_pass,
        db_host          => $db_host,
        db_name          => $db_name,
        # required even though the API service is not started by this profile
        auth_keys        => $auth_keys,
        manage_services  => false,
    }
    # Delegated OCSP responder certificate for this CA.
    cfssl::cert {"${common_name}_ocsp_signing_cert":
        names         => $names,
        signer_config => $signer_config,
        profile       => 'ocsp',
        require       => Cfssl::Signer[$common_name],
    }
    # One intermediate CA certificate per configured name, using the shared
    # key parameters.
    $intermediates.each |$intermediate_name| {
        cfssl::cert {$intermediate_name:
            key           => $key_params,
            names         => $names,
            signer_config => $signer_config,
            profile       => 'intermediate',
            require       => Cfssl::Signer[$common_name],
        }
    }
    # The root CA material is backed up via the host backup profile.
    include profile::backup::host
    backup::set {'pki-root-cfssl': }
}