| {%- from "salt/map.jinja" import minion with context %} |
| |
| x509_signing_policies: |
| {%- for ca_name,ca in minion.ca.items() %} |
| {%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %} |
| {{ ca_name }}_{{ signing_policy_name }}: |
| - minions: '{{ signing_policy.minions }}' |
| - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key |
| - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt |
| - C: {{ ca.country }} |
| - ST: {{ ca.state }} |
| - L: {{ ca.locality }} |
| {%- if signing_policy.type == 'v3_edge_cert_client' %} |
| - basicConstraints: "CA:FALSE" |
| - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment" |
| - extendedKeyUsage: "critical clientAuth" |
| {%- elif signing_policy.type == 'v3_edge_cert_server' %} |
| - basicConstraints: "CA:FALSE" |
| - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment" |
| - extendedKeyUsage: "critical,serverAuth" |
| {%- elif signing_policy.type == 'v3_intermediate_ca' %} |
| - basicConstraints: "CA:TRUE" |
| - keyUsage: "critical cRLSign,keyCertSign" |
| {%- elif signing_policy.type == 'v3_edge_ca' %} |
| - basicConstraints: "CA:TRUE,pathlen:0" |
| - keyUsage: "critical cRLSign,keyCertSign" |
| {%- endif %} |
| - subjectKeyIdentifier: hash |
| - authorityKeyIdentifier: keyid,issuer:always |
| - days_valid: {{ ca.days_valid.certificate }} |
| - copypath: /etc/pki/ca/{{ ca_name }}/certs/ |
| {%- endfor %} |
| {%- endfor %} |