Salt PKI proper x509v3 cert extensions
diff --git a/salt/files/_pki.conf b/salt/files/_pki.conf
index 19bc552..19c6dc1 100644
--- a/salt/files/_pki.conf
+++ b/salt/files/_pki.conf
@@ -2,17 +2,32 @@
x509_signing_policies:
{%- for ca_name,ca in minion.ca.items() %}
- {{ ca_name }}:
- - minions: '*'
+{%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
+ {{ ca_name }}_{{ signing_policy_name }}:
+ - minions: '{{ signing_policy.minions }}'
- signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
- signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
- C: {{ ca.country }}
- ST: {{ ca.state }}
- L: {{ ca.locality }}
- - basicConstraints: "critical CA:false"
- - keyUsage: "critical cRLSign, keyCertSign"
+ {%- if signing_policy.type == 'v3_edge_cert_client' %}
+ - basicConstraints: "CA:FALSE"
+ - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
+ - extendedKeyUsage: "critical clientAuth"
+ {%- elif signing_policy.type == 'v3_edge_cert_server' %}
+ - basicConstraints: "CA:FALSE"
+ - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
+ - extendedKeyUsage: "critical,serverAuth"
+ {%- elif signing_policy.type == 'v3_intermediate_ca' %}
+ - basicConstraints: "CA:TRUE"
+ - keyUsage: "critical cRLSign,keyCertSign"
+ {%- elif signing_policy.type == 'v3_edge_ca' %}
+ - basicConstraints: "CA:TRUE,pathlen:0"
+ - keyUsage: "critical cRLSign,keyCertSign"
+ {%- endif %}
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: {{ ca.days_valid.certificate }}
- copypath: /etc/pki/ca/{{ ca_name }}/certs/
{%- endfor %}
+{%- endfor %}
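Review bot: The `{%- if signing_policy.type ... %}` chain has no terminal branch, so a policy whose `type` is misspelled or not one of the four names is still rendered — carrying subjectKeyIdentifier/authorityKeyIdentifier but no basicConstraints and no keyUsage — and the CA server will happily sign requests under a policy with no usage restriction at all. Add an `{%- else %}` that either fails the render or pins the least-privileged default, e.g. `{%- else %}` / `- basicConstraints: "critical,CA:FALSE"` / `- keyUsage: "critical,digitalSignature,keyEncipherment"`. Separately, the critical flag is spelled two ways in this hunk — `"critical digitalSignature,..."` and `"critical clientAuth"` with a space, `"critical,serverAuth"` with a comma — and the ca.sls hunk uses the comma form throughout; the x509 module almost certainly parses only one of these, so whichever spelling is verified against the module should be used on every extension line in both files. The edge-cert basicConstraints lines also dropped the `critical` marker that the removed line and the ca.sls lines carry; keeping it (`"critical,CA:FALSE"` or the space form) ensures strict verifiers still enforce the constraint.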
diff --git a/salt/minion/ca.sls b/salt/minion/ca.sls
index ca8aa75..b67f760 100644
--- a/salt/minion/ca.sls
+++ b/salt/minion/ca.sls
@@ -33,8 +33,8 @@
- C: {{ ca.country }}
- ST: {{ ca.state }}
- L: {{ ca.locality }}
- - basicConstraints: "critical CA:true"
- - keyUsage: "critical cRLSign, keyCertSign"
+ - basicConstraints: "critical,CA:TRUE"
+ - keyUsage: "critical,cRLSign,keyCertSign"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: {{ ca.days_valid.authority }}
diff --git a/salt/minion/cert.sls b/salt/minion/cert.sls
index 3fb94c3..ebc97df 100644
--- a/salt/minion/cert.sls
+++ b/salt/minion/cert.sls
@@ -5,9 +5,11 @@
- salt.minion.service
{%- for cert_name,cert in minion.cert.iteritems() %}
+{%- set rowloop = loop %}
-/etc/pki/cert/{{ cert.authority }}:
+ca_dir_{{ cert.authority }}_{{ loop.index }}:
file.directory:
+ - name: /etc/pki/cert/{{ cert.authority }}
- makedirs: true
/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key:
@@ -17,7 +19,7 @@
/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt:
x509.certificate_managed:
- ca_server: {{ cert.host }}
- - signing_policy: {{ cert.authority }}
+ - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
- public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key
- CN: {{ cert.common_name }}
- days_remaining: 30
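Review bot: `cert.signing_policy` becomes mandatory for every `minion.cert` entry here, but nothing in the template enforces it — the removed `test_service` pillar entry shows the old shape had no such key, and with Salt's default non-strict Jinja undefined (to be confirmed against the minion's renderer settings) the value renders empty, so the request is sent under a policy named `Company CA_` and fails at the CA server with a policy-not-found error far from the real cause. Either make the miss loud or default to the least-privileged policy, assuming that name exists in the CA pillar: `- signing_policy: {{ cert.authority }}_{{ cert.get('signing_policy', 'cert_server') }}`. The `x509.certificate_managed` state continues past the end of the hunk.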
@@ -27,8 +29,9 @@
{%- if '/etc/pki/ca/'+cert.authority in ca_path %}
-/etc/pki/cert/{{ cert.authority }}/ca.crt:
+ca_cert_{{ cert.authority }}_{{ rowloop.index }}:
x509.pem_managed:
+ - name: /etc/pki/cert/{{ cert.authority }}/ca.crt
- text: {{ ca_cert|replace('\n', '') }}
{%- endif %}
diff --git a/tests/pillar/minion_pki_ca.sls b/tests/pillar/minion_pki_ca.sls
index 8bbd952..453d1f7 100644
--- a/tests/pillar/minion_pki_ca.sls
+++ b/tests/pillar/minion_pki_ca.sls
@@ -10,3 +10,16 @@
days_valid:
authority: 3650
certificate: 90
+ signing_policy:
+ cert_server:
+ type: v3_edge_cert_server
+ minions: '*'
+ cert_client:
+ type: v3_edge_cert_client
+ minions: '*'
+ ca_edge:
+ type: v3_edge_ca
+ minions: '*'
+ ca_intermediate:
+ type: v3_intermediate_ca
+ minions: '*'
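Review bot: `minions: '*'` on `ca_edge` and `ca_intermediate` lets any minion that can reach the CA server obtain a `CA:TRUE` certificate under those policies — a subordinate CA that can itself issue certificates trusted by everything that trusts `Company CA`. Even as a test fixture this is the example others will copy; restrict the two CA-capable policies to the intended requester, e.g. `minions: '<requesting-minion-id>'` (placeholder), and keep `'*'` only for the leaf `cert_server`/`cert_client` policies. Note also that `pathlen:0` bounds the `v3_edge_ca` policy but `v3_intermediate_ca` sets no path length at all, so the blast radius of an over-broad match on that policy is unbounded.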
diff --git a/tests/pillar/minion_pki_cert.sls b/tests/pillar/minion_pki_cert.sls
index 76a9fcb..2059810 100644
--- a/tests/pillar/minion_pki_cert.sls
+++ b/tests/pillar/minion_pki_cert.sls
@@ -2,7 +2,18 @@
minion:
enabled: true
cert:
- test_service:
+ test_server:
host: minion.with.ca
+ signing_policy: cert_server
authority: Company CA
- common_name: test.service.domain.tld
+ common_name: test.server.domain.tld
+ test_client:
+ host: minion.with.ca
+ signing_policy: cert_client
+ authority: Company CA
+ common_name: test.client.domain.tld
+ test_edge_ca:
+ host: minion.with.ca
+ signing_policy: ca_edge
+ authority: Company CA
+ common_name: test.ca.domain.tld