This cookbook manages OpenSSL key pairs, using chef-vault to share and store private keys.
This cookbook's home is at https://github.com/3ofcoins/ssl-key-vault/
-
Generate a self-signed key or a secret key and certificate.
-
Store the private key in chef-vault. The name should be set to ssl-key-key.name.:
$ ruby -rjson -e 'puts JSON[Hash[Hash[*ARGV].map { |k,v| [k, File.read(v)] }]]' -- \ chain.pem example.com.chain.pem \ crt example.com.crt \ csr example.com.csr \ key example.com.key \ pem example.com.pem \ > example.com.json$ knife encrypt create certs --mode client \ --search 'QUERY' --admins '' \ --name ssl-key-example_com \ --json /path/to/example.com.jsonEither add Chef server's admin API users to the
--admins, or make the key otherwise accessible to yourself in future (e.g. with knife-briefcase). -
Add the certificate to node's
ssl_certificatesattribute (key is key's name, and value is full certificate):
default_attributes :ssl_certificates => {
'example.com' => true
}- Add
recipe[ssl-key-vault]to node's run list.
The key will be stored in /etc/ssl/private/key.name.key, and
certificate in /etc/ssl/certs/key.name.pem.
I don't have much of idea currently how to add tests, with chef-vault, encrypted data bags, and such.
Author: Maciej Pasternacki maciej@3ofcoins.net