- Overview
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with trusted_ca
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Changelog/Contributors
A Puppet module to manage the distribution's trusted certificates and install trusted SSL certificates into the system's trusted keystore and Java keystores.
Many organizations use self-signed SSL certificates for internal services that need to be trusted by other hosts. This Puppet module installs SSL certificates into a host's system-wide trusted CA files (which are used by distribution-provided Java packages) and provides a define for installing certificates into Java installations not provided by the distribution.
- Distribution-provided trusted SSL certificates package
- System-wide additional trusted SSL certificates
- SSL certificates installed into java trusted certificate keystore
To install trusted_ca:

```shell
puppet module install puppet-trusted_ca
```
Dependencies:
- puppetlabs/stdlib
Manage only distribution-specific trusted certificates
```puppet
class { 'trusted_ca': }
```
Install a self-signed SSL certificate into the system's global trusted keystore from a source file
```puppet
class { 'trusted_ca': }

trusted_ca::ca { 'mycompany.org':
  source => 'puppet:///ssl/mycompany.org.crt',
}
```
Install a self-signed SSL certificate into a Java keystore from a source file
```puppet
class { 'trusted_ca': }

trusted_ca::java { 'mycompany.org':
  source        => 'puppet:///ssl/mycompany.org.crt',
  java_keystore => '/usr/local/java/lib/security/cacerts',
}
```
Install a certificate into the system's global trusted keystore from a PEM-encoded string (e.g. from Hiera)
```puppet
class { 'trusted_ca': }

trusted_ca::ca { 'example.net':
  content => lookup('example-net-x509'),
}
```
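Every certificate installed this way becomes a trust anchor for TLS clients on the host, so it helps to reject malformed input at catalog compilation. The following is an added example, not code from the trusted_ca module: a hypothetical `profile::internal_ca` class (its name, parameters and Hiera keys are assumptions) that feeds one Hiera hash to both defines and fails unless each value is a single PEM `CERTIFICATE` block.

```puppet
# Added example; profile::internal_ca and its parameters are hypothetical.
# Hiera data it expects (PEM body elided):
#   profile::internal_ca::certificates:
#     'mycompany.org': |
#       -----BEGIN CERTIFICATE-----
#       ...
#       -----END CERTIFICATE-----
#   profile::internal_ca::java_keystore: '/usr/local/java/lib/security/cacerts'
class profile::internal_ca (
  Hash[String[1], String[1]]     $certificates  = {},
  Optional[Stdlib::Absolutepath] $java_keystore = undef,
) {
  include trusted_ca

  $certificates.each |String $ca_name, String $pem| {
    # Accept exactly one CERTIFICATE block and nothing else: a pasted private
    # key, a multi-certificate bundle or stray text fails the catalog here.
    unless $pem =~ /\A\s*-----BEGIN CERTIFICATE-----[A-Za-z0-9+\/=\r\n]+-----END CERTIFICATE-----\s*\z/ {
      fail("profile::internal_ca: '${ca_name}' is not a single PEM certificate")
    }

    # System-wide trusted keystore
    trusted_ca::ca { $ca_name:
      content => $pem,
    }

    # Optional JVM that is not provided by the distribution.
    # Assumption: the two defines can share a title, as the usage
    # examples above use 'mycompany.org' for each of them.
    if $java_keystore {
      trusted_ca::java { $ca_name:
        content       => $pem,
        java_keystore => $java_keystore,
      }
    }
  }
}
```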
String. Version of the distribution-specific trusted certificates. Examples would be 'latest' or a specific version.
String. Package name of the distribution-specific trusted certificates. Default is OS/Distribution specific.
String/Array of String. List of paths for the update_command.
String. Location to install the trusted certificates.
String. Command to rebuild the system-trusted certificates.
String. Suffix of certificate files. Default is OS/Distribution dependent, i.e. 'pem' or 'crt'.
String. Source of the certificate to include. Must be a file in PEM format with crt extension. You must specify either source or content, but not both. If source is specified, content is ignored.
String. Content of certificate in PEM format. You must specify either source or content, but not both. If source is specified, content is ignored.
String. Destination of the certificate file for processing. Defaults to the install_path from the class, but can be overridden per certificate.
String. Suffix of certificate files. Default is OS/Distribution dependent, i.e. 'pem' or 'crt'.
String. Source of the certificate to include. Must be a file in PEM format with crt extension. You must specify either source or content, but not both. If source is specified, content is ignored.
String. Content of certificate in PEM format. You must specify either source or content, but not both. If source is specified, content is ignored.
String. Location of the Java cacerts keystore file.
- trusted_ca::params: Defaults for the trusted_ca module
Tested on:
- EL 6
- EL 7
- Debian 8
- Debian 9
- SLES 11 SP3
- SLES 12 SP4
- SLES 15 SP1
- Ubuntu 16.04 LTS
- Ubuntu 18.04 LTS
This module assumes the keytool and openssl utilities are available.
Improvements and bug fixes are greatly appreciated. See the contributing guide for information on adding and validating tests for PRs.
This module was originally known as jlambert121/trusted_ca but was forked to Voxpupuli because the original author no longer responded.