salt.modules.tls¶

A salt module for SSL/TLS. Can create a Certificate Authority (CA) or use Self-Signed certificates.

depends:

depends:	PyOpenSSL Python module (0.10 or later, 0.14 or later for X509 extension support)
configuration:	Add the following values in /etc/salt/minion for the CA module to function properly: ca.cert_base_path: '/etc/pki'

PyOpenSSL Python module (0.10 or later, 0.14 or later for

X509 extension support)

configuration:

Add the following values in /etc/salt/minion for the CA module to function properly:

ca.cert_base_path: '/etc/pki'

CLI Example #1 Creating a CA, a server request and its signed certificate:

# salt-call tls.create_ca my_little \
days=5 \
CN='My Little CA' \
C=US \
ST=Utah \
L=Salt Lake City \
O=Saltstack \
emailAddress=pleasedontemail@example.com

Created Private Key: "/etc/pki/my_little/my_little_ca_cert.key"
Created CA "my_little_ca": "/etc/pki/my_little_ca/my_little_ca_cert.crt"

# salt-call tls.create_csr my_little CN=www.example.com
Created Private Key: "/etc/pki/my_little/certs/www.example.com.key
Created CSR for "www.example.com": "/etc/pki/my_little/certs/www.example.com.csr"

# salt-call tls.create_ca_signed_cert my_little CN=www.example.com
Created Certificate for "www.example.com": /etc/pki/my_little/certs/www.example.com.crt"

CLI Example #2: Creating a client request and its signed certificate

# salt-call tls.create_csr my_little CN=DBReplica_No.1 cert_type=client
Created Private Key: "/etc/pki/my_little/certs//DBReplica_No.1.key."
Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1.csr."

# salt-call tls.create_ca_signed_cert my_little CN=DBReplica_No.1
Created Certificate for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1.crt"

CLI Example #3: Creating both a server and client req + cert for the same CN

# salt-call tls.create_csr my_little CN=MasterDBReplica_No.2  \
    cert_type=client
Created Private Key: "/etc/pki/my_little/certs/MasterDBReplica_No.2.key."
Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/MasterDBReplica_No.2.csr."

# salt-call tls.create_ca_signed_cert my_little CN=MasterDBReplica_No.2
Created Certificate for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1.crt"

# salt-call tls.create_csr my_little CN=MasterDBReplica_No.2 \
    cert_type=server
Certificate "MasterDBReplica_No.2" already exists

(doh!)

# salt-call tls.create_csr my_little CN=MasterDBReplica_No.2 \
    cert_type=server type_ext=True
Created Private Key: "/etc/pki/my_little/certs/DBReplica_No.1_client.key."
Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1_client.csr."

# salt-call tls.create_ca_signed_cert my_little CN=MasterDBReplica_No.2
Certificate "MasterDBReplica_No.2" already exists

(DOH!)

# salt-call tls.create_ca_signed_cert my_little CN=MasterDBReplica_No.2 \
    cert_type=server type_ext=True
Created Certificate for "MasterDBReplica_No.2": "/etc/pki/my_little/certs/MasterDBReplica_No.2_server.crt"

CLI Example #4: Create a server req + cert with non-CN filename for the cert

# salt-call tls.create_csr my_little CN=www.anothersometh.ing \
    cert_type=server type_ext=True
Created Private Key: "/etc/pki/my_little/certs/www.anothersometh.ing_server.key."
Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/www.anothersometh.ing_server.csr."

# salt-call tls_create_ca_signed_cert my_little CN=www.anothersometh.ing \
    cert_type=server cert_filename="something_completely_different"
Created Certificate for "www.anothersometh.ing": /etc/pki/my_little/certs/something_completely_different.crt

salt.modules.tls.ca_exists(ca_name, cacert_path=None, ca_filename=None)¶

Verify whether a Certificate Authority (CA) already exists

ca_name: name of the CA
cacert_path: absolute path to ca certificates root directory
ca_filename: alternative filename for the CA

2015.5.3 新版功能.

CLI 范例:

salt '*' tls.ca_exists test_ca /etc/certs

salt.modules.tls.cert_base_path(cacert_path=None)¶

Return the base path for certs from CLI or from options

cacert_path: absolute path to ca certificates root directory

CLI 范例:

salt '*' tls.cert_base_path

salt.modules.tls.cert_info(cert_path, digest='sha256')¶

Return information for a particular certificate

cert_path: path to the cert file
digest: what digest to use for fingerprinting

CLI 范例:

salt '*' tls.cert_info /dir/for/certs/cert.pem

salt.modules.tls.create_ca(ca_name, bits=2048, days=365, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='SaltStack', OU=None, emailAddress='xyz@pdq.net', fixmode=False, cacert_path=None, ca_filename=None, digest='sha256', onlyif=None, unless=None, replace=False)¶

Create a Certificate Authority (CA)

ca_name: name of the CA
bits: number of RSA key bits, default is 2048
days: number of days the CA will be valid, default is 365
CN: common name in the request, default is "localhost"
C: country, default is "US"
ST: state, default is "Utah"
L: locality, default is "Centerville", the city where SaltStack originated
O: organization, default is "SaltStack"
OU: organizational unit, default is None
emailAddress: email address for the CA owner, default is 'xyz@pdq.net'
cacert_path: absolute path to ca certificates root directory
ca_filename: alternative filename for the CA

2015.5.3 新版功能.
digest: The message digest algorithm. Must be a string describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example, "md5" or "sha1". Default: 'sha256'
replace: Replace this certificate even if it exists

2015.5.1 新版功能.

Writes out a CA certificate based upon defined config values. If the file already exists, the function just returns assuming the CA certificate already exists.

If the following values were set:

ca.cert_base_path='/etc/pki'
ca_name='koji'

the resulting CA, and corresponding key, would be written in the following location:

/etc/pki/koji/koji_ca_cert.crt
/etc/pki/koji/koji_ca_cert.key

CLI 范例:

salt '*' tls.create_ca test_ca

salt.modules.tls.create_ca_signed_cert(ca_name, CN, days=365, cacert_path=None, ca_filename=None, cert_path=None, cert_filename=None, digest='sha256', cert_type=None, type_ext=False, replace=False)¶

Create a Certificate (CERT) signed by a named Certificate Authority (CA)

If the certificate file already exists, the function just returns assuming the CERT already exists.

The CN must match an existing CSR generated by create_csr. If it does not, this method does nothing.

ca_name

name of the CA

CN

common name matching the certificate signing request

days

number of days certificate is valid, default is 365 (1 year)

cacert_path

absolute path to ca certificates root directory

ca_filename

alternative filename for the CA

2015.5.3 新版功能.

cert_path

full path to the certificates directory

cert_filename

alternative filename for the certificate, useful when using special characters in the CN. If this option is set it will override the certificate filename output effects of cert_type. type_ext will be completely overridden.

2015.5.3 新版功能.

digest

The message digest algorithm. Must be a string describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example, "md5" or "sha1". Default: 'sha256'

replace

Replace this certificate even if it exists

2015.5.1 新版功能.

cert_type

string. Either 'server' or 'client' (see create_csr() for details).

If create_csr(type_ext=True) this function must be called with the same cert_type so it can find the CSR file.

注解

create_csr() defaults to cert_type='server'; therefore, if it was also called with type_ext, cert_type becomes a required argument for create_ca_signed_cert()

type_ext

bool. If set True, use cert_type as an extension to the CN when formatting the filename.

e.g.: some_subject_CN_server.crt or some_subject_CN_client.crt

This facilitates the context where both types are required for the same subject

If cert_filename is not None, setting type_ext has no effect

If the following values were set:

ca.cert_base_path='/etc/pki'
ca_name='koji'
CN='test.egavas.org'

the resulting signed certificate would be written in the following location:

/etc/pki/koji/certs/test.egavas.org.crt

CLI 范例:

salt '*' tls.create_ca_signed_cert test localhost

salt.modules.tls.create_csr(ca_name, bits=2048, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='SaltStack', OU=None, emailAddress='xyz@pdq.net', subjectAltName=None, cacert_path=None, ca_filename=None, csr_path=None, csr_filename=None, digest='sha256', type_ext=False, cert_type='server', replace=False)¶

Create a Certificate Signing Request (CSR) for a particular Certificate Authority (CA)

ca_name

name of the CA

bits

number of RSA key bits, default is 2048

CN

common name in the request, default is "localhost"

C

country, default is "US"

ST

state, default is "Utah"

L

locality, default is "Centerville", the city where SaltStack originated

O

organization, default is "SaltStack" NOTE: Must the same as CA certificate or an error will be raised

OU

organizational unit, default is None

emailAddress

email address for the request, default is 'xyz@pdq.net'

subjectAltName

valid subjectAltNames in full form, e.g. to add DNS entry you would call this function with this value:

examples: ['DNS:somednsname.com',: 'DNS:1.2.3.4', 'IP:1.2.3.4', 'IP:2001:4801:7821:77:be76:4eff:fe11:e51', 'email:me@i.like.pie.com']

注解

some libraries do not properly query IP: prefixes, instead looking for the given req. source with a DNS: prefix. To be thorough, you may want to include both DNS: and IP: entries if you are using subjectAltNames for destinations for your TLS connections. e.g.: requests to https://1.2.3.4 will fail from python's requests library w/out the second entry in the above list

2015.8.0 新版功能.

cert_type

Specify the general certificate type. Can be either server or client. Indicates the set of common extensions added to the CSR.

server: {
   'basicConstraints': 'CA:FALSE',
   'extendedKeyUsage': 'serverAuth',
   'keyUsage': 'digitalSignature, keyEncipherment'
}

client: {
   'basicConstraints': 'CA:FALSE',
   'extendedKeyUsage': 'clientAuth',
   'keyUsage': 'nonRepudiation, digitalSignature, keyEncipherment'
}

type_ext

boolean. Whether or not to extend the filename with CN_[cert_type] This can be useful if a server and client certificate are needed for the same CN. Defaults to False to avoid introducing an unexpected file naming pattern

The files normally named some_subject_CN.csr and some_subject_CN.key will then be saved

replace

Replace this signing request even if it exists

2015.5.1 新版功能.

Writes out a Certificate Signing Request (CSR) If the file already exists, the function just returns assuming the CSR already exists.

If the following values were set:

ca.cert_base_path='/etc/pki'
ca_name='koji'
CN='test.egavas.org'

the resulting CSR, and corresponding key, would be written in the following location:

/etc/pki/koji/certs/test.egavas.org.csr
/etc/pki/koji/certs/test.egavas.org.key

CLI 范例:

salt '*' tls.create_csr test

salt.modules.tls.create_empty_crl(ca_name, cacert_path=None, ca_filename=None, crl_file=None)¶

Create an empty Certificate Revocation List.

2015.8.0 新版功能.

ca_name: name of the CA
cacert_path: absolute path to ca certificates root directory
ca_filename: alternative filename for the CA

2015.5.3 新版功能.
crl_file: full path to the CRL file

CLI 范例:

salt '*' tls.create_empty_crl ca_name='koji'                 ca_filename='ca'                 crl_file='/etc/openvpn/team1/crl.pem'

salt.modules.tls.create_pkcs12(ca_name, CN, passphrase='', cacert_path=None, replace=False)¶

Create a PKCS#12 browser certificate for a particular Certificate (CN)

ca_name: name of the CA
CN: common name matching the certificate signing request
passphrase: used to unlock the PKCS#12 certificate when loaded into the browser
cacert_path: absolute path to ca certificates root directory
replace: Replace this certificate even if it exists

2015.5.1 新版功能.

If the following values were set:

ca.cert_base_path='/etc/pki'
ca_name='koji'
CN='test.egavas.org'

the resulting signed certificate would be written in the following location:

/etc/pki/koji/certs/test.egavas.org.p12

CLI 范例:

salt '*' tls.create_pkcs12 test localhost

salt.modules.tls.create_self_signed_cert(tls_dir='tls', bits=2048, days=365, CN='localhost', C='US', ST='Utah', L='Salt Lake City', O='SaltStack', OU=None, emailAddress='xyz@pdq.net', cacert_path=None, cert_filename=None, digest='sha256', replace=False)¶

Create a Self-Signed Certificate (CERT)

tls_dir: location appended to the ca.cert_base_path, default is 'tls'
bits: number of RSA key bits, default is 2048
CN: common name in the request, default is "localhost"
C: country, default is "US"
ST: state, default is "Utah"
L: locality, default is "Centerville", the city where SaltStack originated
O: organization, default is "SaltStack" NOTE: Must the same as CA certificate or an error will be raised
OU: organizational unit, default is None
emailAddress: email address for the request, default is 'xyz@pdq.net'
cacert_path: absolute path to ca certificates root directory
digest: The message digest algorithm. Must be a string describing a digest algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically). For example, "md5" or "sha1". Default: 'sha256'
replace: Replace this certificate even if it exists

2015.5.1 新版功能.

Writes out a Self-Signed Certificate (CERT). If the file already exists, the function just returns.

If the following values were set:

ca.cert_base_path='/etc/pki'
tls_dir='koji'
CN='test.egavas.org'

the resulting CERT, and corresponding key, would be written in the following location:

/etc/pki/koji/certs/test.egavas.org.crt
/etc/pki/koji/certs/test.egavas.org.key

CLI 范例:

salt '*' tls.create_self_signed_cert

Passing options from the command line:

salt 'minion' tls.create_self_signed_cert CN='test.mysite.org'

salt.modules.tls.get_ca(ca_name, as_text=False, cacert_path=None)¶

Get the certificate path or content

ca_name: name of the CA
as_text: if true, return the certificate content instead of the path
cacert_path: absolute path to ca certificates root directory

CLI 范例:

salt '*' tls.get_ca test_ca as_text=False cacert_path=/etc/certs

salt.modules.tls.get_ca_signed_cert(ca_name, CN='localhost', as_text=False, cacert_path=None, cert_filename=None)¶

Get the certificate path or content

ca_name: name of the CA
CN: common name of the certificate
as_text: if true, return the certificate content instead of the path
cacert_path: absolute path to certificates root directory
cert_filename: alternative filename for the certificate, useful when using special characters in the CN

2015.5.3 新版功能.

CLI 范例:

salt '*' tls.get_ca_signed_cert test_ca CN=localhost as_text=False cacert_path=/etc/certs

salt.modules.tls.get_ca_signed_key(ca_name, CN='localhost', as_text=False, cacert_path=None, key_filename=None)¶

Get the certificate path or content

ca_name

name of the CA

CN

common name of the certificate

as_text

if true, return the certificate content instead of the path

cacert_path

absolute path to certificates root directory

key_filename

alternative filename for the key, useful when using special characters

2015.5.3 新版功能.

in the CN

CLI 范例:

salt '*' tls.get_ca_signed_key                 test_ca CN=localhost                 as_text=False                 cacert_path=/etc/certs

salt.modules.tls.get_extensions(cert_type)¶

Fetch X509 and CSR extension definitions from tls:extensions: (common|server|client) or set them to standard defaults.

2015.8.0 新版功能.

cert_type:: The type of certificate such as server or client.

CLI 范例:

salt '*' tls.get_extensions client

salt.modules.tls.maybe_fix_ssl_version(ca_name, cacert_path=None, ca_filename=None)¶

Check that the X509 version is correct (was incorrectly set in previous salt versions). This will fix the version if needed.

ca_name: ca authority name
cacert_path: absolute path to ca certificates root directory
ca_filename: alternative filename for the CA

2015.5.3 新版功能.

CLI 范例:

salt '*' tls.maybe_fix_ssl_version test_ca /etc/certs

salt.modules.tls.revoke_cert(ca_name, CN, cacert_path=None, ca_filename=None, cert_path=None, cert_filename=None, crl_file=None)¶

Revoke a certificate.

2015.8.0 新版功能.

ca_name: Name of the CA.
CN: Common name matching the certificate signing request.
cacert_path: Absolute path to ca certificates root directory.
ca_filename: Alternative filename for the CA.
cert_path: Path to the cert file.
cert_filename: Alternative filename for the certificate, useful when using special characters in the CN.
crl_file: Full path to the CRL file.

CLI 范例:

salt '*' tls.revoke_cert ca_name='koji'                 ca_filename='ca'                 crl_file='/etc/openvpn/team1/crl.pem'

salt.modules.tls.set_ca_path(cacert_path)¶

If wanted, store the aforementioned cacert_path in context to be used as the basepath for further operations

CLI 范例:

salt '*' tls.set_ca_path /etc/certs