authorJan Dittberner <jandd@cacert.org>2021-05-08 07:16:52 +0200
committerJan Dittberner <jandd@cacert.org>2021-05-08 07:16:52 +0200
commit084bc3deb9a4ed16510bb3de1863750e97d071d6 (patch)
treef6d0e384a8ae2b9f186eb4f1450a90fee4f08697 /sitemodules/profiles/manifests/x509cert_common.pp
parent5b6f13899e37a5def5665eb90737a60eedd6d9f9 (diff)
Use x509cert_common for cacert_boardvoting
- add support for custom owner, group and mode for private key files managed by x509cert_common - use x509cert_common for cacert_boardvoting - remove key and certificate from old locations - add class1 (root) certificate to allowed client certificate roots for cacert_boardvoting
Diffstat (limited to 'sitemodules/profiles/manifests/x509cert_common.pp')
-rw-r--r--sitemodules/profiles/manifests/x509cert_common.pp24
1 files changed, 21 insertions, 3 deletions
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
index d784b49..8244130 100644
--- a/sitemodules/profiles/manifests/x509cert_common.pp
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -16,6 +16,10 @@
# of CA certificate identifiers. The
# client_ca_certificates entry should contain an array
# of CA certificate identifiers.
+# The optional key_owner, key_group and key_mode entries
+# can be used to override the defaults of 'root',
+# 'root', '0640' for the private key file ownership and
+# permissions.
#
# Examples
# --------
@@ -51,11 +55,25 @@ class profiles::x509cert_common (
}
$certificates.each |String $name, Data $cert_info| {
+ $key_owner = 'root'
+ $key_group = 'root'
+ $key_mode = '0640'
+
+ if 'key_owner' in $cert_info {
+ $key_owner = $cert_info['key_owner']
+ }
+ if 'key_group' in $cert_info {
+ $key_group = $cert_info['key_group']
+ }
+ if 'key_mode' in $cert_info {
+ $key_mode = $cert_info['key_mode']
+ }
+
file { "/etc/ssl/private/${name}.key.pem":
ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0640',
+ owner => $key_owner,
+ group => $key_group,
+ mode => $key_mode,
content => $cert_info['private_key'],
}
file { "/etc/ssl/public/${name}.crt.pem":
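Review bot: The `if` blocks at the top of the `$certificates.each` lambda assign `$key_owner`, `$key_group` and `$key_mode` a second time in the same scope. As far as I know Puppet conditionals do not open a new scope, so compiling a certificate entry that sets one of these keys would be expected to fail with a variable-reassignment error instead of applying the override. Assigning each variable once from an `if`/`else` expression avoids that. Separately, `key_mode` now comes straight from the `Data`-typed hash and is applied to the private key under `/etc/ssl/private`, so a value such as `'0644'` would make the key world-readable; I would constrain it with a pattern that rejects any access bits for others. The lambda and the enclosing class both continue outside this hunk.

```puppet
$certificates.each |String $name, Data $cert_info| {
  # One assignment per variable; fall back to the restrictive defaults.
  $key_owner = if 'key_owner' in $cert_info { $cert_info['key_owner'] } else { 'root' }
  $key_group = if 'key_group' in $cert_info { $cert_info['key_group'] } else { 'root' }
  $key_mode  = if 'key_mode' in $cert_info { $cert_info['key_mode'] } else { '0640' }

  # Refuse special bits and any permission for "other" on a private key file.
  assert_type(Pattern[/\A0[0-7][0-7]0\z/], $key_mode)

  # … unchanged: file resources for the key and the certificate …
```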