author | Jan Dittberner <jandd@cacert.org> | 2021-04-25 12:50:47 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2021-04-25 12:50:47 +0200 |
commit | c7d1fe41d60f623053d6b69280e9b4b188357651 (patch) | |
tree | 9cbc08c2e0d93046e6e0fb7292d4d807c2b5665f /sitemodules/profiles/manifests/x509cert_common.pp | |
parent | 72fc7353e13b33dbe876a47dcb5c34d7b1fefd3f (diff) | |
Add client certificate CA support to x509cert_common
This is a refactoring to move support for client certificate CA
chain definition to the x509cert_common manifest. The idea is that
certificate chain management is centralized in that module.
Community is the first system modified to use the new mechanism; it uses it
for the Roundcube webmail system at webmail.cacert.org.
Diffstat (limited to 'sitemodules/profiles/manifests/x509cert_common.pp')
-rw-r--r-- | sitemodules/profiles/manifests/x509cert_common.pp | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
index bdc1a33..d784b49 100644
--- a/sitemodules/profiles/manifests/x509cert_common.pp
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -10,10 +10,12 @@
 # @param certificates Hash data structure with certificate names as key and
 # certificate information as value the individual
 # entries are expected to have certificate, private_key
-# and cachain entries with PEM encoded data. Private
-# keys have to be encrypted using eyaml. The cachain
-# entry should contain an array of CA certificate
-# identifiers.
+# and cachain and client_ca_certificates entries with
+# PEM encoded data. Private keys have to be encrypted
+# using eyaml. The cachain entry should contain an array
+# of CA certificate identifiers. The
+# client_ca_certificates entry should contain an array
+# of CA certificate identifiers.
 #
 # Examples
 # --------
@@ -31,7 +33,7 @@
 # Copyright
 # ---------
 #
-# Copyright 2020 Jan Dittberner
+# Copyright 2020-2021 Jan Dittberner
 class profiles::x509cert_common (
 Hash[String, Data] $certificates,
 ) {
@@ -84,5 +86,23 @@ class profiles::x509cert_common (
 source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
 }
 }
+
+ if 'client_ca_certificates' in $cert_info {
+ $client_ca_certificates = "/etc/ssl/public/${name}_client_cas.pem"
+ concat { $client_ca_certificates:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+ $cert_info['client_ca_certificates'].each |$index, $ca_cert| {
+ $order = 10 + $index
+ concat::fragment { "${name}-client-${ca_cert}":
+ order => $order,
+ target => $client_ca_certificates,
+ source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
+ }
+ }
+ }
 }
 }
|
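Review bot: The rewritten @param text in the first hunk says the certificate, private_key, cachain and client_ca_certificates entries all carry "PEM encoded data", yet its own following sentences and the new loop in the last hunk (each element resolved to `puppet:///modules/profiles/base/cacert_${ca_cert}.crt`) show that cachain and client_ca_certificates are arrays of CA identifiers, not PEM blobs, and the two array entries get word-for-word identical descriptions, so a reader cannot tell them apart. I would split the sentence: `certificate and private_key hold PEM encoded data (private keys encrypted with eyaml); cachain and client_ca_certificates are arrays of CA certificate identifiers` and add for the new key `client_ca_certificates is written, in list order, to /etc/ssl/public/<name>_client_cas.pem as the CA bundle for client certificates`. The purpose of the bundle is taken from the commit message rather than the code, so confirm the wording against the consumer on webmail.cacert.org.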
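Review bot: Dropping a `client_ca_certificates` key later leaves `/etc/ssl/public/${name}_client_cas.pem` behind, because the last hunk declares the concat resource only inside `if 'client_ca_certificates' in $cert_info` and declares nothing for the negative case, so a service still configured with that path keeps trusting the old CA list until someone deletes the file by hand. Unless the path is cleaned up elsewhere, I would compute the path once above the `if` and add `else { file { $client_ca_certificates: ensure => absent } }` so retiring the key also retires the trust bundle. The `$order = 10 + $index` scheme keeps fragment order equal to list order only while orders stay two digits, assuming the concat module's default alphabetical ordering is in effect; fine for a handful of CAs, but a comment such as `# two-digit orders keep alpha sorting equal to list order` would make the limit explicit, ideally matching whatever the cachain loop above does. The enclosing each lambda and class begin before this hunk; only their closing braces are visible here.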