Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
- , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-pki', '6.3.0'
Learn more about managing modules with a PuppetfileDocumentation
simp-pki
Table of Contents
- Description
- Setup - The basics of getting started with simp-pki
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
This module provides the capability to manage non-Puppet PKI keys that are hosted on the Puppet server.
The keydist
directory must have the following structure:
Under `${codedir}/${environment}/modules/#{module_name}/files/keydist/`:
- cacerts
- Any X.509 PEM formatted CA certificates that you want to serve to your
clients. Do NOT hash these certificates. This will be done on the client
side.
- <fqdn>
- cacerts
- Any X.509 PEM formatted CA certificates that you want to serve to your
clients. Do NOT hash these certificates. This will be done on the
client side.
- <fqdn>.pem -> Client Private Key
- <fqdn>.pub -> Client Public Key
If $pki
is set to 'simp', the keydist directory will have the same structure,
however it will be located in a separate module path so keys don't get clobbered
when using r10k:
/var/simp/environments/${environment}/site_files/pki_files/files/keydist
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Setup
What simp-pki affects
This module both adds your client X.509 PKI keys to the system at
/etc/pki/simp/x509/{cacerts,private,public}
and provides the ability to copy those
certificates (or other certificates in the same directory format) into
application spaces.
Setup Requirements
The main functionality of this module is supported by the use of a Puppet
Server. However, the pki::copy
functionality may be used without connectivity
to the Puppet Server.
To use the server side functionality, you must have a special keydist
Puppet share.
The following is the recommended addition to auth.conf
for realizing this share:
# Everyone gets access to the cacerts
path ~ ^/file_(metadata|content)/modules/pki/keydist/cacerts
allow *
# Allow access to the keydist space for only the nodes that match via
# certificate name
path ~ ^/file_(metadata|content)/modules/pki/keydist/([^/]+)
allow $2
Beginning with simp-pki
Usage
To sync certificates to your system, simply include the pki
class.
include '::pki'
To copy the certificates into your application space, use the pki::copy
define. By default, the cert source is set to /etc/pki/simp. Three basic
use-cases are described below.
If $pki
is true
or simp
:
- The simp-pki class will be included
- Certificates will be centrally managed, in
/etc/pki/simp_apps
For example:
pki::copy { 'httpd': }
This will result in the directory /etc/pki/simp_apps/httpd/x509
being created with the
cacerts
, public
, and private
subdirectories as specified in the keydist
directory.
If $pki
is false:
- The simp-pki class will not be included
- Certificates will not be centrally managed, and you must specify a
$destination
- You must ensure the parent directories of
$destination
exist
For example:
pki::copy { 'httpd':
$pki => false,
$destination => '/foo/bar'
}
This will result in the directory /foo/bar/pki
being created with the cacerts
,
public
, and private
subdirectories as specified in the /etc/pki/simp/x509
directory.
To change the source of certificates to be distributed, use the global pki::source catalyst.
- You must ensure the source directory contains the proper
cacerts
,public
, andprivate
subdirectories, in the correct format. Nothing else will get copied.
In some_hieradata.yaml
simp_options::pki::source: /some/other/certs
In a manifest
pki::copy { 'httpd': }
This will result in the directory /etc/pki/simp_apps/httpd/x509
being created with
the cacerts
, public
, and private
subdirectories as specified in the
/some/other/certs
directory.
Reference
Please refer to the REFERENCE.md, generated by Puppet strings.
Development
Please read our Contribution Guide.
Reference
Table of Contents
Classes
pki
: This class provides the capability to manage non-Puppet PKI keys that are hosted on the Puppet server. The keydist directory must have the fpki::copy::apps_dir
: NOTE: THIS IS A PRIVATE CLASS This class configures the top-level appl
Defined types
pki::copy
: This Defined Type provides a useful copy function for properly copying the entire set of SIMP-based PKI certificates as deployed by the PKI m
Resource types
pki_cert_sync
: A puppet type for merging the contents of one directory full of X.509 PKI certificates into another while hashing the certificates in a manne
Classes
pki
This class provides the capability to manage non-Puppet PKI keys that are hosted on the Puppet server.
The keydist directory must have the following structure:
${codedir}/${environment}/modules/#{module_name}/files/keydist/
cacerts
- Any X.509 PEM formatted CA certificates that you want to serve to your clients.
<fqdn>
cacerts
- Any X.509 PEM formatted CA certificates that you want to serve to this particular client.
<fqdn>.pem
-> Host Private Key<fqdn>.pub
-> Host Public Key
If $pki is set to 'simp', the keydist directory will have the same structure, however it will be located in a separate module path so keys don't get clobbered when using r10k:
/var/simp/environments/${environment}/site_files/pki_files/files/keydist
Parameters
The following parameters are available in the pki
class.
pki
Data type: Variant[Boolean,Enum['simp']]
-
If 'simp', certs will be copied from
puppet:///modules/pki_files/keydist
-
If true or false, certs will be copied from
puppet:///modules/${module_name}/keydist
Default value: simplib::lookup('simp_options::pki', { 'default_value' => 'simp' })
base
Data type: Stdlib::Absolutepath
The directory to which certs will be copied.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
certname
Data type: String
The name of the cert to be used on this host
Defaults to the Puppet certname.
Default value: pick($trusted['certname'], $facts['fqdn'])
private_key_source
Data type: String
The source of the private key content
- This parameter accepts the same values as the
file
type'ssource
parameter
Default value: "puppet:///modules/${module_name}/keydist/${certname}/${certname}.pem"
public_key_source
Data type: String
The source of the private key content
- This parameter accepts the same values as the
file
type'ssource
parameter
Default value: "puppet:///modules/${module_name}/keydist/${certname}/${certname}.pub"
auditd
Data type: Boolean
Whether or not to enable auditing of the system keys
Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false})
sync_purge
Data type: Boolean
Whether or not the PKI sync type should purge the destination directory
- If set to
true
(the default), the/etc/pki/cacerts
directory will have any non-recognized certificates removed.
Default value: true
cacerts_sources
Data type: Array[String]
Modulepath to look in for the CA certs. Normally this is a special
modulepath outside of the normal $codedir. The full path can be found
in the environment.conf
or through puppet config print modulepath
Default value: [ "puppet:///modules/${module_name}/keydist/cacerts", "puppet:///modules/${module_name}/keydist/cacerts/${certname}/cacerts" ]
pki::copy::apps_dir
NOTE: THIS IS A PRIVATE CLASS
This class configures the top-level application directory where application-level copies of PKI keys will be housed
Parameters
The following parameters are available in the pki::copy::apps_dir
class.
target
Data type: Stdlib::Absolutepath
The name of the destination directory
Default value: '/etc/pki/simp_apps'
purge
Data type: Boolean
Whether or not to purge unmanaged keys from the directory
- NOTE: It is highly recommended that you purge unmanaged keys for security reasons
Default value: true
Defined types
pki::copy
This Defined Type provides a useful copy function for properly copying the entire set of SIMP-based PKI certificates as deployed by the PKI module to a different location.
This is particularly important when dealing with SELinux enabled services since they tend to react poorly to symlinks.
Parameters
The following parameters are available in the pki::copy
defined type.
pki
Data type: Variant[Boolean,Enum['simp']]
-
If set to
simp
ortrue
- Certificates will be centralized in /etc/pki/simp_apps/, and copied to
/etc/pki/simp_apps/$name/x509
.
- Certificates will be centralized in /etc/pki/simp_apps/, and copied to
-
If set to
simp
- Include the
pki
class
- Include the
-
If set to
false
- Certificates will not be centralized, and you must provide a
$destination
- Certificates will not be centralized, and you must provide a
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false})
name
Data type: Variant[String,Stdlib::Absolutepath]
-
If
$pki = true
or$pki = 'simp'
this parameter will be used to namespace certificates in/etc/pki/simp_apps/$name/x509
. -
If
$pki = false
, this variable has no effect.
source
Data type: String
Where to find the certificates. This value could be one of a few types:
- Absolute path
- A file URL in the form of
(https|puppet):///file/path
. See thefile
resource documentation for details on the format of this URL - An NSS database. This must be managed by something else, like IPA.
If the setting is a path (file or URL), the locations referenced must have the following structure:
-
<path>/cacerts
-
<path>/private
-
<path>/public
-
NOTE: No other directories will be copied!
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
destination
Data type: Optional[Stdlib::Absolutepath]
Optional. The destination that PKI certs get copied to.
-
If
$pki = false
:- You must specify $destination.
- You will need to ensure that all parent directories have been properly created.
- A 'pki' directory will be created under this space
- For example, if you set this to
/foo/bar
then/foo/bar/pki
will be created
- For example, if you set this to
-
If
$pki = true
or$pki = 'simp'
:- This variable has no effect.
Default value: undef
owner
Data type: String
The owner of the directories/files that get copied
Default value: 'root'
group
Data type: String
The group of the directories/files that get copied
Default value: 'root'
Resource types
pki_cert_sync
A puppet type for merging the contents of one directory full of X.509 PKI certificates into another while hashing the certificates in a manner appropriate for use by most Linux applications (Apache, OpenLDAP, etc...).
Usage:
pki_cert_sync { '<target_dir>': source => '<source_dir>' }
Both directories must exist on the local operating system, remote file syncing is not supported. File attributes will all be copied from the source directory.
Any SELinux contexts will be preserved on existing files and copied from the source files if the destination file does not exist.
Properties
The following properties are available in the pki_cert_sync
type.
source
The directory from which to copy all materials.
Parameters
The following parameters are available in the pki_cert_sync
type.
name
namevar
The target directory into which to place and hash the X.509 certificates.
This directory will be left as it was found at the end of the sync just in case it is the destination of a recursive file copy with purge enabled.
generate_pem_hash_links
Valid values: true
, false
, yes, no
Whether to generate the PEM file hash links in the target directory (:name). Should only be disabled if the application using the target directory generates those links itself.
Default value: true
purge
Valid values: true
, false
, yes, no
Whether to purge the target directory (:name). In general, you will want to do this to ensure that systems do not get inappropriate CAs added locally.
Default value: true
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.3.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Fri Dec 18 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 6.2.1
- Removed EL6 support
- Tue Dec 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0
- Add EL8 support
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.2.0-0
- Drop Puppet 4 support
- Add Puppet 6 support
- Add puppetlabs-stdlib 6 support
- Fri Jan 25 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0
- Moved temporary aggregate CA certs reference files used by pki_cert_sync out of the target directory. These temporary files were being erroneously processed by the gitlab application.
- Fri Jan 25 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0
- pki_cert_sync type now generates an aggregate CA certificates with X.509 certificate headers removed, cacerts_no_headers.pem, in addition to the existing aggregate CA certificates file, cacerts.pem. This new CA certificates file is useful for application that cannot handle certificate headers.
- Add a pki_cert_sync option,
generate_pem_hash_links
, which controls whether pki_cert_sync should generate and maintain the PEM file hash links in the target directory. Disabling automatic PEM hash link generation is useful if an application is managing those links in the target directory, itself. - Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.0.4-0
- Drop Hiera 4 support
- Update badges and contribution guide URL in README.md
- Wed Jul 18 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.4-0
- Add support for OEL and Puppet 5
- Mon Apr 16 2018 Nick Miller nick.miller@onyxpoint.com - 6.0.3-0
- pki::copy's source parameter now accepts any string to allow for use of NSS and remote file sources.
- Cleanup unneeded fixtures
- Update version range of auditd dependency in metadata.json
- Mon Dec 11 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.2-0
- Ensure that /etc/pki/simp_apps is recursively purged so that old certificates are not left on the system
- Adds a new param,
$certname
, that controls the name of the certs in keydist that will be copied over. This used to be set to$facts['fqdn']
without an option to change it, now it will default to$trusted['certname']
- Thu Jul 06 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.1-0
- Update puppet dependency and remove OBE pe dependency in metadata.json
- Wed Jan 11 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- SIMP certs are now managed in /etc/pki/simp/x509, and application certs in /etc/pki/simp_apps/<app_name>/x509.
- Tue Jan 10 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0
- Changed default location of keydist certs from the files directory of the pki module unless $pki is set to 'simp', when it will pull from pki_files in a different module path instead.
- Mon Jan 09 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Set perms on simp_apps to 644/755; apps were being denied access to their own certs because they could not access /etc/pki/simp_apps.
- We have made the decision to centralize application certificates when simp is managing pki (simp_options::pki => true or 'simp'). This update re-tools pki::copy to better handle managing certs in /etc/pki/simp_apps.
- Mon Dec 26 2016 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Changed pki::pki_dir parameter to pki::base_dir
- Updated acceptance tests
- Fixed bugs in ordering
- Tue Dec 13 2016 Jeanne Greulich jgreulich.greulich@onyxpoint.com - 6.0.0-0
- Global catalyst updates
- Strong Type updates
- Changed default for pki directory to /etc/pki/simp from /etc/pki
- Wed Nov 23 2016 Jeanne Greulich jgreulich.greulich@onyxpoint.com - 5.0.0-0
- update requirement versions
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Updated to compliance_markup version 2
- Fri Sep 30 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.2.4-0
- Fixed dependencies in
metadata.json
prior to a Forge push.
- Wed Jul 06 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.3-0
- Fixed a permissions flapping issue between a file resource and the 'sync' provider.
- Tue Apr 12 2016 Kendall Moore kendall.moore@onyxpoint.com - 4.2.2-0
- Removed custom type deprecation warning
- Mon Mar 28 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.1-0
- Removed extraneous cacerts keys
- Updated the README
- Fixed code comments
- Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0
- Added the ability to copy from arbitrary OS locations for pki::copy. This was mainly to support stunnel.
- Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-9
- Added compliance function support
- Mon Jan 18 2016 Carl Caum carl@puppetlabs.com - 4.1.0-8
- Allow PKI file content source to be modified.
- Mon Dec 14 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-7
- Remove erroneous test5.simp.vm key from the keydist directory
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-6
- Migration to simplib and simpcat (lib/ only)
- Tue Oct 13 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-5
- If a directory is placed in keydist/cacerts, the directory structure is copied to pki/cacerts, and all certs in subdirectories are appended to cacerts.pem.
- If a directory is removed from keydist/cacerts, it is now forcibly removed from .cacerts_ingress.
- Thu Feb 12 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4
- Moved things to the new 'simp' environment
- Ensure the requirements on packages are appropriately defined
- Mon Feb 09 2015 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-3
- A public RSA key is now generated off off the system private key, and placed in /etc/pki/public/fqdn_rsa.pem
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2
- Removed MD5 file checksums for FIPS compliance.
- Fri Jun 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Modified code in the pki_cert_sync provider for Ruby 2 compatibility.
- Thu May 15 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-1
- Updated pki_cert_sync to (re)build a concatenated cacerts.pem file which is a bundled file of all valid CA certs in /etc/pki/cacerts.
- Tue Apr 08 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-0
- Updated manifests for puppet 3 and hiera compatibility.
- Refactored manifests to pass all lint tests.
- Removed the pki::pre class as all functionality now exists in the pki class.
- Added spec tests.
- Mon Mar 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 3.0.0-0
- Added a pki::copy define for properly copying the entire PKI set to an alternate location on the system with proper ordering.
- Rolled the pki::pre class into the main pki class.
- Mon Feb 17 2014 Kendall Moore kmoore@keywcorp.com - 2.0.0-6
- Added autorequire to pki_cert_sync for file destination.
- Fri May 31 2013 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-5
- Created a native type to replace the hack set of execs for CA certificate synchronization. This is not perfect but it is far faster and better. Ideally, the type would be able to pull the files from the Puppet server itself. Also, the file resource for '/etc/pki/cacerts' was preserved for legacy code notification compatibility.
- Wed Apr 11 2012 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-4
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-3
- Improved test stubs.
- Wed Dec 14 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-2
- Added an initial suite of tests
- Fixed the creation of certificate hashes and now hash on 'subject' not 'issuer'.
- Updated the spec file to not require a separate file list.
- The certificate hash script had errors with cert hashes beginning with a '0' as well as hashing on the issuer not the subject. Also, cleaned up the way the intermediate directory cleanup is handled.
- Thu Oct 27 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-1
- Updated the PKI module to create a two-step certificate placement so that the certificate hashes can be generated on the client. This is done due to RHEL6 using a different hashing algorithm than RHEL5
- Tue Jan 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1-2
- Converting all spec files to check for directories prior to copy.
- Thu Jun 10 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-1
- No templates to copy in caused an RPM build failure.
- Mon May 24 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-0
- Code refactor and doc updates.
Dependencies
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/simplib (>= 3.1.0 < 5.0.0)
pupmod-simp-pki - A Puppet Module for managing host PKI certificates -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.