ca_trust

Overview

Manage CA Trust anchors within the ca-certificates framework.

Supported Platforms

  • RedHat & Derivatives >= 6.x
  • Debian & Derivatives >= 8.x
  • Fedora >= 25

Note: RedHat 6 and its derivatives, along with Debian 8, are now deprecated. The EOL of these products is less than a year away, and support for them will be removed when they reach end of life.

CentOS 8 and Ubuntu 20 do not yet undergo acceptance testing. All other testing applies, but beaker is not yet ready to support these platforms.

Module Description

The ca_trust module is for managing additions to the root CA bundle supplied by OS vendors. Used by applications to establish trust, the root CA bundle is usually shipped containing only third-party or commercial CA certificates. Administrators are expected to add their own internal or self-signed certificates to the OS vendor supplied bundles as needed.

The module currently supports adding PEM encoded CA anchors.

Setup

To prepare supported operating systems to receive new trusted CA anchors:

include ca_trust

To do the same, but with non-standard options:

class { '::ca_trust':
  cert_dir => '/some/other/directory',
}

See Reference for all options supported by the main class.

Usage

On supported operating systems the Setup step is not required; simply begin by declaring whatever ca_trust::pem::anchor resources are needed.

If things need to be customized, the ca_trust main class can be declared explicitly, as in the Setup section. Alternatively, the ca_trust main class may be customized via Hiera.

---
# Hiera YAML file.
# Use some other command to update root bundle certificates instead of
# the OS default.
ca_trust::update_cmd: /some/other/binary

# Puppet profile.
include ca_trust

Legacy PEM Anchors

To install new CA certificates into the operating system's trusted bundle, use the ca_trust::pem::anchor type. When specifying anchors, do not specify the filename extension (.crt, .pem, etc.). Some platforms are picky about the extension used, so the module will choose the appropriate default for the platform. For instance, Debian expects the certificates to end in .crt.

ca_trust::pem::anchor { 'self-signed':
  source => 'puppet:///modules/profile/node-one/self-signed-cert.pem',
}

ca_trust::pem::anchor { 'expired-cert':
  ensure => 'absent',
}

ca_trust::pem::anchor { 'My Company\'s Internal CA':
  source   => 'puppet:///modules/profile/organization-ca.pem',
  filename => 'org-ca',
}

$cert_data = @(EOT)
-----BEGIN CERTIFICATE-----
...blah blah blah, PEM encoded certificate here....
-----END CERTIFICATE-----
| EOT

ca_trust::pem::anchor { 'Org-CA':
  content => $cert_data,
}

For convenience you may also specify any anchors you'd like when you declare the ca_trust class, if you are doing so explicitly.

class { '::ca_trust':
  update_cmd => 'my-custom-command.sh',
  anchors    => {
    'org-ca' => {
      'source' => 'puppet:///modules/profile/my-company-ca.pem',
    },
    'expired-ca' => {
      'ensure' => 'absent',
    },
  },
}

Anchors from Hiera

The class ca_trust::pem::anchors is included for Hiera convenience. With it, you may pass in a hash of ca_trust::pem::anchor resources to manage.

---
# Node's hiera yaml.
ca_trust::pem::anchors::resources:
  org-ca:
    source: puppet:///modules/profile/my-company-ca.pem
  expired-ca:
    ensure: absent
  my-ca:
    content: >
      -----BEGIN CERTIFICATE-----
      .... cert data here .....
      -----END CERTIFICATE-----

Facts

The following facts are exposed.

  • trust_bundle - On supported operating systems this fact resolves to the path of the system-wide trusted CA bundle.
  • bundled_authorities - This fact exposes pertinent information for each certificate in the bundle. It returns a hash, keyed on fingerprint.

e.g.

$facts['bundled_authorities'] = {
  b561ebeaa4dee4254b691a98a55747c234c7d971 => {
    subject => "/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2",
    issuer => "/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2",
    not_before => "2012-07-19 09:15:30 UTC",
    not_after => "2042-07-19 09:15:30 UTC"
  },
  ...,
  e2b8294b5584ab6b58c290466cac3fb8398f8483 => {
    subject => "/C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT",
    issuer => "/C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT",
    not_before => "2012-08-08 03:07:01 UTC",
    not_after => "2029-12-31 03:07:01 UTC"
  }
}
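As an added illustration (not the module's own fact code), the Ruby below builds a hash of the same shape as bundled_authorities from a bundle's text using the standard openssl library, and adds a helper that flags anchors already past, or within a given number of days of, their not_after. The self-signed CA it generates in memory is a constructed stand-in for an installed anchor, not a real certificate.

```ruby
require 'openssl'
require 'time'

# One PEM certificate block inside a concatenated bundle file.
PEM_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Same shape as the bundled_authorities fact: keyed on the SHA-1
# fingerprint of the DER encoding, with subject, issuer and validity.
def bundled_authorities(bundle_text)
  bundle_text.scan(PEM_BLOCK).each_with_object({}) do |pem, acc|
    cert = OpenSSL::X509::Certificate.new(pem)
    fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der)
    acc[fingerprint] = {
      'subject'    => cert.subject.to_s,
      'issuer'     => cert.issuer.to_s,
      'not_before' => cert.not_before.utc.strftime('%Y-%m-%d %H:%M:%S UTC'),
      'not_after'  => cert.not_after.utc.strftime('%Y-%m-%d %H:%M:%S UTC'),
    }
  end
end

# Anchors whose not_after is already past, or falls within `days` of
# `now`: an internal CA that quietly expires takes every service that
# chains to it down with it, so this is worth alerting on.
def expiring_authorities(authorities, days: 0, now: Time.now.utc)
  cutoff = now + days * 86_400
  authorities.select { |_fp, info| Time.parse(info['not_after']) <= cutoff }
end

# Constructed sample input: a throwaway self-signed CA generated in
# memory so the example runs offline. It is not a real organisation's
# certificate, only a stand-in for one installed via ca_trust::pem::anchor.
def make_test_ca(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['O', 'Example Org'], ['CN', cn]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  bundle = make_test_ca('Internal CA', Time.utc(2020, 1, 1), Time.utc(2040, 1, 1))
  puts bundled_authorities(bundle).inspect
end
```

Pointing bundled_authorities at the contents of the path in the trust_bundle fact gives the same view of the live system bundle.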

Tasks

ca_trust::rebuild - Rebuilds the system's CA trust bundle using the operating system's prescribed manner. Note that this rebuild will include any ca_trust::pem::anchors already installed on the system. This will not reset the bundle to system default.

Development

This module has been converted to use the Puppet Development Kit.

Source Validation

pdk validate

Unit Testing

pdk test unit

For better output, or to debug a specific spec, the old standby of bundle exec rake spec_prep followed by bundle exec rspec <filename> still works flawlessly. Be sure to run bundle exec rake spec_clean before going back to pdk test unit, though.

TODO

  • When beaker is ready to support CentOS 8 and Ubuntu 20, add them to nodesets.
  • Eventually support should be added for Windows platforms, to install new CAs into the system or user certificate stores.

Changes

See the change log.

Contributors

  • ja391045
