salt.modules.win_pki

Microsoft certificate management via the PKI Client PowerShell module. https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/pkiclient

The PKI Client PowerShell module is only available on Windows 8+ and Windows Server 2012+. https://technet.microsoft.com/en-us/library/hh848636(v=wps.620).aspx

platform:

Windows

depends:
  • PowerShell 4

  • PKI Client Module (Windows 8+ / Windows Server 2012+)

New in version 2016.11.0.

salt.modules.win_pki.export_cert(name, thumbprint, cert_format='cer', context='LocalMachine', store='My', password='')

Export the certificate to a file from the given certificate store.

Parameters:
  • name (str) -- The destination path for the exported certificate file.

  • thumbprint (str) -- The thumbprint value of the target certificate.

  • cert_format (str) -- The certificate format. Specify 'cer' for X.509, or 'pfx' for PKCS #12.

  • context (str) -- The name of the certificate store location context.

  • store (str) -- The name of the certificate store.

  • password (str) -- The password of the certificate. Only applicable to pfx format. Note that if used interactively, the password will be seen by all minions. To protect the password, use a state and get the password from pillar.

Returns:

A boolean representing whether all changes succeeded.

Return type:

bool

CLI Example:

salt '*' win_pki.export_cert name='C:\certs\example.cer' thumbprint='AAA000'
salt.modules.win_pki.get_cert_file(name, cert_format='cer', password='')

Get the details of the certificate file.

Parameters:
  • name (str) -- The filesystem path of the certificate file.

  • cert_format (str) -- The certificate format. Specify 'cer' for X.509, or 'pfx' for PKCS #12.

  • password (str) -- The password of the certificate. Only applicable to pfx format. Note that if used interactively, the password will be seen by all minions. To protect the password, use a state and get the password from pillar.

Returns:

A dictionary of the certificate thumbprints and properties.

Return type:

dict

CLI Example:

salt '*' win_pki.get_cert_file name='C:\certs\example.cer'
salt.modules.win_pki.get_certs(context='LocalMachine', store='My')

Get the available certificates in the given store.

Parameters:
  • context (str) -- The name of the certificate store location context.

  • store (str) -- The name of the certificate store.

Returns:

A dictionary of the certificate thumbprints and properties.

Return type:

dict

CLI Example:

salt '*' win_pki.get_certs
salt.modules.win_pki.get_stores()

Get the certificate location contexts and their corresponding stores.

Returns:

A dictionary of the certificate location contexts and stores.

Return type:

dict

CLI Example:

salt '*' win_pki.get_stores
salt.modules.win_pki.import_cert(name, cert_format='cer', context='LocalMachine', store='My', exportable=True, password='', saltenv='base')

Import the certificate file into the given certificate store.

Parameters:
  • name (str) -- The path of the certificate file to import.

  • cert_format (str) -- The certificate format. Specify 'cer' for X.509, or 'pfx' for PKCS #12.

  • context (str) -- The name of the certificate store location context.

  • store (str) -- The name of the certificate store.

  • exportable (bool) -- Mark the certificate as exportable. Only applicable to pfx format.

  • password (str) -- The password of the certificate. Only applicable to pfx format. Note that if used interactively, the password will be seen by all minions. To protect the password, use a state and get the password from pillar.

  • saltenv (str) -- The environment the file resides in.

Returns:

A boolean representing whether all changes succeeded.

Return type:

bool

CLI Example:

salt '*' win_pki.import_cert name='salt://cert.cer'
salt.modules.win_pki.remove_cert(thumbprint, context='LocalMachine', store='My')

Remove the certificate from the given certificate store.

Parameters:
  • thumbprint (str) -- The thumbprint value of the target certificate.

  • context (str) -- The name of the certificate store location context.

  • store (str) -- The name of the certificate store.

Returns:

A boolean representing whether all changes succeeded.

Return type:

bool

CLI Example:

salt '*' win_pki.remove_cert thumbprint='AAA000'
salt.modules.win_pki.test_cert(thumbprint, context='LocalMachine', store='My', untrusted_root=False, dns_name='', eku='')

Check the certificate for validity.

Parameters:
  • thumbprint (str) -- The thumbprint value of the target certificate.

  • context (str) -- The name of the certificate store location context.

  • store (str) -- The name of the certificate store.

  • untrusted_root (bool) -- Whether the root certificate is required to be trusted in chain building.

  • dns_name (str) -- The DNS name to verify as valid for the certificate.

  • eku (str) -- The enhanced key usage object identifiers to verify for the certificate chain.

Returns:

A boolean representing whether the certificate was considered valid.

Return type:

bool

CLI Example:

salt '*' win_pki.test_cert thumbprint='AAA000' dns_name='example.test'