Manage X509 certificates
New in version 2015.8.0.
depends: M2Crypto
Deprecated since version 3006.0.
Warning: This module has been deprecated and will be removed in Salt 3009 (Potassium). Please migrate to the replacement x509_v2 modules. For breaking changes between the two versions, refer to the x509_v2 execution module docs. The x509_v2 modules became the default x509 modules in Salt 3008.0 (Argon). Until the deprecated modules are removed, you can still revert to them by setting features: {x509_v2: false} in your minion configuration.
x509.create_certificate
Create an X509 certificate.
path: Path to write the certificate to.
text: If True, return the PEM text without writing to a file. Default False.
overwrite: If True (default), create_certificate will overwrite the entire PEM file. Set False to preserve existing private keys and dh params that may exist in the PEM file.
kwargs: Any of the properties below can be included as additional keyword arguments.
ca_server: Request a remotely signed certificate from ca_server. For this to work, a signing_policy must be specified, and that same policy must be configured on the ca_server. See signing_policy for details. Also, the salt master must permit peers to call the sign_remote_certificate function. The peer key is a regular expression matched against the id of the minion making the call, so the .* in the example below lets every minion publish signing requests to every other minion; narrow it to the ids that should be allowed to request certificates, and use the minions key of the signing policy to restrict which requesters a given policy accepts.
Example:
/etc/salt/master.d/peer.conf
peer:
  .*:
    - x509.sign_remote_certificate
Any of the values below can be included to set subject properties. Any other subject properties supported by OpenSSL should also work.
C: 2 letter Country code
CN: Certificate common name, typically the FQDN.
Email: Email address
GN: Given Name
L: Locality
O: Organization
OU: Organization Unit
SN: SurName
ST: State or Province
signing_private_key: A path or string of the private key in PEM format that will be used to sign this certificate. If neither signing_cert, public_key, nor csr are included, it will be assumed that this is a self-signed certificate, and the public key matching signing_private_key will be used to create the certificate.
signing_private_key_passphrase: Passphrase used to decrypt the signing_private_key.
signing_cert: A certificate matching the private key that will be used to sign this certificate. This is used to populate the issuer values in the resulting certificate. Do not include this value for self-signed certificates.
public_key: The public key to be included in this certificate. This can be sourced from a public key, certificate, CSR or private key. If a private key is used, the matching public key from the private key will be generated before any processing is done. This means you can request a certificate from a remote CA using a private key file as your public_key and only the public key will be sent across the network to the CA. If neither public_key nor csr are specified, it will be assumed that this is a self-signed certificate, and the public key derived from signing_private_key will be used. Specify either public_key or csr, not both. Because a CSR can be supplied either as public_key or as csr, it is important to understand the difference: if you pass a CSR as public_key, only the public key is taken from it, and the subject and extension information in the CSR is lost.
public_key_passphrase: If the public key is supplied as a private key, this is the passphrase used to decrypt it.
csr: A file or PEM string containing a certificate signing request. This will be used to supply the subject, extensions and public key of a certificate. Any subject or extensions specified explicitly will overwrite any in the CSR. Because explicit arguments win, a CA should set basicConstraints and keyUsage itself (directly or through a signing policy) rather than trusting whatever extensions the requester placed in the CSR.
The following arguments set X509v3 Extension values. If the value starts with critical, the extension will be marked as critical.
Some special extensions are subjectKeyIdentifier and authorityKeyIdentifier.
subjectKeyIdentifier can be an explicit value or it can be the special string hash. hash will set the subjectKeyIdentifier equal to the SHA1 hash of the modulus of the public key in this certificate. Note that this is not the exact same hashing method used by OpenSSL when using the hash value: the openssl CLI follows RFC 5280 and hashes the DER-encoded subjectPublicKey, so a key identifier computed with openssl for the same key will not match the one Salt writes. This only matters when mixing tools; within a Salt-issued chain the authorityKeyIdentifier is copied from the signing certificate, so chain building is unaffected.
authorityKeyIdentifier: Use values acceptable to the openssl CLI tools. This will automatically populate authorityKeyIdentifier with the subjectKeyIdentifier of signing_cert. If this is a self-signed cert these values will be the same.
basicConstraints: X509v3 Basic Constraints
keyUsage: X509v3 Key Usage
extendedKeyUsage: X509v3 Extended Key Usage
subjectKeyIdentifier: X509v3 Subject Key Identifier
issuerAltName: X509v3 Issuer Alternative Name
subjectAltName: X509v3 Subject Alternative Name
crlDistributionPoints: X509v3 CRL Distribution Points
issuingDistributionPoint: X509v3 Issuing Distribution Point
certificatePolicies: X509v3 Certificate Policies
policyConstraints: X509v3 Policy Constraints
inhibitAnyPolicy: X509v3 Inhibit Any Policy
nameConstraints: X509v3 Name Constraints
noCheck: X509v3 OCSP No Check
nsComment: Netscape Comment
nsCertType: Netscape Certificate Type
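The difference between the two subjectKeyIdentifier "hash" schemes, as an added example (not Salt's own code). skid_rfc5280() is method (1) of RFC 5280 section 4.2.1.2, which is what the openssl CLI computes for an RSA key: SHA-1 over the DER RSAPublicKey that forms the subjectPublicKey BIT STRING. skid_modulus_hash() is the scheme the page describes, SHA-1 over the modulus alone; the exact byte encoding Salt/M2Crypto feed to SHA-1 is not stated on the page, so hashing the modulus as big-endian bytes is an assumption here. The toy key and every function name are constructed for the example.

```python
# Added illustration, not Salt's own code. Shows why a key identifier
# produced by "subjectKeyIdentifier: hash" will not match the value the
# openssl CLI derives for the same RSA key, and why AKID chaining still works.
import hashlib


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    """DER INTEGER for a non-negative int: minimal bytes, 0x00 pad if the high bit is set."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def der_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def _colon_hex(hexdigest):
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


def skid_rfc5280(n, e):
    """RFC 5280 method (1): SHA-1 of the subjectPublicKey BIT STRING value."""
    return _colon_hex(hashlib.sha1(der_rsa_public_key(n, e)).hexdigest())


def skid_modulus_hash(n):
    """The scheme the page describes: SHA-1 over the modulus alone.
    ASSUMPTION: modulus hashed as big-endian bytes (not stated on the page)."""
    return _colon_hex(hashlib.sha1(
        n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest())


def authority_key_identifier(signing_cert_skid):
    """authorityKeyIdentifier keyid is copied verbatim from the issuer's SKID,
    so a chain verifies whichever scheme produced the issuer's value."""
    return signing_cert_skid


if __name__ == "__main__":
    # Constructed toy key (far too small for real use): n = 0xC3, e = 3.
    n, e = 0xC3, 3
    print(der_rsa_public_key(n, e).hex())   # 3007020200c3020103
    print("openssl-style SKID:", skid_rfc5280(n, e))
    print("modulus-hash SKID: ", skid_modulus_hash(n))
```

To check a Salt-issued certificate against this, compare the X509v3 Subject Key Identifier that x509.read_certificate reports with the output of openssl x509 -noout -ext subjectKeyIdentifier on the same file: they differ, but the authorityKeyIdentifier of any certificate signed under it still equals whatever the issuer's stored SKID is.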
days_valid: The number of days this certificate should be valid. This sets the notAfter property of the certificate. Defaults to 365.
version: The version of the X509 certificate. Defaults to 3. This is automatically converted to the version value, so version=3 sets the certificate version field to 0x2.
serial_number: The serial number to assign to this certificate. If omitted a random serial number of size serial_bits is generated. A CRL revokes by serial number, so a serial you supply yourself must never be reused under the same issuer.
serial_bits: The number of bits to use when randomly generating a serial number. Defaults to 64.
algorithm: The hashing algorithm to be used for signing this certificate. Defaults to sha256.
copypath: An additional path to copy the resulting certificate to. Can be used to maintain a copy of all certificates issued for revocation purposes.
prepend_cn: If set to True, the CN and a dash will be prepended to the copypath's filename.
Example:
/etc/pki/issued_certs/www.example.com-DE:CA:FB:AD:00:00:00:00.crt
signing_policy: A signing policy that should be used to create this certificate. Signing policies should be defined in the minion configuration, or in a minion pillar. It should be a YAML formatted list of arguments which will override any arguments passed to this function. If the minions key is included in the signing policy, only minions matching that pattern (see match.glob and match.compound) will be permitted to remotely request certificates from that policy.
For match.compound to work, the salt master must permit peers to call it.
Example:
/etc/salt/master.d/peer.conf
peer:
  .*:
    - match.compound
Example:
x509_signing_policies:
  www:
    - minions: 'www*'
    - signing_private_key: /etc/pki/ca.key
    - signing_cert: /etc/pki/ca.crt
    - C: US
    - ST: Utah
    - L: Salt Lake City
    - basicConstraints: "critical CA:false"
    - keyUsage: "critical cRLSign, keyCertSign"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 90
    - copypath: /etc/pki/issued_certs/
The above signing policy can be invoked with signing_policy=www
Note that the keyUsage in this example (cRLSign, keyCertSign) is the set a CA certificate carries; for a TLS server certificate issued with CA:false you would normally set keyUsage to digitalSignature, keyEncipherment and extendedKeyUsage to serverAuth.
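How a signing policy constrains a remote request, as an added illustration that is not Salt's own code. It reproduces the two rules the text states: the requesting minion id must match the policy's minions pattern, and every key the policy defines overrides what the requester sent. The policy is the "www" example above, re-typed as Python; the compound matcher is not modelled (a plain glob stands in for match.glob), and PolicyError, load_policy, apply_signing_policy and overridden_keys are invented names.

```python
# Added illustration, not Salt's own code: the decision a CA minion makes
# before create_certificate runs with a signing_policy.
import fnmatch

# Constructed policy, copied from the x509_signing_policies example on the page.
SIGNING_POLICIES = {
    "www": [
        {"minions": "www*"},
        {"signing_private_key": "/etc/pki/ca.key"},
        {"signing_cert": "/etc/pki/ca.crt"},
        {"C": "US"},
        {"ST": "Utah"},
        {"L": "Salt Lake City"},
        {"basicConstraints": "critical CA:false"},
        {"keyUsage": "critical cRLSign, keyCertSign"},
        {"subjectKeyIdentifier": "hash"},
        {"authorityKeyIdentifier": "keyid,issuer:always"},
        {"days_valid": 90},
        {"copypath": "/etc/pki/issued_certs/"},
    ],
}


class PolicyError(Exception):
    """Request refused before any signing happens."""


def load_policy(name, policies=SIGNING_POLICIES):
    """Flatten the YAML list-of-single-key-dicts into one mapping."""
    if name not in policies:
        raise PolicyError(f"signing policy {name!r} is not configured")
    flat = {}
    for item in policies[name]:
        flat.update(item)
    return flat


def apply_signing_policy(policy_name, requester_id, request_kwargs,
                         policies=SIGNING_POLICIES):
    """Return the kwargs create_certificate would really sign with.

    1. The requesting minion id (__pub_id) must match the policy's
       ``minions`` pattern, otherwise the request is refused outright.
    2. Every key the policy defines replaces whatever the requester sent, so
       a requester cannot escalate to CA:true, a longer lifetime or another
       signing key; only keys the policy is silent on (CN, subjectAltName,
       public_key, ...) are taken from the request.
    """
    policy = load_policy(policy_name, policies)
    pattern = policy.pop("minions", None)      # not a certificate argument
    if pattern is not None and not fnmatch.fnmatchcase(requester_id, pattern):
        raise PolicyError(
            f"{requester_id} not permitted to use signing policy {policy_name}")
    merged = dict(request_kwargs)
    merged.update(policy)                      # policy wins on every conflict
    return merged


def overridden_keys(policy_name, request_kwargs, policies=SIGNING_POLICIES):
    """Requester arguments the policy silently replaced (worth logging on the CA)."""
    policy = load_policy(policy_name, policies)
    return sorted(k for k, v in request_kwargs.items()
                  if k in policy and policy[k] != v)


if __name__ == "__main__":
    # Constructed request: www1 tries to obtain a ten-year CA certificate.
    request = {"public_key": "/etc/pki/www.key", "CN": "www1.example.com",
               "basicConstraints": "CA:true", "days_valid": 3650}
    print(apply_signing_policy("www", "www1", request))
    print("overridden:", overridden_keys("www", request))
```

The second function is the part worth keeping on a real CA: a requester that keeps asking for CA:true or a long lifetime is either misconfigured or probing, and the policy override hides that unless it is logged.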
not_before: Initial validity date for the certificate. This date must be specified in the format '%Y-%m-%d %H:%M:%S'.
New in version 3001.
not_after: Final validity date for the certificate. This date must be specified in the format '%Y-%m-%d %H:%M:%S'.
New in version 3001.
CLI Example:
salt '*' x509.create_certificate path=/etc/pki/myca.crt signing_private_key='/etc/pki/myca.key' csr='/etc/pki/myca.csr'
x509.create_crl
Create a CRL.
depends: PyOpenSSL Python module
path: Path to write the CRL to.
text: If True, return the PEM text without writing to a file. Default False.
signing_private_key: A path or string of the private key in PEM format that will be used to sign the CRL. This is required.
signing_private_key_passphrase: Passphrase to decrypt the private key.
signing_cert: A certificate matching the private key that will be used to sign the CRL. This is required.
revoked: A list of dicts containing all the certificates to revoke. Each dict represents one certificate. A dict must contain either the key serial_number with the value of the serial number to revoke, or certificate with either the PEM encoded text of the certificate, or a path to the certificate to revoke.
The dict can optionally contain the revocation_date key. If this key is omitted the revocation date will be set to now. It should be a string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the not_after key. This is redundant if the certificate key is included. If the certificate key is not included, this can be used for the logic behind the include_expired parameter. It should be a string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the reason key. This is the reason code for the revocation. Available choices are unspecified, keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation and certificateHold.
include_expired: Include expired certificates in the CRL. Default is False.
days_valid: The number of days that the CRL should be valid. This sets the Next Update field in the CRL. Relying parties reject a CRL whose Next Update has passed, so this must be comfortably longer than the interval at which you regenerate and publish the CRL.
digest: The digest to use for signing the CRL. This has no effect on versions of pyOpenSSL less than 0.14.
CLI Example:
salt '*' x509.create_crl path=/etc/pki/ca.crl \
  signing_private_key=/etc/pki/ca.key \
  signing_cert=/etc/pki/ca.crt \
  revoked="[{'certificate': '/etc/pki/certs/www1.crt', 'revocation_date': '2015-03-01 00:00:00', 'reason': 'keyCompromise'}]"
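What create_crl has to do with the revoked list before it can build a CRL, as an added example that is not Salt's own code. It validates the documented dict keys, the date format and the reason codes, and applies the include_expired rule. The certificate lookup is a constructed stand-in for read_certificate() (a real implementation reads the serial and notAfter from the PEM), and normalise_entry, select_revocations and FAKE_CERT_STORE are invented names.

```python
# Added illustration, not Salt's own code: turning the documented `revoked`
# structure into the entries a CRL will actually list.
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"
REASONS = {"unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
           "superseded", "cessationOfOperation", "certificateHold"}

# Constructed stand-in for read_certificate(): path -> (serial, notAfter).
FAKE_CERT_STORE = {
    "/etc/pki/certs/www1.crt": ("DE:CA:FB:AD:00:00:00:01", "2099-01-01 00:00:00"),
    "/etc/pki/certs/old.crt": ("DE:CA:FB:AD:00:00:00:02", "2016-01-01 00:00:00"),
}


def _ts(value):
    """Parse the page's date format; anything else is a hard error."""
    return datetime.strptime(value, DATE_FMT)


def normalise_entry(item, now, cert_store=FAKE_CERT_STORE):
    """Validate one revoked dict.

    Returns (serial_hex, revocation_date, reason, not_after-or-None)."""
    if "certificate" in item:
        serial, not_after = cert_store[item["certificate"]]   # real code reads the PEM
    elif "serial_number" in item:
        serial, not_after = item["serial_number"], item.get("not_after")
    else:
        raise ValueError("revoked entry needs 'serial_number' or 'certificate'")
    reason = item.get("reason", "unspecified")
    if reason not in REASONS:
        raise ValueError(f"unknown revocation reason {reason!r}")
    rev_date = _ts(item["revocation_date"]) if "revocation_date" in item else now
    return (serial.replace(":", "").upper(), rev_date, reason,
            _ts(not_after) if not_after else None)


def select_revocations(revoked, include_expired=False, now=None,
                       cert_store=FAKE_CERT_STORE):
    """The entries that will be written into the CRL."""
    now = now or datetime.now()
    selected = []
    for item in revoked:
        serial, rev_date, reason, not_after = normalise_entry(item, now, cert_store)
        # An already-expired certificate is rejected by relying parties anyway,
        # so it is dropped unless include_expired=True. A serial-only entry
        # without not_after has unknown expiry and is always kept.
        if not_after is not None and not_after < now and not include_expired:
            continue
        selected.append({"serial_number": serial, "revocation_date": rev_date,
                         "reason": reason})
    return selected


if __name__ == "__main__":
    # Constructed revocation list exercising all three entry shapes.
    revoked = [
        {"certificate": "/etc/pki/certs/www1.crt",
         "revocation_date": "2015-03-01 00:00:00", "reason": "keyCompromise"},
        {"certificate": "/etc/pki/certs/old.crt", "reason": "superseded"},
        {"serial_number": "0a:0b:0c", "not_after": "2030-01-01 00:00:00"},
    ]
    for entry in select_revocations(revoked, now=_ts("2020-01-01 00:00:00")):
        print(entry)
```

Two things to keep in mind when driving create_crl from this kind of data: certificateHold is the only reason that may later be lifted, so entries with any other reason should stay in the list until the certificate has expired; and dropping expired certificates (the default) is what keeps a long-lived CA's CRL from growing without bound.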
x509.create_csr
Create a certificate signing request.
path: Path to write the certificate signing request to.
text: If True, return the PEM text without writing to a file. Default False.
algorithm: The hashing algorithm to be used for signing this request. Defaults to sha256.
kwargs: The subject, extension and version arguments from x509.create_certificate can be used.
CLI Example:
salt '*' x509.create_csr path=/etc/pki/myca.csr public_key='/etc/pki/myca.key' CN='My Cert'
x509.create_private_key
Creates a private key in PEM format.
path: The path to write the file to; either path or text is required.
text: If True, return the PEM text without writing to a file. Default False.
bits: Length of the private key in bits. Default 2048.
passphrase: Passphrase for encrypting the private key.
cipher: Cipher for encrypting the private key. Has no effect if passphrase is None.
verbose: Provide visual feedback on stdout. Default True.
New in version 2016.11.0.
CLI Example:
salt '*' x509.create_private_key path=/etc/pki/mykey.key
x509.expired
Returns a dict containing limited details of a certificate and whether the certificate has expired.
New in version 2016.11.0.
certificate: The certificate to be read. Can be a path to a certificate file, or a string containing the PEM formatted text of the certificate.
CLI Example:
salt '*' x509.expired "/etc/pki/mycert.crt"
x509.get_pem_entries
Returns a dict containing PEM entries in files matching a glob.
glob_path: A path to certificates to be read and returned.
CLI Example:
salt '*' x509.get_pem_entries "/etc/pki/*.crt"
x509.get_pem_entry
Returns a properly formatted PEM string from the input text, fixing any whitespace or line-break issues.
text: Text containing the X509 PEM entry to be returned, or path to a file containing the text.
pem_type: If specified, this function will only return a pem of a certain type, for example 'CERTIFICATE' or 'CERTIFICATE REQUEST'.
CLI Example:
salt '*' x509.get_pem_entry "-----BEGIN CERTIFICATE REQUEST-----MIICyzCC Ar8CAQI...-----END CERTIFICATE REQUEST-----"
x509.get_private_key_size
Returns the bit length of a private key in PEM format.
private_key: A path or PEM encoded string containing a private key.
CLI Example:
salt '*' x509.get_private_key_size /etc/pki/mycert.key
x509.get_public_key
Returns a string containing the public key in PEM format.
key: A path or PEM encoded string containing a CSR, Certificate or Private Key from which a public key can be retrieved.
CLI Example:
salt '*' x509.get_public_key /etc/pki/mycert.cer
x509.get_signing_policy
Returns the details of a named signing policy, including the text of the public key that will be used to sign certificates issued under it. Does not return the private key.
signing_policy_name: Name of the signing policy to return.
CLI Example:
salt '*' x509.get_signing_policy www
x509.read_certificate
Returns a dict containing details of a certificate. Input can be a PEM string or file path.
certificate: The certificate to be read. Can be a path to a certificate file, or a string containing the PEM formatted text of the certificate.
CLI Example:
salt '*' x509.read_certificate /etc/pki/mycert.crt
x509.read_certificates
Returns a dict containing details of all certificates matching a glob.
glob_path: A path to certificates to be read and returned.
CLI Example:
salt '*' x509.read_certificates "/etc/pki/*.crt"
x509.read_crl
Returns a dict containing details of a certificate revocation list. Input can be a PEM string or file path.
depends: OpenSSL command line tool
crl: A path or PEM encoded string containing the CRL to read.
CLI Example:
salt '*' x509.read_crl /etc/pki/mycrl.crl
x509.read_csr
Returns a dict containing details of a certificate request.
depends: OpenSSL command line tool
csr: A path or PEM encoded string containing the CSR to read.
CLI Example:
salt '*' x509.read_csr /etc/pki/mycert.csr
x509.sign_remote_certificate
Request a certificate to be remotely signed according to a signing policy.
argdic: A dict containing all the arguments to be passed into the create_certificate function. This will become kwargs when passed to create_certificate.
kwargs: kwargs delivered from publish.publish. When the call arrives through publish.publish, __pub_id carries the requesting minion's id; it is what the signing policy's minions key is matched against.
CLI Example:
salt '*' x509.sign_remote_certificate argdic="{'public_key': '/etc/pki/www.key', 'signing_policy': 'www'}" __pub_id='www1'
x509.verify_crl
Validate a CRL against a certificate. Parses openssl command line output; this is a workaround for M2Crypto not exposing CRL verification.
crl: The CRL to verify.
cert: The certificate to verify the CRL against.
CLI Example:
salt '*' x509.verify_crl crl=/etc/pki/myca.crl cert=/etc/pki/myca.crt
x509.verify_private_key
Verify that private_key matches public_key.
private_key: The private key to verify, can be a string or path to a private key in PEM format.
public_key: The public key to verify, can be a string or path to a PEM formatted certificate, CSR, or another private key.
passphrase: Passphrase to decrypt the private key.
CLI Example:
salt '*' x509.verify_private_key private_key=/etc/pki/myca.key \
  public_key=/etc/pki/myca.crt
x509.verify_signature
Verify that certificate has been signed by signing_pub_key. This checks the signature against the one supplied key only; it does not build a chain, check validity dates, or consult a CRL.
certificate: The certificate to verify. Can be a path or string containing a PEM formatted certificate.
signing_pub_key: The public key to verify, can be a string or path to a PEM formatted certificate, CSR, or private key.
signing_pub_key_passphrase: Passphrase to the signing_pub_key if it is an encrypted private key.
CLI Example:
salt '*' x509.verify_signature /etc/pki/mycert.pem \
  signing_pub_key=/etc/pki/myca.crt
x509.will_expire
Returns a dict containing details of a certificate and whether the certificate will expire in the specified number of days. Input can be a PEM string or file path.
New in version 2016.11.0.
certificate: The certificate to be read. Can be a path to a certificate file, or a string containing the PEM formatted text of the certificate.
days: The number of days ahead to check for expiration.
CLI Example:
salt '*' x509.will_expire "/etc/pki/mycert.crt" days=30
x509.write_pem
Writes out a PEM string, fixing any formatting or whitespace issues before writing.
text: PEM string input to be written out.
path: Path of the file to write the PEM out to.
overwrite: If True (default), write_pem will overwrite the entire PEM file. Set False to preserve existing private keys and dh params that may exist in the PEM file.
pem_type: The PEM type to be saved, for example CERTIFICATE or PUBLIC KEY. Adding this will allow the function to take input that may contain multiple PEM types.
CLI Example:
salt '*' x509.write_pem "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." path=/etc/pki/mycert.crt
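A small PEM entry parser that performs the whitespace and line-break repair described for get_pem_entry and get_pem_entries, together with merge_pem_file(), which shows what a write_pem call with overwrite=False must preserve when a certificate is written into a file that already holds a private key. This is an added example and a reimplementation, not Salt's code: the function names get_pem_entries and get_pem_entry are borrowed from the page for readability, while merge_pem_file and PRESERVED_TYPES are invented. The PEM blobs are constructed test data, not real keys or certificates, and legacy encrypted-key headers inside the body (Proc-Type:, DEK-Info:) are not handled.

```python
# Added illustration, not Salt's own code: PEM normalisation as described for
# get_pem_entry, and the overwrite=False behaviour described for write_pem.
import re

_PEM_RE = re.compile(
    r"-----BEGIN (?P<type>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=type)-----",
    re.S)

# Entry types that overwrite=False keeps when a new entry is written into
# the same file (the page names private keys and DH parameters).
PRESERVED_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                   "ENCRYPTED PRIVATE KEY", "DH PARAMETERS"}


def get_pem_entries(text):
    """Every (type, normalised PEM) entry in `text`, in file order.

    Whitespace inside the base64 body is discarded and the body is re-wrapped
    at 64 columns, so a blob pasted onto one line or mangled by a shell still
    comes out as valid PEM."""
    entries = []
    for m in _PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", m.group("body"))
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        pem = (f"-----BEGIN {m.group('type')}-----\n" + "\n".join(lines)
               + f"\n-----END {m.group('type')}-----\n")
        entries.append((m.group("type"), pem))
    return entries


def get_pem_entry(text, pem_type=None):
    """Return exactly one normalised entry; fail loudly rather than guess."""
    entries = [e for e in get_pem_entries(text)
               if pem_type is None or e[0] == pem_type]
    if not entries:
        wanted = f" of type {pem_type}" if pem_type else ""
        raise ValueError(f"no PEM entry{wanted} found")
    if pem_type is None and len(entries) > 1:
        raise ValueError("input holds several PEM entries; pass pem_type")
    return entries[0][1]


def merge_pem_file(existing, new_text, overwrite=True, pem_type=None):
    """File contents after write_pem(new_text, path, overwrite, pem_type).

    overwrite=True replaces the whole file. overwrite=False keeps any private
    key or DH parameters already present (a certificate renewal must not
    destroy the key it belongs to) and replaces everything else."""
    new_pem = get_pem_entry(new_text, pem_type)
    if overwrite:
        return new_pem
    kept = [pem for t, pem in get_pem_entries(existing) if t in PRESERVED_TYPES]
    return "".join(kept) + new_pem


if __name__ == "__main__":
    # Constructed file holding a key and an old certificate (not real key material).
    existing = ("-----BEGIN RSA PRIVATE KEY-----\nKEYKEYKEY\n-----END RSA PRIVATE KEY-----\n"
                "-----BEGIN CERTIFICATE-----\nOLDCERT\n-----END CERTIFICATE-----\n")
    renewed = "-----BEGIN CERTIFICATE-----NEWC ERT\n-----END CERTIFICATE-----"
    print(merge_pem_file(existing, renewed, overwrite=False))
```

The renewal case is the one that bites in practice: a state that writes a fresh certificate into a combined key-and-cert file with the default overwrite=True silently deletes the private key, and the service only notices at its next restart.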