cryptography
New in version 3006.0: This module represents a complete rewrite of the original x509
modules
and is named x509_v2
since it introduces breaking changes.
Changed in version 3008.0: This module is now the default x509
module and therefore does not need
to be enabled explicitly anymore.
Note
PKCS12-related operations require at least cryptography release 36.
PKCS12-related operations with Edwards-curve keys require at least cryptography release 37.
PKCS7-related operations require at least cryptography release 37.
To be able to remotely sign certificates, it is required to configure the Salt master to allow Peer Communication:
# /etc/salt/master.d/peer.conf
peer:
.*:
- x509.sign_remote_certificate
In order for the Compound Matcher to work with restricting signing
policies to a subset of minions, in addition calls to
match.compound_matches
by the minion acting as the CA must be permitted:
# /etc/salt/master.d/peer.conf
peer:
.*:
- x509.sign_remote_certificate
peer_run:
ca_server:
- match.compound_matches
Note
When compound match expressions are employed, pillar values can only be matched literally. This is a barrier to enumeration attacks by the CA server.
Also note that compound matching requires a minion data cache on the master.
Any certificate signing request will be denied if minion_data_cache
is
disabled (it is enabled by default).
Note
Since grain values are controlled by minions, you should avoid using them to restrict certificate issuance.
Changed in version 3007.0: Previously, a compound expression match was validated by the requesting minion itself via peer publishing, which did not protect from compromised minions. The new match validation takes place on the master using peer running.
In addition, the minion representing the CA needs to have at least one signing policy configured, remote calls not referencing one are always rejected.
The parameters specified in this signing policy override any
parameters passed from the minion requesting the certificate. It can be
configured in the CA minion's pillar, which takes precedence, or any
location config.get
looks up in.
Signing policies are defined under x509_signing_policies
.
You can restrict which minions can request a certificate under a configured
signing policy by specifying a matcher in minions
. This can be a glob
or compound matcher (for the latter, see the notes above).
x509_signing_policies:
www:
- minions: 'www*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
- C: US
- ST: Utah
- L: Salt Lake City
- basicConstraints: "critical, CA:false"
- keyUsage: "critical, cRLSign, keyCertSign"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: 90
- copypath: /etc/pki/issued_certs/
Note
The following semantics are applied regarding the order of preference for specifying the subject name:
If neither subject
nor any name attributes (like CN
) are part of the policy,
issued certificates can contain any requested ones.
If any name attributes are specified in the signing policy, subject
contained
in requests is ignored.
If subject
is specified in the signing policy, any name attributes are ignored.
If the request contains the same data type for subject
as the signing policy
(for dicts and lists, and only then), merging is performed, otherwise subject
is taken from the signing policy. Dicts are merged and list items are appended,
with the items taken from the signing policy having priority.
x509
modules¶The output format has changed for all read_*
functions as well as the state return dict.
The formatting of some extension definitions might have changed, but should be stable for most basic use cases.
The default ordering of RDNs/Name Attributes in the subject's Distinguished Name has been adapted to industry standards. This might cause a reissuance during the first state run.
For x509.private_key_managed
, the file mode defaults to 0400
. This should
be considered a bug fix because writing private keys with world-readable
permissions by default is a security issue.
Restricting signing policies using compound match expressions requires peer run permissions instead of peer publishing permissions:
# x509, x509_v2 in 3006.*
peer:
ca_server:
- match.compound
# x509_v2 from 3007.0 onwards
peer_run:
ca_server:
- match.compound_matches
Note that when a ca_server
is involved, both peers must use the updated module version.
Until they are removed, you can still revert to the deprecated x509
modules
by setting the following minion configuration value:
# /etc/salt/minion.d/x509.conf
features:
x509_v2: false
Create an X.509 certificate and return an encoded version of it.
Note
All parameters that take a public key, private key or certificate can be specified either as a PEM/hex/base64 string or a path to a local file encoded in all supported formats for the type.
CLI Example:
salt '*' x509.create_certificate signing_private_key='/etc/pki/myca.key' csr='/etc/pki/my.csr'
Request a remotely signed certificate from ca_server. For this to
work, a signing_policy
must be specified, and that same policy
must be configured on the ca_server. See Signing policies for
details. Also, the Salt master must permit peers to call the
sign_remote_certificate
function, see Peer communication.
The name of a configured signing policy. Parameters specified in there are hardcoded and cannot be overridden. This is required for remote signing, otherwise optional. See Signing policies for details.
Specify the encoding of the resulting certificate. It can be returned
as a pem
(or pkcs7_pem
) string or several (base64-encoded)
binary formats (der
, pkcs7_der
, pkcs12
). Defaults to pem
.
A list of additional certificates to append to the new one, e.g. to create a CA chain.
Note
Mind that when der
encoding is in use, appending certificatees is prohibited.
Create a copy of the issued certificate in PEM format in this directory.
The file will be named <serial_number>.crt
if prepend_cn is False.
When copypath
is set, prepend the common name of the certificate to
the file name like so: <CN>-<serial_number>.crt
. Defaults to false.
When encoding a certificate as pkcs12
, encrypt it with this passphrase.
Note
PKCS12 encryption is very weak and should not be relied on for security.
OpenSSL 3 and cryptography v37 switched to a much more secure default encryption for PKCS12, which might be incompatible with some systems. This forces the legacy encryption. Defaults to False.
When encoding a certificate as pkcs12
, a name for the certificate can be included.
Instead of returning the certificate, write it to this file path.
If path
is specified and the file exists, overwrite it.
Defaults to true.
Return the encoded raw bytes instead of a string. Defaults to false.
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to sha256
.
This will be ignored for ed25519
and ed448
key types.
The private key corresponding to the public key the certificate should
be issued for. This is one way of specifying the public key that will
be included in the certificate, the other ones being public_key
and csr
.
If private_key
is specified and encrypted, the passphrase to decrypt it.
The public key the certificate should be issued for. Other ways of passing
the required information are private_key
and csr
. If neither are set,
the public key of the signing_private_key
will be included, i.e.
a self-signed certificate is generated.
A certificate signing request to use as a base for generating the certificate. The following information will be respected, depending on configuration: * public key * extensions, if not otherwise specified (arguments, signing_policy)
The CA certificate to be used for signing the issued certificate.
The private key corresponding to the public key in signing_cert
. Required.
If signing_private_key
is encrypted, the passphrase to decrypt it.
A serial number to be embedded in the certificate. If unspecified, will autogenerate one. This should be an integer, either in decimal or hexadecimal notation.
Set a specific date the certificate should not be valid before.
The format should follow %Y-%m-%d %H:%M:%S
and will be interpreted as GMT/UTC.
Defaults to the time of issuance.
Set a specific date the certificate should not be valid after.
The format should follow %Y-%m-%d %H:%M:%S
and will be interpreted as GMT/UTC.
If unspecified, defaults to the current time plus days_valid
days.
If not_after
is unspecified, the number of days from the time of issuance
the certificate should be valid for. Defaults to 30
.
The subject's distinguished name embedded in the certificate. This is one way of
passing this information (see kwargs
below for the other).
This argument will be preferred and allows to control the order of RDNs in the DN
as well as to embed RDNs with multiple attributes.
This can be specified as an RFC4514-encoded string (CN=example.com,O=Example Inc,C=US
,
mind that the rendered order is reversed from what is embedded), a list
of RDNs encoded as in RFC4514 (["C=US", "O=Example Inc", "CN=example.com"]
)
or a dictionary ({"CN": "example.com", "C": "US", "O": "Example Inc"}
,
default ordering).
Multiple name attributes per RDN are concatenated with a +
.
Note
Parsing of RFC4514 strings requires at least cryptography release 37.
Embedded X.509v3 extensions and the subject's distinguished name can be controlled via supplemental keyword arguments. See the following for an overview.
C, ST, L, STREET, O, OU, CN, MAIL, SN, GN, UID, SERIALNUMBER
Most extensions can be configured using the same string format as OpenSSL,
while some require adjustments. In general, since the strings are
parsed to dicts/lists, you can always use the latter formats directly.
Marking an extension as critical is done by including it at the beginning
of the configuration string, in the list or as a key in the dictionary
with the value true
.
Examples (some showcase dict/list correspondance):
critical, CA:TRUE, pathlen:1
or
- basicConstraints:
critical: true
ca: true
pathlen: 1
critical, cRLSign, keyCertSign
or
- keyUsage:
- critical
- cRLSign
- keyCertSign
This can be an explicit value or hash
, in which case the value
will be set to the SHA1 hash of some encoding of the associated public key,
depending on the underlying algorithm (RSA/ECDSA/EdDSA).
keyid:always, issuer
There is support for all OpenSSL-defined types except otherName
.
email:me@example.com,DNS:example.com
or
# mind this being a list, not a dict
- subjectAltName:
- email:me@example.com
- DNS:example.com
The syntax is the same as for subjectAltName
, except that the additional
value issuer:copy
is supported, which will copy the values of
subjectAltName
in the issuer's certificate.
OCSP;URI:http://ocsp.example.com/,caIssuers;URI:http://myca.example.com/ca.cer
When set to a string value, items are interpreted as fullnames:
URI:http://example.com/myca.crl, URI:http://example.org/my.crl
There is also support for more attributes using the full form:
- crlDistributionPoints:
- fullname: URI:http://example.com/myca.crl
crlissuer: DNS:example.org
reasons:
- keyCompromise
- URI:http://example.org/my.crl
critical, 1.2.4.5, 1.1.3.4
Again, there is support for more attributes using the full form:
- certificatePolicies:
critical: true
1.2.3.4.5: https://my.ca.com/pratice_statement
1.2.4.5.6:
- https://my.ca.com/pratice_statement
- organization: myorg
noticeNumbers: [1, 2, 3]
text: mytext
requireExplicitPolicy:3,inhibitPolicyMapping:1
The value is just an integer: - inhibitAnyPolicy: 1
critical,permitted;IP:192.168.0.0/255.255.0.0,permitted;email:.example.com,excluded;email:.com
- nameConstraints:
critical: true
permitted:
- IP:192.168.0.0/24
- email:.example.com
excluded:
- email:.com
This extension does not take any values, except critical
. Just the presence
in the keyword args will include it.
status_request
For more information, visit the OpenSSL docs.
Create a certificate revocation list.
CLI Example:
salt '*' x509.create_crl signing_cert=/etc/pki/ca.crt signing_private_key=/etc/pki/ca.key revoked="[{'certificate': '/etc/pki/certs/www1.crt', 'revocation_date': '2015-03-01 00:00:00'}]"
Your certificate authority's private key. It will be used to sign the CRL. Required.
A list of dicts containing all the certificates to revoke. Each dict
represents one certificate. A dict must contain either the key
serial_number
with the value of the serial number to revoke, or
certificate
with some reference to the certificate to revoke.
The dict can optionally contain the revocation_date
key. If this
key is omitted, the revocation date will be set to now. It should be a
string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the not_after
key. This is
redundant if the certificate
key is included, since it will be
sourced from the certificate. If the certificate
key is not included,
this can be used for the logic behind the include_expired
parameter.
It should be a string in the format "%Y-%m-%d %H:%M:%S".
The dict can also optionally contain the extensions
key, which
allows to set CRL entry-specific extensions. The following extensions
are supported:
Identifies the certificate issuer associated with an entry in an indirect CRL. The format is the same as for subjectAltName.
Identifies the reason for certificate revocation.
Available choices are unspecified
, keyCompromise
, CACompromise
,
affiliationChanged
, superseded
, cessationOfOperation
,
certificateHold
, privilegeWithdrawn
, aACompromise
and
removeFromCRL
.
Provides the date on which the certificate likely became invalid.
The value should be a string in the same format as revocation_date
.
The CA certificate to be used for signing the CRL.
If signing_private_key
is encrypted, the passphrase to decrypt it.
Also include already expired certificates in the CRL. Defaults to false.
The number of days the CRL should be valid for. This sets the Next Update
field. Defaults to 100
(until v3009) or 7
(from v3009 onwards).
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to sha256
.
This will be ignored for ed25519
and ed448
key types.
Specify the encoding of the resulting certificate revocation list.
It can be returned as a pem
string or base64-encoded der
.
Defaults to pem
.
Add CRL extensions. The following are available:
Specifies a sequential number for each CRL issued by a CA. Values must be integers.
If the CRL is a delta CRL, this value points to the cRLNumber of the base cRL. Values must be integers.
Identifies how delta CRL information is obtained. The format
is the same as crlDistributionPoints
.
Identifies the CRL distribution point for a particular CRL and
indicates what kinds of revocation it covers. The format is
comparable to crlDistributionPoints
. Specify as follows:
issuingDistributionPoint:
fullname: # or relativename with RDN
- URI:http://example.com/myca.crl
onlysomereasons:
- keyCompromise
onlyuser: true
onlyCA: true
onlyAA: true
indirectCRL: false
Instead of returning the CRL, write it to this file path.
Return the encoded raw bytes instead of a string. Defaults to false.
Create a certificate signing request.
CLI Example:
salt '*' x509.create_csr private_key='/etc/pki/myca.key' CN='My Cert'
The private key corresponding to the public key the certificate should be issued for. The CSR will be signed by it. Required.
If private_key
is encrypted, the passphrase to decrypt it.
The hashing algorithm to use for the signature. Valid values are:
sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224,
sha3_256, sha3_384, sha3_512. Defaults to sha256
.
This will be ignored for ed25519
and ed448
key types.
Specify the encoding of the resulting certificate signing request.
It can be returned as a pem
string or base64-encoded der
.
Defaults to pem
.
Instead of returning the CSR, write it to this file path.
Return the encoded raw bytes instead of a string. Defaults to false.
Embedded X.509v3 extensions and the subject's distinguished name can be
controlled via supplemental keyword arguments.
See x509.create_certificate
for an overview. Mind that some extensions are not available for CSR
(authorityInfoAccess
, authorityKeyIdentifier
,
issuerAltName
, crlDistributionPoints
).
Create a private key.
CLI Example:
salt '*' x509.create_private_key algo=ec keysize=384
The digital signature scheme the private key should be based on.
Available: rsa
, ec
, ed25519
, ed448
. Defaults to rsa
.
For rsa
, specifies the bitlength of the private key (2048, 3072, 4096).
For ec
, specifies the NIST curve to use (256, 384, 521).
Irrelevant for Edwards-curve schemes (ed25519
, ed448
).
Defaults to 2048 for RSA and 256 for EC.
If this is specified, the private key will be encrypted using this passphrase. The encryption algorithm cannot be selected, it will be determined automatically as the best available one.
Specify the encoding of the resulting private key. It can be returned
as a pem
string, base64-encoded der
or base64-encoded pkcs12
.
Defaults to pem
.
Some operating systems are incompatible with the encryption defaults
for PKCS12 used since OpenSSL v3. This switch triggers a fallback to
PBESv1SHA1And3KeyTripleDESCBC
.
Please consider the notes on PKCS12 encryption.
Instead of returning the private key, write it to this file path. Note that this does not use safe permissions and should be avoided.
Return the encoded raw bytes instead of a string. Defaults to false.
Create an encoded representation of a certificate, optionally including
other structures. This can be used to create certificate chains, convert
a certificate into a different encoding or embed the corresponding
private key (for pkcs12
).
CLI Example:
salt '*' x509.encode_certificate /etc/pki/my.crt pem /etc/pki/ca.crt
The certificate to encode.
Specify the encoding of the resulting certificate. It can be returned
as a pem
(or pkcs7_pem
) string or several (base64-encoded)
binary formats (der
, pkcs7_der
, pkcs12
). Defaults to pem
.
A list of additional certificates to encode with the new one, e.g. to create a CA chain.
Note
Mind that when der
encoding is in use, appending certificatees is prohibited.
For pkcs12
, the private key corresponding to the public key of the certificate
to be embedded.
For pkcs12
, if the private key to embed is encrypted, specify the corresponding
passphrase.
For pkcs12
, the container can be encrypted. Specify the passphrase to use here.
Mind that PKCS12 encryption should not be relied on for security purposes, see
note above in x509.create_certificate
.
OpenSSL 3 and cryptography v37 switched to a much more secure default encryption for PKCS12, which might be incompatible with some systems. This forces the legacy encryption. Defaults to False.
When encoding a certificate as pkcs12
, a name for the certificate can be included.
Return the encoded raw bytes instead of a string. Defaults to false.
Create an encoded representation of a certificate revocation list.
CLI Example:
salt '*' x509.encode_crl /etc/pki/my.crl der
The certificate revocation list to encode.
Specify the encoding of the resulting certificate revocation list.
It can be returned as a pem
string or base64-encoded der
.
Defaults to pem
.
Return the encoded raw bytes instead of a string. Defaults to false.
Create an encoded representation of a certificate signing request.
CLI Example:
salt '*' x509.encode_csr /etc/pki/my.csr der
The certificate signing request to encode.
Specify the encoding of the resulting certificate signing request.
It can be returned as a pem
string or base64-encoded der
.
Defaults to pem
.
Return the encoded raw bytes instead of a string. Defaults to false.
Create an encoded representation of a private key.
CLI Example:
salt '*' x509.encode_private_key /etc/pki/my.key der
The private key to encode.
Specify the encoding of the resulting private key. It can be returned
as a pem
string, base64-encoded der
and base64-encoded pkcs12
.
Defaults to pem
.
If this is specified, the private key will be encrypted using this passphrase. The encryption algorithm cannot be selected, it will be determined automatically as the best available one.
New in version 3006.2.
If the current private_key
is encrypted, the passphrase to
decrypt it.
Some operating systems are incompatible with the encryption defaults
for PKCS12 used since OpenSSL v3. This switch triggers a fallback to
PBESv1SHA1And3KeyTripleDESCBC
.
Please consider the notes on PKCS12 encryption.
Return the encoded raw bytes instead of a string. Defaults to false.
Returns a dict containing limited details of a certificate and whether the certificate has expired.
CLI Example:
salt '*' x509.expired /etc/pki/mycert.crt
The certificate to check.
Determine whether a certificate will expire or has expired already. Returns a boolean only.
CLI Example:
salt '*' x509.expires /etc/pki/my.crt days=7
The certificate to check.
If specified, determine expiration x days in the future.
Defaults to 0
, which checks for the current time.
Returns a dict containing PEM entries in files matching a glob.
CLI Example:
salt '*' x509.get_pem_entries "/etc/pki/*.crt"
A path representing certificates to be read and returned.
Returns a properly formatted PEM string from the input text, fixing any whitespace or line-break issues.
CLI Example:
salt '*' x509.get_pem_entry "-----BEGIN CERTIFICATE REQUEST-----MIICyzCC Ar8CAQI...-----END CERTIFICATE REQUEST"
Text containing the X509 PEM entry to be returned or path to a file containing the text.
If specified, this function will only return a pem of a certain type, for example 'CERTIFICATE' or 'CERTIFICATE REQUEST'.
Return information about the keysize of a private key (RSA/EC).
CLI Example:
salt '*' x509.get_private_key_size /etc/pki/my.key
The private key to check.
If private_key
is encrypted, the passphrase to decrypt it.
Returns a PEM-encoded public key derived from some reference. The reference should be a public key, certificate, private key or CSR.
CLI Example:
salt '*' x509.get_public_key /etc/pki/my.key
A reference to the structure to look the public key up for.
If key
is encrypted, the passphrase to decrypt it.
Returns the specified named signing policy.
CLI Example:
salt '*' x509.get_signing_policy www
The name of the signing policy to return.
If this is set, the CA server will be queried for the signing policy instead of looking it up locally.
Returns a dict containing details of a certificate.
CLI Example:
salt '*' x509.read_certificate /etc/pki/mycert.crt
The certificate to read.
Returns a dict containing details of all certificates matching a glob.
CLI Example:
salt '*' x509.read_certificates "/etc/pki/*.crt"
A path to certificates to be read and returned.
Returns a dict containing details of a certificate revocation list.
CLI Example:
salt '*' x509.read_crl /etc/pki/my.crl
The certificate revocation list to read.
Returns a dict containing details of a certificate signing request.
CLI Example:
salt '*' x509.read_csr /etc/pki/mycert.csr
The certificate signing request to read.
Request a certificate to be remotely signed according to a signing policy. This is mostly for internal use and does not make much sense on the CLI.
CLI Example:
salt '*' x509.sign_remote_certificate www kwargs="{'public_key': '/etc/pki/www.key'}"
The name of the signing policy to use. Required.
A dict containing all the arguments to be passed into the
x509.create_certificate
function.
Only return the named signing policy. Defaults to false.
Verify that a signature on a certificate revocation list was made by the private key corresponding to the public key associated with the specified certificate.
CLI Example:
salt '*' x509.verify_crl /etc/pki/my.crl /etc/pki/my.crt
The certificate revocation list to check the signature on.
The certificate (or any reference that can be passed
to get_public_key
) to retrieve the public key from.
Verify that a private key belongs to the specified public key.
CLI Example:
salt '*' x509.verify_private_key /etc/pki/my.key /etc/pki/my.crt
The private key to check.
The certificate (or any reference that can be passed
to get_public_key
) to retrieve the public key from.
If private_key
is encrypted, the passphrase to decrypt it.
Verify that a signature on a certificate was made by the private key corresponding to the public key associated with the specified certificate.
CLI Example:
salt '*' x509.verify_signature /etc/pki/my.key /etc/pki/my.crt
The certificate to check the signature on.
Any reference that can be passed to get_public_key
to retrieve
the public key of the signing entity from. If unspecified, will
take the public key of certificate
, i.e. verify a self-signed
certificate.
signing_pub_key_passphrase
If
signing_pub_key
is encrypted, the passphrase to decrypt it.
Returns a dict containing details of a certificate and whether the certificate will expire in the specified number of days.
CLI Example:
salt '*' x509.will_expire "/etc/pki/mycert.crt" days=30
The certificate to check.
The number of days in the future to check the validity for.
Writes out a PEM string, fixing any formatting or whitespace issues before writing.
CLI Example:
salt '*' x509.write_pem "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." path=/etc/pki/mycert.crt
PEM string input to be written out.
Path of the file to write the PEM out to.
If True
(default), write_pem will overwrite the entire PEM file.
Set to False
to preserve existing private keys and DH params that may
exist in the PEM file.
The PEM type to be saved, for example CERTIFICATE
or
PUBLIC KEY
. Adding this will allow the function to take
input that may contain multiple PEM types.