diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index c857b331e..4c7973cd0 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -18,7 +18,7 @@ include:
 pki_private_key:
 x509.private_key_managed:
 - name: /etc/pki/ca.key
- - bits: 4096
+ - keysize: 4096
 - passphrase:
 - cipher: aes_256_cbc
 - backup: True
@@ -39,7 +39,7 @@ pki_public_ca_crt:
 - keyUsage: "critical cRLSign, keyCertSign"
 - extendedkeyUsage: "serverAuth, clientAuth"
 - subjectKeyIdentifier: hash
- - authorityKeyIdentifier: keyid,issuer:always
+ - authorityKeyIdentifier: keyid:always, issuer
 - days_valid: 3650
 - days_remaining: 0
 - backup: True
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 4a521f12c..8d634abf2 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -52,7 +52,7 @@ influxdb_key:
 x509.private_key_managed:
 - name: /etc/pki/influxdb.key
 - CN: {{ GLOBALS.hostname }}
- - bits: 4096
+ - keysize: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
@@ -72,7 +72,7 @@ influxdb_crt:
 - name: /etc/pki/influxdb.crt
 - ca_server: {{ ca_server }}
 - signing_policy: influxdb
- - public_key: /etc/pki/influxdb.key
+ - private_key: /etc/pki/influxdb.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -102,7 +102,7 @@ redis_key:
 x509.private_key_managed:
 - name: /etc/pki/redis.key
 - CN: {{ GLOBALS.hostname }}
- - bits: 4096
+ - keysize: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
@@ -122,7 +122,7 @@ redis_crt:
 - ca_server: {{ ca_server }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - signing_policy: registry
- - public_key: /etc/pki/redis.key
+ - private_key: /etc/pki/redis.key
 - CN: {{ GLOBALS.hostname }}
 - days_remaining: 0
 - days_valid: 820
@@ -151,7 +151,7 @@ etc_elasticfleet_key:
 x509.private_key_managed:
 - name: /etc/pki/elasticfleet.key
 - CN: {{ COMMONNAME }}
- - bits: 4096
+ - keysize: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
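Review bot: `keysize: 4096` on `pki_private_key` in salt/ca/init.sls is only understood by the x509_v2 state; the legacy x509 state took `bits`, and as far as I recall it silently swallows an unknown `keysize` and falls back to its own default size rather than 4096. Because this is the CA key, I would add a comment above the argument, `# keysize is the x509_v2 name for bits; requires features: x509_v2 on this minion`, and the same applies to every `keysize` hunk in salt/ssl/init.sls. The unchanged `cipher: aes_256_cbc` beside an empty `passphrase:` also looks like a legacy leftover: with no passphrase the key is written unencrypted whatever the cipher says, so confirm that file mode and ownership are enforced elsewhere. The state continues outside the hunk.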
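Review bot: The new `authorityKeyIdentifier: keyid:always, issuer` on `pki_public_ca_crt` is not the same request as the old `keyid,issuer:always`: read the OpenSSL way, it forces the key id and makes issuer/serial a fallback, where the old value always embedded them. Since this changes an extension of the root certificate, it is worth confirming whether the managed state reissues the CA certificate on the next run; the key would be unchanged, but serial and fingerprint would not, so hosts holding a copy of the old CA file would need the new one. A comment such as `# AKI carries the key id; issuer/serial are no longer forced` would record the intent. The state starts and ends outside the hunk.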
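Review bot: `private_key: /etc/pki/influxdb.key` in `influxdb_crt` sits next to `ca_server`, and the state should say in a comment what leaves the minion now that the argument names the private key instead of `public_key`. My understanding is that x509_v2 derives the public key locally and sends only that to the CA, but nothing in the hunk shows it; once confirmed, `# only the public half of this key is sent to ca_server for signing` would do. The same comment fits the other `private_key` hunks (redis, elasticfleet, filebeat, registry, elasticsearch, managerssl, conf_filebeat). The state's body extends past the hunk.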
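Review bot: `redis_crt` requests `signing_policy: registry` rather than a policy of its own, and the two certificate hunks that use `/etc/pki/elasticsearch.key` (under `regkeyperms` and `chownfilebeatp8`) do the same. The commit does not change this, but as it already touches each of these states it is a good moment to confirm the sharing is intentional, because whatever the CA's `registry` policy permits then applies to all three services. If it is intended, a comment `# reuses the registry signing policy on purpose` would stop the next reader from wondering. The states extend beyond the hunks.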
@@ -171,7 +171,7 @@ etc_elasticfleet_crt:
 - name: /etc/pki/elasticfleet.crt
 - ca_server: {{ ca_server }}
 - signing_policy: elasticfleet
- - public_key: /etc/pki/elasticfleet.key
+ - private_key: /etc/pki/elasticfleet.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -233,7 +233,7 @@ etc_filebeat_key:
 x509.private_key_managed:
 - name: /etc/pki/filebeat.key
 - CN: {{ COMMONNAME }}
- - bits: 4096
+ - keysize: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
@@ -253,7 +253,7 @@ etc_filebeat_crt:
 - name: /etc/pki/filebeat.crt
 - ca_server: {{ ca_server }}
 - signing_policy: filebeat
- - public_key: /etc/pki/filebeat.key
+ - private_key: /etc/pki/filebeat.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -314,7 +314,7 @@ registry_key:
 x509.private_key_managed:
 - name: /etc/pki/registry.key
 - CN: {{ GLOBALS.manager }}
- - bits: 4096
+ - keysize: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
@@ -335,7 +335,7 @@ registry_crt:
 - ca_server: {{ ca_server }}
 - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }}
 - signing_policy: registry
- - public_key: /etc/pki/registry.key
+ - private_key: /etc/pki/registry.key
 - CN: {{ GLOBALS.manager }}
 - days_remaining: 0
 - days_valid: 820
@@ -362,7 +362,7 @@ regkeyperms:
 /etc/pki/elasticsearch.key:
 x509.private_key_managed:
 - CN: {{ COMMONNAME }}
- - bits: 4096
+ - keysize: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
@@ -380,7 +380,7 @@ regkeyperms:
 x509.certificate_managed:
 - ca_server: {{ ca_server }}
 - signing_policy: registry
- - public_key: /etc/pki/elasticsearch.key
+ - private_key: /etc/pki/elasticsearch.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -419,7 +419,7 @@ managerssl_key:
 x509.private_key_managed:
 - name: /etc/pki/managerssl.key
 - CN: {{ GLOBALS.manager }}
- - bits: 4096
+ - keysize: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
@@ -439,7 +439,7 @@ managerssl_crt:
 - name: /etc/pki/managerssl.crt
 - ca_server: {{ ca_server }}
 - signing_policy: managerssl
- - public_key: /etc/pki/managerssl.key
+ - private_key: /etc/pki/managerssl.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -477,7 +477,7 @@ conf_filebeat_key:
 x509.private_key_managed:
 - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
 - CN: {{ COMMONNAME }}
- - bits: 4096
+ - keysize: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
@@ -497,7 +497,7 @@ conf_filebeat_crt:
 - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
 - ca_server: {{ ca_server }}
 - signing_policy: filebeat
- - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
+ - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -543,7 +543,7 @@ chownfilebeatp8:
 /etc/pki/elasticsearch.key:
 x509.private_key_managed:
 - CN: {{ GLOBALS.manager }}
- - bits: 4096
+ - keysize: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
@@ -561,7 +561,7 @@ chownfilebeatp8:
 x509.certificate_managed:
 - ca_server: {{ ca_server }}
 - signing_policy: registry
- - public_key: /etc/pki/elasticsearch.key
+ - private_key: /etc/pki/elasticsearch.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
diff --git a/setup/so-functions b/setup/so-functions
index 70aefae1f..e97a04968 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -634,6 +634,8 @@ configure_minion() {
 printf '%s\n'\
 "use_superseded:"\
 " - module.run"\
+ "features:"\
+ " x509_v2: true"\
 "log_level: info"\
 "log_level_logfile: info"\
 "log_file: /opt/so/log/salt/minion" >> "$minion_config"
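Review bot: The `features:` / `x509_v2: true` lines are emitted only by `configure_minion`, which from the hunk looks like the setup-time writer of the minion config, so a minion installed before this commit would not receive the flag from here. The states changed in the same commit use `keysize` and `private_key`, which only the x509_v2 module understands, so the upgrade path needs to write the same two lines (on the CA host as well) before those states are applied. I would also add a comment above the `printf`, `# x509_v2 is required by salt/ca and salt/ssl (keysize/private_key arguments)`. `configure_minion` starts and ends outside the hunk.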