From 6945596eee64b1855d1d8022b051ed010b48001b Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 14 Sep 2022 08:10:42 -0400
Subject: [PATCH] Tweak elastic agent ssl gen
---
 salt/ca/files/signing_policies.conf | 5 ++---
 salt/ssl/init.sls | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf
index 1e05be006..cb57cc640 100644
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -57,7 +57,7 @@ x509_signing_policies:
 - extendedKeyUsage: serverAuth
 - days_valid: 820
 - copypath: /etc/pki/issued_certs/
- fleet:
+ elasticfleet:
 - minions: '*'
 - signing_private_key: /etc/pki/ca.key
 - signing_cert: /etc/pki/ca.crt
@@ -65,9 +65,8 @@ x509_signing_policies:
 - ST: Utah
 - L: Salt Lake City
 - basicConstraints: "critical CA:false"
- - keyUsage: "critical keyEncipherment"
+ - keyUsage: "digitalSignature, nonRepudiation"
 - subjectKeyIdentifier: hash
 - authorityKeyIdentifier: keyid,issuer:always
- - extendedKeyUsage: serverAuth
 - days_valid: 820
 - copypath: /etc/pki/issued_certs/
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 3be0e9711..7093ae912 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -176,7 +176,7 @@ etc_elasticfleet_crt:
 x509.certificate_managed:
 - name: /etc/pki/elasticfleet.crt
 - ca_server: {{ ca_server }}
- - signing_policy: fleet
+ - signing_policy: elasticfleet
 - public_key: /etc/pki/elasticfleet.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
@@ -214,7 +214,7 @@ chownilogstashelasticfleetp8:
 - group: 939
 # Create Symlinks to the keys so I can distribute it to all the things
-elasticfleetdir:
+elasticfleetdircerts:
 file.directory:
 - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs
 - makedirs: True
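Review bot: The `elasticfleet` policy in salt/ca/files/signing_policies.conf (hunk `@@ -65,9 +65,8 @@`) now issues certificates with no `extendedKeyUsage` and a non-critical `keyUsage`, so a certificate signed under it is no longer limited to a specific TLS role. The same policy accepts requests from `minions: '*'`, so the missing restriction applies to every minion that can reach this CA; restoring an explicit list keeps the certificate scoped, for example `- extendedKeyUsage: "serverAuth, clientAuth"` if the agent connection really needs both (which purposes Fleet needs is not visible here). Keeping the `critical` marker, as in `- keyUsage: "critical digitalSignature, nonRepudiation"`, makes relying parties enforce the usage bits, as RFC 5280 recommends; `nonRepudiation` is not used by a TLS handshake and could probably be dropped. The policy block starts and ends outside this hunk.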