WIP

2026-01-12 11:11:22 +01:00 · 2026-01-07 14:03:19 -06:00
63 changed files with 1209 additions and 1415 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.210
+2.4.0-foxtrot
--- a/pillar/ca/init.sls
+++ b/pillar/ca/init.sls
@@ -1,2 +0,0 @@
-ca:
-  server:
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,6 +1,5 @@
 base:
  '*':
-    - ca
    - global.soc_global
    - global.adv_global
    - docker.soc_docker
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -15,7 +15,11 @@
    'salt.minion-check',
    'sensoroni',
    'salt.lasthighstate',
-    'salt.minion',
+    'salt.minion'
+] %}
+
+{% set ssl_states = [
+    'ssl',
    'telegraf',
    'firewall',
    'schedule',
@@ -24,7 +28,7 @@

 {% set manager_states = [
    'salt.master',
-    'ca.server',
+    'ca',
    'registry',
    'manager',
    'nginx',
@@ -71,23 +75,28 @@
    {# Map role-specific states #}
    {% set role_states = {
        'so-eval': (
+            ssl_states +
            manager_states +
            sensor_states +
            elastic_stack_states | reject('equalto', 'logstash') | list
        ),
        'so-heavynode': (
+            ssl_states +
            sensor_states +
            ['elasticagent', 'elasticsearch', 'logstash', 'redis', 'nginx']
        ),
        'so-idh': (
+            ssl_states +
            ['idh']
        ),
        'so-import': (
+            ssl_states +
            manager_states +
            sensor_states | reject('equalto', 'strelka') | reject('equalto', 'healthcheck') | list +
            ['elasticsearch', 'elasticsearch.auth', 'kibana', 'kibana.secrets', 'strelka.manager']
        ),
        'so-manager': (
+            ssl_states +
            manager_states +
            ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] +
            stig_states +
@@ -95,6 +104,7 @@
            elastic_stack_states
        ),
        'so-managerhype': (
+            ssl_states +
            manager_states +
            ['salt.cloud', 'strelka.manager', 'hypervisor', 'libvirt'] +
            stig_states +
@@ -102,6 +112,7 @@
            elastic_stack_states
        ),
        'so-managersearch': (
+            ssl_states +
            manager_states +
            ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] +
            stig_states +
@@ -109,10 +120,12 @@
            elastic_stack_states
        ),
        'so-searchnode': (
+            ssl_states +
            ['kafka.ca', 'kafka.ssl', 'elasticsearch', 'logstash', 'nginx'] +
            stig_states
        ),
        'so-standalone': (
+            ssl_states +
            manager_states +
            ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users'] +
            sensor_states +
@@ -121,24 +134,29 @@
            elastic_stack_states
        ),
        'so-sensor': (
+            ssl_states +
            sensor_states +
            ['nginx'] +
            stig_states
        ),
        'so-fleet': (
+            ssl_states +
            stig_states +
            ['logstash', 'nginx', 'healthcheck', 'elasticfleet']
        ),
        'so-receiver': (
+            ssl_states +
            kafka_states +
            stig_states +
            ['logstash', 'redis']
        ),
        'so-hypervisor': (
+            ssl_states +
            stig_states +
            ['hypervisor', 'libvirt']
        ),
        'so-desktop': (
+            ['ssl', 'docker_clean', 'telegraf'] +
            stig_states
        )
    } %}
--- a/salt/ca/dirs.sls
+++ b/salt/ca/dirs.sls
@@ -0,0 +1,4 @@
+pki_issued_certs:
+  file.directory:
+    - name: /etc/pki/issued_certs
+    - makedirs: True
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -1,5 +1,5 @@
 x509_signing_policies:
-  general:
+  filebeat:
    - minions: '*'
    - signing_private_key: /etc/pki/ca.key
    - signing_cert: /etc/pki/ca.crt
@@ -12,3 +12,72 @@ x509_signing_policies:
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
+  registry:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "critical keyEncipherment"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: serverAuth
+    - days_valid: 820
+    - copypath: /etc/pki/issued_certs/
+  managerssl:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "critical keyEncipherment digitalSignature"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: serverAuth
+    - days_valid: 820
+    - copypath: /etc/pki/issued_certs/
+  influxdb:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "critical keyEncipherment"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: serverAuth
+    - days_valid: 820
+    - copypath: /etc/pki/issued_certs/
+  elasticfleet:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "digitalSignature, nonRepudiation"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - days_valid: 820
+    - copypath: /etc/pki/issued_certs/
+  kafka:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "digitalSignature, keyEncipherment"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: "serverAuth, clientAuth"
+    - days_valid: 820
+    - copypath: /etc/pki/issued_certs/
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -3,10 +3,70 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}

+
 include:
-{% if GLOBALS.is_manager %}
-  - ca.server
+  - ca.dirs
+
+/etc/salt/minion.d/signing_policies.conf:
+  file.managed:
+    - source: salt://ca/files/signing_policies.conf
+
+pki_private_key:
+  x509.private_key_managed:
+    - name: /etc/pki/ca.key
+    - keysize: 4096
+    - passphrase:
+    - backup: True
+    {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
+    - prereq:
+      - x509: /etc/pki/ca.crt
+    {%- endif %}
+
+pki_public_ca_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/ca.crt
+    - signing_private_key: /etc/pki/ca.key
+    - CN: {{ GLOBALS.manager }}
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:true"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - extendedkeyUsage: "serverAuth, clientAuth"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid:always, issuer
+    - days_valid: 3650
+    - days_remaining: 0
+    - backup: True
+    - replace: False
+    - require:
+      - sls: ca.dirs
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+mine_update_ca_crt:
+  module.run:
+    - mine.update: []
+    - onchanges:
+      - x509: pki_public_ca_crt
+
+cakeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/ca.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
 {% endif %}
-  - ca.trustca
--- a/salt/ca/map.jinja
+++ b/salt/ca/map.jinja
@@ -1,3 +0,0 @@
-{% set CA = {
-    'server': pillar.ca.server
-}%}
--- a/salt/ca/remove.sls
+++ b/salt/ca/remove.sls
@@ -1,35 +1,7 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% set setup_running = salt['cmd.retcode']('pgrep -x so-setup') == 0 %}
-
-{% if setup_running%}
-
-include:
-  - ssl.remove
-
-remove_pki_private_key:
+pki_private_key:
  file.absent:
    - name: /etc/pki/ca.key

-remove_pki_public_ca_crt:
+pki_public_ca_crt:
  file.absent:
    - name: /etc/pki/ca.crt
-
-remove_trusttheca:
-  file.absent:
-    - name: /etc/pki/tls/certs/intca.crt
-
-remove_pki_public_ca_crt_symlink:
-  file.absent:
-    - name: /opt/so/saltstack/local/salt/ca/files/ca.crt
-
-{% else %}
-
-so-setup_not_running:
-  test.show_notification:
-    - text: "This state is reserved for usage during so-setup."
-
-{% endif %}
--- a/salt/ca/server.sls
+++ b/salt/ca/server.sls
@@ -1,63 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-
-pki_private_key:
-  x509.private_key_managed:
-    - name: /etc/pki/ca.key
-    - keysize: 4096
-    - passphrase:
-    - backup: True
-    {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
-    - prereq:
-      - x509: /etc/pki/ca.crt
-    {%- endif %}
-
-pki_public_ca_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/ca.crt
-    - signing_private_key: /etc/pki/ca.key
-    - CN: {{ GLOBALS.manager }}
-    - C: US
-    - ST: Utah
-    - L: Salt Lake City
-    - basicConstraints: "critical CA:true"
-    - keyUsage: "critical cRLSign, keyCertSign"
-    - extendedkeyUsage: "serverAuth, clientAuth"
-    - subjectKeyIdentifier: hash
-    - authorityKeyIdentifier: keyid:always, issuer
-    - days_valid: 3650
-    - days_remaining: 7
-    - backup: True
-    - replace: False
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-pki_public_ca_crt_symlink:
-  file.symlink:
-    - name: /opt/so/saltstack/local/salt/ca/files/ca.crt
-    - target: /etc/pki/ca.crt
-    - require:
-      - x509: pki_public_ca_crt
-
-cakeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/ca.key
-    - mode: 640
-    - group: 939
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/ca/signing_policy.sls
+++ b/salt/ca/signing_policy.sls
@@ -1,15 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-# when the salt-minion signs the cert, a copy is stored here
-issued_certs_copypath:
-  file.directory:
-    - name: /etc/pki/issued_certs
-    - makedirs: True
-
-signing_policy:
-  file.managed:
-    - name: /etc/salt/minion.d/signing_policies.conf
-    - source: salt://ca/files/signing_policies.conf
--- a/salt/ca/trustca.sls
+++ b/salt/ca/trustca.sls
@@ -1,30 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-include:
-  - docker
-
-cacertdir:
-  file.directory:
-    - name: /etc/pki/tls/certs
-    - makedirs: True
-
-# Trust the CA
-trusttheca:
-  file.managed:
-    - name: /etc/pki/tls/certs/intca.crt
-    - source: salt://ca/files/ca.crt
-    - watch_in:
-      - service: docker_running
-    - show_changes: False
-
-{% if GLOBALS.os_family == 'Debian' %}
-symlinkca:
-  file.symlink:
-    - target: /etc/pki/tls/certs/intca.crt
-    - name: /etc/ssl/certs/intca.crt
-{% endif %}
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -177,7 +177,7 @@ so-status_script:
    - source: salt://common/tools/sbin/so-status
    - mode: 755

-{% if GLOBALS.is_sensor %}
+{% if GLOBALS.role in GLOBALS.sensor_roles %}
 # Add sensor cleanup
 so-sensor-clean:
  cron.present:
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -554,36 +554,21 @@ run_check_net_err() {
 }

 wait_for_salt_minion() {
-    local minion="$1"
-    local max_wait="${2:-30}"
-    local interval="${3:-2}"
-    local logfile="${4:-'/dev/stdout'}"
-    local elapsed=0
-
-	echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Waiting for salt-minion '$minion' to be ready..." | tee -a "$logfile"
-
-    while [ $elapsed -lt $max_wait ]; do
-        # Check if service is running
-        if ! systemctl is-active --quiet salt-minion; then
-            echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion service not running (elapsed: ${elapsed}s)" | tee -a "$logfile"
-            sleep $interval
-            elapsed=$((elapsed + interval))
-            continue
-        fi
-        
-        # Check if minion responds to ping
-        if salt "$minion" test.ping --timeout=3 --out=json 2>> "$logfile" | grep -q "true"; then
-            echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion '$minion' is connected and ready!" | tee -a "$logfile"
-            return 0
-        fi
-        
-        echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Waiting... (${elapsed}s / ${max_wait}s)" | tee -a "$logfile"
-        sleep $interval
-        elapsed=$((elapsed + interval))
-    done
-
-    echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - ERROR: salt-minion '$minion' not ready after $max_wait seconds" | tee -a "$logfile"
-    return 1
+	local minion="$1"
+	local timeout="${2:-5}"
+	local logfile="${3:-'/dev/stdout'}"
+	retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$logfile" 2>&1 || fail
+	local attempt=0
+	# each attempts would take about 15 seconds
+	local maxAttempts=20
+	until check_salt_minion_status "$minion" "$timeout" "$logfile"; do
+		attempt=$((attempt+1))
+		if [[ $attempt -eq $maxAttempts ]]; then
+			return 1
+		fi
+		sleep 10
+	done
+	return 0
 }

 salt_minion_count() {
--- a/salt/desktop/trusted-ca.sls
+++ b/salt/desktop/trusted-ca.sls
@@ -3,16 +3,29 @@
 {# we only want this state to run it is CentOS #}
 {% if GLOBALS.os == 'OEL' %}

+  {% set global_ca_text = [] %}
+  {% set global_ca_server = [] %}
+  {% set manager = GLOBALS.manager %}
+  {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
+    {% for host in x509dict %}
+      {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import', 'eval'] %}
+        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
+        {% do global_ca_server.append(host) %}
+      {% endif %}
+    {% endfor %}
+  {% set trusttheca_text = global_ca_text[0] %}
+  {% set ca_server = global_ca_server[0] %}
+
 trusted_ca:
-  file.managed:
+  x509.pem_managed:
    - name: /etc/pki/ca-trust/source/anchors/ca.crt
-    - source: salt://ca/files/ca.crt
+    - text:  {{ trusttheca_text }}

 update_ca_certs:
  cmd.run:
    - name: update-ca-trust
    - onchanges:
-      - file: trusted_ca
+      - x509: trusted_ca

 {% else %}

--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -6,9 +6,9 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}

-# docker service requires the ca.crt
+# include ssl since docker service requires the intca
 include:
-  - ca
+  - ssl

 dockergroup:
  group.present:
@@ -89,9 +89,10 @@ docker_running:
    - enable: True
    - watch:
      - file: docker_daemon
+      - x509: trusttheca
    - require:
      - file: docker_daemon
-      - file: trusttheca
+      - x509: trusttheca


 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -9,7 +9,6 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}

 include:
-  - ca
  - elasticagent.config
  - elasticagent.sostatus

@@ -56,10 +55,8 @@ so-elastic-agent:
      {% endif %}
    - require:
      - file: create-elastic-agent-config
-      - file: trusttheca
    - watch:
      - file: create-elastic-agent-config
-      - file: trusttheca

 delete_so-elastic-agent_so-status.disabled:
  file.uncomment:
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -13,11 +13,9 @@
 {%   set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}

 include:
-  - ca
-  - logstash.ssl
-  - elasticfleet.ssl
  - elasticfleet.config
  - elasticfleet.sostatus
+  - ssl

 {% if grains.role not in ['so-fleet'] %}
 # Wait for Elasticsearch to be ready - no reason to try running Elastic Fleet server if ES is not ready
@@ -135,11 +133,6 @@ so-elastic-fleet:
        {% endfor %}
      {% endif %}
    - watch:
-      - file: trusttheca
-      - x509: etc_elasticfleet_key
-      - x509: etc_elasticfleet_crt
-    - require:
-      - file: trusttheca
      - x509: etc_elasticfleet_key
      - x509: etc_elasticfleet_crt
 {%   endif %}
--- a/salt/elasticfleet/ssl.sls
+++ b/salt/elasticfleet/ssl.sls
@@ -1,186 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
-{%   from 'ca/map.jinja' import CA %}
-
-{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
-
-{% if grains['role'] not in [ 'so-heavynode', 'so-receiver'] %}
-# Start -- Elastic Fleet Host Cert
-etc_elasticfleet_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-server.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-server.key') -%}
-    - prereq:
-      - x509: etc_elasticfleet_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleet_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-server.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/elasticfleet-server.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-efperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-server.key
-    - mode: 640
-    - group: 939
-
-chownelasticfleetcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-server.crt
-    - mode: 640
-    - user: 947
-    - group: 939
-
-chownelasticfleetkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-server.key
-    - mode: 640
-    - user: 947
-    - group: 939
-# End -- Elastic Fleet Host Cert
-{% endif %} # endif is for not including HeavyNodes & Receivers 
-
-
-# Start -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
-etc_elasticfleet_agent_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-agent.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%}
-    - prereq:
-      - x509: etc_elasticfleet_agent_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleet_agent_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-agent.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/elasticfleet-agent.key
-    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_elasticfleet_agent_key
-
-efagentperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-agent.key
-    - mode: 640
-    - group: 939
-
-chownelasticfleetagentcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-agent.crt
-    - mode: 640
-    - user: 947
-    - group: 939
-
-chownelasticfleetagentkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-agent.key
-    - mode: 640
-    - user: 947
-    - group: 939
-# End -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
-
-{% endif %}
-
-{% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone'] %}
-elasticfleet_kafka_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-kafka.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-kafka.key') -%}
-    - prereq:
-      - x509: elasticfleet_kafka_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-elasticfleet_kafka_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-kafka.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/elasticfleet-kafka.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-elasticfleet_kafka_cert_perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-kafka.crt
-    - mode: 640
-    - user: 947
-    - group: 939
-
-elasticfleet_kafka_key_perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-kafka.key
-    - mode: 640
-    - user: 947
-    - group: 939
-{% endif %}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/elasticsearch/ca.sls
+++ b/salt/elasticsearch/ca.sls
@@ -26,14 +26,14 @@ catrustscript:
        GLOBALS: {{ GLOBALS }}
 {%   endif %}

-elasticsearch_cacerts:
+cacertz:
  file.managed:
    - name: /opt/so/conf/ca/cacerts
    - source: salt://elasticsearch/cacerts
    - user: 939
    - group: 939

-elasticsearch_capems:
+capemz:
  file.managed:
    - name: /opt/so/conf/ca/tls-ca-bundle.pem
    - source: salt://elasticsearch/tls-ca-bundle.pem
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -5,6 +5,11 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - ssl
+  - elasticsearch.ca
+
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}

--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -14,9 +14,6 @@
 {%   from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %}

 include:
-  - ca
-  - elasticsearch.ca
-  - elasticsearch.ssl
  - elasticsearch.config
  - elasticsearch.sostatus

@@ -64,7 +61,11 @@ so-elasticsearch:
      - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
      - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
      - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro
+      {% if GLOBALS.is_manager %}
+      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
+      {% else %}
      - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
+      {% endif %}
      - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
      - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
      - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
@@ -81,21 +82,22 @@ so-elasticsearch:
        {% endfor %}
      {% endif %}
    - watch:
-      - file: trusttheca
-      - x509: elasticsearch_crt
-      - x509: elasticsearch_key
-      - file: elasticsearch_cacerts
+      - file: cacertz
      - file: esyml
    - require:
-      - file: trusttheca
-      - x509: elasticsearch_crt
-      - x509: elasticsearch_key
-      - file: elasticsearch_cacerts
      - file: esyml
      - file: eslog4jfile
      - file: nsmesdir
      - file: eslogdir
+      - file: cacertz
+      - x509: /etc/pki/elasticsearch.crt
+      - x509: /etc/pki/elasticsearch.key
      - file: elasticp12perms
+      {% if GLOBALS.is_manager %}
+      - x509: pki_public_ca_crt
+      {% else %}
+      - x509: trusttheca
+      {% endif %}
      - cmd: auth_users_roles_inode
      - cmd: auth_users_inode

--- a/salt/elasticsearch/ssl.sls
+++ b/salt/elasticsearch/ssl.sls
@@ -1,66 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'ca/map.jinja' import CA %}
-
-# Create a cert for elasticsearch
-elasticsearch_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticsearch.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
-    - prereq:
-      - x509: /etc/pki/elasticsearch.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-elasticsearch_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticsearch.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/elasticsearch.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
-    - onchanges:
-      - x509: /etc/pki/elasticsearch.key
-
-elastickeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.key
-    - mode: 640
-    - group: 930
-    
-elasticp12perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.p12
-    - mode: 640
-    - group: 930
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load
+++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load
@@ -121,7 +121,7 @@ if [ ! -f $STATE_FILE_SUCCESS ]; then
    echo "Loading Security Onion index templates..."
    shopt -s extglob
    {% if GLOBALS.role == 'so-heavynode' %}
-    pattern="!(*1password*|*aws*|*azure*|*cloudflare*|*elastic_agent*|*fim*|*github*|*google*|*osquery*|*system*|*windows*|*endpoint*|*elasticsearch*|*generic*|*fleet_server*|*soc*)"
+    pattern="!(*1password*|*aws*|*azure*|*cloudflare*|*elastic_agent*|*fim*|*github*|*google*|*osquery*|*system*|*windows*)"
    {% else %}
    pattern="*"
    {% endif %}
--- a/salt/influxdb/config.sls
+++ b/salt/influxdb/config.sls
@@ -9,6 +9,7 @@

 include:
  - salt.minion
+  - ssl
  
 # Influx DB
 influxconfdir:
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -11,7 +11,6 @@
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}

 include:
-  - influxdb.ssl
  - influxdb.config
  - influxdb.sostatus

@@ -60,8 +59,6 @@ so-influxdb:
    {% endif %}
    - watch:
      - file: influxdbconf
-      - x509: influxdb_key
-      - x509: influxdb_crt
    - require:
      - file: influxdbconf
      - x509: influxdb_key
--- a/salt/influxdb/ssl.sls
+++ b/salt/influxdb/ssl.sls
@@ -1,55 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'ca/map.jinja' import CA %}
-
-influxdb_key:
-  x509.private_key_managed:
-    - name: /etc/pki/influxdb.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
-    - prereq:
-      - x509: /etc/pki/influxdb.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Create a cert for the talking to influxdb
-influxdb_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/influxdb.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/influxdb.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-influxkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/influxdb.key
-    - mode: 640
-    - group: 939
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -68,8 +68,6 @@ so-kafka:
      - file: kafka_server_jaas_properties
      {% endif %}
      - file: kafkacertz
-      - x509: kafka_client_crt
-      - file: kafka_pkcs12_perms
    - require:
      - file: kafkacertz

@@ -97,4 +95,4 @@ include:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed

-{% endif %}
+{% endif %}
--- a/salt/kafka/ssl.sls
+++ b/salt/kafka/ssl.sls
@@ -6,11 +6,18 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states or sls in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'ca/map.jinja' import CA %}
 {%   set kafka_password = salt['pillar.get']('kafka:config:password') %}

 include:
-  - ca
+  - ca.dirs
+    {% set global_ca_server = [] %}
+    {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %}
+    {% for host in x509dict %}
+      {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
+        {% do global_ca_server.append(host) %}
+      {% endif %}
+    {% endfor %}
+    {% set ca_server = global_ca_server[0] %}

 {% if GLOBALS.pipeline == "KAFKA" %}

@@ -32,12 +39,12 @@ kafka_client_key:
 kafka_client_crt:
  x509.certificate_managed:
    - name: /etc/pki/kafka-client.crt
-    - ca_server: {{ CA.server }}
+    - ca_server: {{ ca_server }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - signing_policy: general
+    - signing_policy: kafka
    - private_key: /etc/pki/kafka-client.key
    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
+    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - timeout: 30
@@ -80,12 +87,12 @@ kafka_key:
 kafka_crt:
  x509.certificate_managed:
    - name: /etc/pki/kafka.crt
-    - ca_server: {{ CA.server }}
+    - ca_server: {{ ca_server }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - signing_policy: general
+    - signing_policy: kafka
    - private_key: /etc/pki/kafka.key
    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
+    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - timeout: 30
@@ -96,7 +103,6 @@ kafka_crt:
    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka.key -in /etc/pki/kafka.crt -export -out /etc/pki/kafka.p12 -nodes -passout pass:{{ kafka_password }}"
    - onchanges:
      - x509: /etc/pki/kafka.key
-
 kafka_key_perms:
  file.managed:
    - replace: False
@@ -142,12 +148,12 @@ kafka_logstash_key:
 kafka_logstash_crt:
  x509.certificate_managed:
    - name: /etc/pki/kafka-logstash.crt
-    - ca_server: {{ CA.server }}
+    - ca_server: {{ ca_server }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - signing_policy: general
+    - signing_policy: kafka
    - private_key: /etc/pki/kafka-logstash.key
    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
+    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - timeout: 30
@@ -192,4 +198,4 @@ kafka_logstash_pkcs12_perms:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed

-{% endif %}
+{% endif %}
--- a/salt/logstash/config.sls
+++ b/salt/logstash/config.sls
@@ -11,6 +11,7 @@
 {%   set ASSIGNED_PIPELINES = LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}

 include:
+  - ssl
  {% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
  - elasticsearch
  {% endif %}
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -12,7 +12,6 @@
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}

 include:
-  - ca
 {%   if GLOBALS.role not in ['so-receiver','so-fleet'] %}
  - elasticsearch.ca
 {%   endif %}
@@ -21,9 +20,9 @@ include:
  - kafka.ca
  - kafka.ssl
 {%   endif %}
-  - logstash.ssl
  - logstash.config
  - logstash.sostatus
+  - ssl

 so-logstash:
  docker_container.running:
@@ -66,18 +65,22 @@ so-logstash:
      - /opt/so/log/logstash:/var/log/logstash:rw
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro
-      - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
+      {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
+      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
+      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
+      {% endif %}
      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %}
      - /etc/pki/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro
      - /etc/pki/elasticfleet-logstash.key:/usr/share/logstash/elasticfleet-logstash.key:ro
      - /etc/pki/elasticfleet-lumberjack.crt:/usr/share/logstash/elasticfleet-lumberjack.crt:ro
      - /etc/pki/elasticfleet-lumberjack.key:/usr/share/logstash/elasticfleet-lumberjack.key:ro
-          {% if GLOBALS.role != 'so-fleet' %}
-      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
-      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
-          {% endif %}
      {% endif %}
-      {% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
+      {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %}
+      - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
+      {% else %}
+      - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
+      {% endif %}
+      {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode' ] %}
      - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
      - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
      {% endif %}
@@ -97,22 +100,11 @@ so-logstash:
        {% endfor %}
      {% endif %}
    - watch:
-      - file: lsetcsync
-      - file: trusttheca
-      {% if GLOBALS.is_manager %}
-      - file: elasticsearch_cacerts
-      - file: elasticsearch_capems
-      {% endif %}
-      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %}
-      - x509: etc_elasticfleet_logstash_crt
+      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-receiver'] %}
      - x509: etc_elasticfleet_logstash_key
-      - x509: etc_elasticfleetlumberjack_crt
-      - x509: etc_elasticfleetlumberjack_key
-        {% if GLOBALS.role != 'so-fleet' %}
-      - x509: etc_filebeat_crt
-      - file: logstash_filebeat_p8
-        {% endif %}
+      - x509: etc_elasticfleet_logstash_crt
      {% endif %}
+      - file: lsetcsync
      {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
      - file: ls_pipeline_{{assigned_pipeline}}
        {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
@@ -123,20 +115,17 @@ so-logstash:
      - file: kafkacertz
      {% endif %}
    - require:
-      - file: trusttheca
-      {% if GLOBALS.is_manager %}
-      - file: elasticsearch_cacerts
-      - file: elasticsearch_capems
-      {% endif %}
-      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %}
-      - x509: etc_elasticfleet_logstash_crt
-      - x509: etc_elasticfleet_logstash_key
-      - x509: etc_elasticfleetlumberjack_crt
-      - x509: etc_elasticfleetlumberjack_key
-        {% if GLOBALS.role != 'so-fleet' %}
+      {% if grains['role'] in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
      - x509: etc_filebeat_crt
-      - file: logstash_filebeat_p8
-        {% endif %}
+      {% endif %}
+      {% if grains['role'] in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %}
+      - x509: pki_public_ca_crt
+      {% else %}
+      - x509: trusttheca
+      {% endif %}
+      {% if grains.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %}
+      - file: cacertz
+      - file: capemz
      {% endif %}
      {% if GLOBALS.pipeline == 'KAFKA' and GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-searchnode'] %}
      - file: kafkacertz
--- a/salt/logstash/ssl.sls
+++ b/salt/logstash/ssl.sls
@@ -1,287 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
-{%   from 'ca/map.jinja' import CA %}
-
-{%   if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
-
-{%     if grains['role'] not in [ 'so-heavynode'] %}
-# Start -- Elastic Fleet Logstash Input Cert
-etc_elasticfleet_logstash_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-logstash.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%}
-    - prereq:
-      - x509: etc_elasticfleet_logstash_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleet_logstash_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-logstash.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/elasticfleet-logstash.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_elasticfleet_logstash_key
-
-eflogstashperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-logstash.key
-    - mode: 640
-    - group: 939
-
-chownelasticfleetlogstashcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-logstash.crt
-    - mode: 640
-    - user: 931
-    - group: 939
-
-chownelasticfleetlogstashkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-logstash.key
-    - mode: 640
-    - user: 931
-    - group: 939
-# End -- Elastic Fleet Logstash Input Cert
-{%     endif %} # endif is for not including HeavyNodes 
-
-# Start -- Elastic Fleet Node - Logstash Lumberjack Input / Output
-# Cert needed on: Managers, Receivers
-etc_elasticfleetlumberjack_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-lumberjack.key
-    - bits: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%}
-    - prereq:
-      - x509: etc_elasticfleetlumberjack_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleetlumberjack_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-lumberjack.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/elasticfleet-lumberjack.key
-    - CN: {{ GLOBALS.node_ip }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_elasticfleetlumberjack_key
-
-eflogstashlumberjackperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.key
-    - mode: 640
-    - group: 939
-
-chownilogstashelasticfleetlumberjackp8:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.p8
-    - mode: 640
-    - user: 931
-    - group: 939
-
-chownilogstashelasticfleetlogstashlumberjackcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.crt
-    - mode: 640
-    - user: 931
-    - group: 939
-
-chownilogstashelasticfleetlogstashlumberjackkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.key
-    - mode: 640
-    - user: 931
-    - group: 939
-# End -- Elastic Fleet Node - Logstash Lumberjack Input / Output
-{%   endif %}
-
-{%   if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-receiver'] %}
-etc_filebeat_key:
-  x509.private_key_managed:
-    - name: /etc/pki/filebeat.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
-    - prereq:
-      - x509: etc_filebeat_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Request a cert and drop it where it needs to go to be distributed
-etc_filebeat_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/filebeat.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/filebeat.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_filebeat_key
-
-fbperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/filebeat.key
-    - mode: 640
-    - group: 939
-
-logstash_filebeat_p8:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/filebeat.p8
-    - mode: 640
-    - user: 931
-    - group: 939
-
-{%     if grains.role not in ['so-heavynode', 'so-receiver'] %}
-# Create Symlinks to the keys so I can distribute it to all the things
-filebeatdir:
-  file.directory:
-    - name: /opt/so/saltstack/local/salt/filebeat/files
-    - makedirs: True
-
-fbkeylink:
-  file.symlink:
-    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8
-    - target: /etc/pki/filebeat.p8
-    - user: socore
-    - group: socore
-
-fbcrtlink:
-  file.symlink:
-    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt
-    - target: /etc/pki/filebeat.crt
-    - user: socore
-    - group: socore
-
-{%     endif %}
-{%   endif %}
-
-{%   if GLOBALS.is_manager or GLOBALS.role in ['so-sensor', 'so-searchnode', 'so-heavynode', 'so-fleet', 'so-idh', 'so-receiver'] %}
-   
-fbcertdir:
-  file.directory:
-    - name: /opt/so/conf/filebeat/etc/pki
-    - makedirs: True
-
-conf_filebeat_key:
-  x509.private_key_managed:
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
-    - prereq:
-      - x509: conf_filebeat_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Request a cert and drop it where it needs to go to be distributed
-conf_filebeat_crt:
-  x509.certificate_managed:
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Convert the key to pkcs#8 so logstash will work correctly.
-filebeatpkcs:
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
-    - onchanges:
-      - x509: conf_filebeat_key
-
-filebeatkeyperms:
-  file.managed:
-    - replace: False
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - mode: 640
-    - group: 939
-
-chownfilebeatp8:
-  file.managed:
-    - replace: False
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.p8
-    - mode: 640
-    - user: 931
-    - group: 939
-    
-{%   endif %}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/manager/elasticsearch.sls
+++ b/salt/manager/elasticsearch.sls
@@ -1,8 +1,3 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
 elastic_curl_config_distributed:
  file.managed:
    - name: /opt/so/saltstack/local/salt/elasticsearch/curl.config
--- a/salt/manager/kibana.sls
+++ b/salt/manager/kibana.sls
@@ -1,8 +1,3 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
 kibana_curl_config_distributed:
  file.managed:
    - name: /opt/so/conf/kibana/curl.config
@@ -10,4 +5,4 @@ kibana_curl_config_distributed:
    - template: jinja
    - mode: 600
    - show_changes: False
-    - makedirs: True
+    - makedirs: True
--- a/salt/manager/sync_es_users.sls
+++ b/salt/manager/sync_es_users.sls
@@ -1,8 +1,3 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
 include:
  - elasticsearch.auth
  - kratos
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -716,18 +716,6 @@ function checkMine() {
 	}
 }

-function create_ca_pillar() {
-	local capillar=/opt/so/saltstack/local/pillar/ca/init.sls
-    printf '%s\n'\
-    "ca:"\
-    "  server: $MINION_ID"\
-	"  " > $capillar
-    if [ $? -ne 0 ]; then
-        log "ERROR" "Failed to add $MINION_ID to $capillar"
-        return 1
-    fi
-}
-
 function createEVAL() {
 	log "INFO" "Creating EVAL configuration for minion $MINION_ID"
 	is_pcaplimit=true
@@ -1025,7 +1013,6 @@ function setupMinionFiles() {
 	managers=("EVAL" "STANDALONE" "IMPORT" "MANAGER" "MANAGERSEARCH")
 	if echo "${managers[@]}" | grep -qw "$NODETYPE"; then
 		add_sensoroni_with_analyze_to_minion || return 1
-		create_ca_pillar || return 1
 	else
 		add_sensoroni_to_minion || return 1
 	fi
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -325,19 +325,6 @@ clone_to_tmp() {
  fi
 }

-# there is a function like this in so-minion, but we cannot source it since args required for so-minion
-create_ca_pillar() {
-  local ca_pillar_dir="/opt/so/saltstack/local/pillar/ca"
-  local ca_pillar_file="${ca_pillar_dir}/init.sls"
-
-  echo "Updating CA pillar configuration"
-  mkdir -p "$ca_pillar_dir"
-  echo "ca: {}" > "$ca_pillar_file"
-
-  so-yaml.py add "$ca_pillar_file" ca.server "$MINIONID"
-  chown -R socore:socore "$ca_pillar_dir"
-}
-
 disable_logstash_heavynodes() {
  c=0
  printf "\nChecking for heavynodes and disabling Logstash if they exist\n"
@@ -381,6 +368,7 @@ masterlock() {
  echo "base:" > $TOPFILE
  echo "  $MINIONID:" >> $TOPFILE
  echo "    - ca" >> $TOPFILE
+  echo "    - ssl" >> $TOPFILE
  echo "    - elasticsearch" >> $TOPFILE
 }

@@ -446,7 +434,6 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190
    [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
    [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.210
-    [[ "$INSTALLEDVERSION" == 2.4.210 ]] && up_to_2.4.220
    true
 }

@@ -480,7 +467,6 @@ postupgrade_changes() {
    [[ "$POSTVERSION"  == 2.4.180 ]] && post_to_2.4.190
    [[ "$POSTVERSION"  == 2.4.190 ]] && post_to_2.4.200
    [[ "$POSTVERSION"  == 2.4.200 ]] && post_to_2.4.210
-    [[ "$POSTVERSION"  == 2.4.210 ]] && post_to_2.4.220    
    true
 }

@@ -675,11 +661,6 @@ post_to_2.4.210() {
  POSTVERSION=2.4.210
 }

-post_to_2.4.220() {
-  echo "Nothing to apply"
-  POSTVERSION=2.4.220
-}
-
 repo_sync() {
  echo "Sync the local repo."
  su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -961,12 +942,6 @@ up_to_2.4.210() {
  INSTALLEDVERSION=2.4.210
 }

-up_to_2.4.220() {
-  create_ca_pillar
-
-  INSTALLEDVERSION=2.4.220
-}
-
 add_hydra_pillars() {
  mkdir -p /opt/so/saltstack/local/pillar/hydra
  touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
@@ -1706,11 +1681,9 @@ verify_es_version_compatibility() {
        create_intermediate_upgrade_verification_script $es_verification_script
    fi

-    local es_required_version_statefile_value=$(cat $es_required_version_statefile)
-    echo -e "\n##############################################################################################################################\n"
-    echo "A previously required intermediate Elasticsearch upgrade was detected. Verifying that all Searchnodes/Heavynodes have successfully upgraded Elasticsearch to $es_required_version_statefile_value before proceeding with soup to avoid potential data loss!"
    # create script using version in statefile
-    timeout --foreground 4000 bash "$es_verification_script" "$es_required_version_statefile_value" "$es_required_version_statefile"
+    local es_required_version_statefile_value=$(cat $es_required_version_statefile)
+    timeout --foreground 3600 bash "$es_verification_script" "$es_required_version_statefile_value" "$es_required_version_statefile"
    if [[ $? -ne 0 ]]; then
        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"

@@ -1719,7 +1692,7 @@ verify_es_version_compatibility() {
        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
        exit 161
    fi
-    echo -e "\n##############################################################################################################################\n"
+
  fi

  if [[ " ${es_upgrade_map[$es_version]} " =~ " $target_es_version " || "$es_version" == "$target_es_version" ]]; then
@@ -1755,7 +1728,7 @@ verify_es_version_compatibility() {
      exec bash -c "BRANCH=$next_step_so_version soup -y && BRANCH=$next_step_so_version soup -y && \
       echo -e \"\n##############################################################################################################################\n\" && \
       echo -e \"Verifying Elasticsearch was successfully upgraded to ${compatible_versions##* } across the grid. This part can take a while as Searchnodes/Heavynodes sync up with the Manager! \n\nOnce verification completes the next soup will begin automatically. If verification takes longer than 1 hour it will stop waiting and your grid will remain at $next_step_so_version. Allowing for all Searchnodes/Heavynodes to upgrade Elasticsearch to the required version on their own time.\n\" \
-       && timeout --foreground 4000 bash /tmp/so_intermediate_upgrade_verification.sh ${compatible_versions##* } $es_required_version_statefile && \
+       && timeout --foreground 3600 bash /tmp/so_intermediate_upgrade_verification.sh ${compatible_versions##* } $es_required_version_statefile && \
       echo -e \"\n##############################################################################################################################\n\" \
       && BRANCH=$originally_requested_so_version soup -y && BRANCH=$originally_requested_so_version soup -y"
    fi
@@ -1797,10 +1770,10 @@ create_intermediate_upgrade_verification_script() {
        local retries=20
        local retry_count=0
        local delay=180
-
+        local success=1
        while [[ $retry_count -lt $retries ]]; do
            # keep stderr with variable for logging
-            heavynode_versions=$(salt -C 'G@role:so-heavynode' cmd.run 'so-elasticsearch-query / --retry 3 --retry-delay 10 | jq ".version.number"' shell=/bin/bash --out=json 2> /dev/null)
+            heavynode_versions=$(salt -C 'G@role:so-heavynode' cmd.run 'so-elasticsearch-query / --retry 3 --retry-delay 10 | jq ".version.number"' shell=/bin/bash --out=json 2>&1)
            local exit_status=$?

            # Check that all heavynodes returned good data
@@ -1816,7 +1789,7 @@ create_intermediate_upgrade_verification_script() {

                    return 0
                else
-                    echo "One or more heavynodes are not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                    echo "One or more heavynodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries."
                    ((retry_count++))
                    sleep $delay

@@ -1841,10 +1814,11 @@ create_intermediate_upgrade_verification_script() {
        local retries=20
        local retry_count=0
        local delay=180
+        local success=1

        while [[ $retry_count -lt $retries ]]; do
            # keep stderr with variable for logging
-            cluster_versions=$(so-elasticsearch-query _nodes/_all/version --retry 5 --retry-delay 10 --fail 2>&1)
+            cluster_versions=$(so-elasticsearch-query _nodes/_all/version --retry 5 --retry-delay 10 2>&1)
            local exit_status=$?

            if [[ $exit_status -ne 0 ]]; then
@@ -1921,7 +1895,7 @@ apply_hotfix() {
      mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
      mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
      systemctl_func "start" "salt-minion"
-      (wait_for_salt_minion "$MINIONID" "120" "4" "$SOUP_LOG" || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
+      (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
    fi
  else
   echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
@@ -2120,7 +2094,7 @@ main() {
    echo ""
    echo "Running a highstate. This could take several minutes."
    set +e
-    (wait_for_salt_minion "$MINIONID" "120" "4" "$SOUP_LOG" || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
+    (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
    highstate
    set -e

@@ -2133,7 +2107,7 @@ main() {
    check_saltmaster_status

    echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
-    (wait_for_salt_minion "$MINIONID" "120" "4" "$SOUP_LOG" || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
+    (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"

    # Stop long-running scripts to allow potentially updated scripts to load on the next execution.
    killall salt-relay.sh
--- a/salt/nginx/config.sls
+++ b/salt/nginx/config.sls
@@ -6,6 +6,9 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}

+include:
+  - ssl
+
 # Drop the correct nginx config based on role
 nginxconfdir:
  file.directory:
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -8,14 +8,81 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'nginx/map.jinja' import NGINXMERGED %}
+{%   set ca_server = GLOBALS.minion_id %}

 include:
-  - nginx.ssl
  - nginx.config
  - nginx.sostatus

-{%   if GLOBALS.role != 'so-fleet' %}
-{%     set container_config = 'so-nginx' %}
+
+{%   if grains.role not in ['so-fleet'] %}
+
+{#   if the user has selected to replace the crt and key in the ui #}
+{%   if NGINXMERGED.ssl.replace_cert %}
+
+managerssl_key:
+  file.managed:
+    - name: /etc/pki/managerssl.key
+    - source: salt://nginx/ssl/ssl.key
+    - mode: 640
+    - group: 939
+    - watch_in:
+      - docker_container: so-nginx
+
+managerssl_crt:
+  file.managed:
+    - name: /etc/pki/managerssl.crt
+    - source: salt://nginx/ssl/ssl.crt
+    - mode: 644
+    - watch_in:
+      - docker_container: so-nginx
+
+{%   else %}
+
+managerssl_key:
+  x509.private_key_managed:
+    - name: /etc/pki/managerssl.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+    - prereq:
+      - x509: /etc/pki/managerssl.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+    - watch_in:
+      - docker_container: so-nginx
+
+# Create a cert for the reverse proxy
+managerssl_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/managerssl.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: managerssl
+    - private_key: /etc/pki/managerssl.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" 
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+    - watch_in:
+      - docker_container: so-nginx
+
+{%   endif %}
+
+msslkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/managerssl.key
+    - mode: 640
+    - group: 939
+
 make-rule-dir-nginx:
  file.directory:
    - name: /nsm/rules
@@ -25,12 +92,16 @@ make-rule-dir-nginx:
      - user
      - group
    - show_changes: False
-
-{%   else %}
-{#     if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #}
-{%     set container_config = 'so-nginx-fleet-node' %}
+      
 {%   endif %}

+{# if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #}
+{% if GLOBALS.role == 'so-fleet' %}
+{%   set container_config = 'so-nginx-fleet-node' %}
+{% else %}
+{%   set container_config = 'so-nginx' %}
+{% endif %}
+
 so-nginx:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
@@ -83,27 +154,18 @@ so-nginx:
    - watch:
      - file: nginxconf
      - file: nginxconfdir
-      {% if GLOBALS.is_manager %}
-      {%   if NGINXMERGED.ssl.replace_cert %}
-      - file: managerssl_key
-      - file: managerssl_crt
-      {%   else %}
-      - x509: managerssl_key
-      - x509: managerssl_crt
-      {%   endif%}
-      {% endif %}
    - require:
      - file: nginxconf
-      {% if GLOBALS.is_manager %}
-      {%   if NGINXMERGED.ssl.replace_cert %}
+{% if GLOBALS.is_manager %}
+{%     if NGINXMERGED.ssl.replace_cert %}
      - file: managerssl_key
      - file: managerssl_crt
-      {%   else %}
+{%     else %}
      - x509: managerssl_key
      - x509: managerssl_crt
-      {%   endif%}
+{%     endif%}
      - file: navigatorconfig
-      {% endif %}
+{%   endif %}

 delete_so-nginx_so-status.disabled:
  file.uncomment:
--- a/salt/nginx/ssl.sls
+++ b/salt/nginx/ssl.sls
@@ -1,87 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'nginx/map.jinja' import NGINXMERGED %}
-{%   from 'ca/map.jinja' import CA %}
-
-{%   if GLOBALS.role != 'so-fleet' %}
-{#     if the user has selected to replace the crt and key in the ui #}
-{%     if NGINXMERGED.ssl.replace_cert %}
-
-managerssl_key:
-  file.managed:
-    - name: /etc/pki/managerssl.key
-    - source: salt://nginx/ssl/ssl.key
-    - mode: 640
-    - group: 939
-    - watch_in:
-      - docker_container: so-nginx
-
-managerssl_crt:
-  file.managed:
-    - name: /etc/pki/managerssl.crt
-    - source: salt://nginx/ssl/ssl.crt
-    - mode: 644
-    - watch_in:
-      - docker_container: so-nginx
-
-{%   else %}
-
-managerssl_key:
-  x509.private_key_managed:
-    - name: /etc/pki/managerssl.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
-    - prereq:
-      - x509: /etc/pki/managerssl.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-    - watch_in:
-      - docker_container: so-nginx
-
-# Create a cert for the reverse proxy
-managerssl_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/managerssl.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/managerssl.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" 
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-    - watch_in:
-      - docker_container: so-nginx
-
-{%     endif %}
-
-msslkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/managerssl.key
-    - mode: 640
-    - group: 939
-
-{%   endif %}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/pcap/ca.sls
+++ b/salt/pcap/ca.sls
@@ -1,22 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states or sls in allowed_states%}
-
-stenoca:
-  file.directory:
-    - name: /opt/so/conf/steno/certs
-    - user: 941
-    - group: 939
-    - makedirs: True
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/pcap/config.sls
+++ b/salt/pcap/config.sls
@@ -57,6 +57,12 @@ stenoconf:
        PCAPMERGED: {{ PCAPMERGED }}
        STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}"

+stenoca:
+  file.directory:
+    - name: /opt/so/conf/steno/certs
+    - user: 941
+    - group: 939
+
 pcaptmpdir:
  file.directory:
    - name: /nsm/pcaptmp
--- a/salt/pcap/enabled.sls
+++ b/salt/pcap/enabled.sls
@@ -10,7 +10,6 @@


 include:
-  - pcap.ca
  - pcap.config
  - pcap.sostatus

--- a/salt/redis/config.sls
+++ b/salt/redis/config.sls
@@ -7,6 +7,9 @@
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'redis/map.jinja' import REDISMERGED %}

+include:
+  - ssl
+
 # Redis Setup
 redisconfdir:
  file.directory:
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -9,8 +9,6 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
-  - ca
-  - redis.ssl
  - redis.config
  - redis.sostatus

@@ -33,7 +31,11 @@ so-redis:
      - /nsm/redis/data:/data:rw
      - /etc/pki/redis.crt:/certs/redis.crt:ro
      - /etc/pki/redis.key:/certs/redis.key:ro
+      {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
+      - /etc/pki/ca.crt:/certs/ca.crt:ro
+      {% else %}
      - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
+      {% endif %}
      {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
      - {{ BIND }}
@@ -53,14 +55,16 @@ so-redis:
    {% endif %}
    - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
    - watch:
-      - file: trusttheca
-      - x509: redis_crt
-      - x509: redis_key
      - file: /opt/so/conf/redis/etc
    - require:
-      - file: trusttheca
+      - file: redisconf
      - x509: redis_crt
      - x509: redis_key
+      {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
+      - x509: pki_public_ca_crt
+      {% else %}
+      - x509: trusttheca
+      {% endif %}

 delete_so-redis_so-status.disabled:
  file.uncomment:
--- a/salt/redis/ssl.sls
+++ b/salt/redis/ssl.sls
@@ -1,54 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'ca/map.jinja' import CA %}
-
-redis_key:
-  x509.private_key_managed:
-    - name: /etc/pki/redis.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
-    - prereq:
-      - x509: /etc/pki/redis.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-redis_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/redis.crt
-    - ca_server: {{ CA.server }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - signing_policy: general
-    - private_key: /etc/pki/redis.key
-    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-rediskeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/redis.key
-    - mode: 640
-    - group: 939
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/registry/config.sls
+++ b/salt/registry/config.sls
@@ -6,6 +6,9 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}

+include:
+  - ssl
+
 # Create the config directory for the docker registry
 dockerregistryconfdir:
  file.directory:
--- a/salt/registry/enabled.sls
+++ b/salt/registry/enabled.sls
@@ -9,7 +9,6 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}

 include:
-  - registry.ssl
  - registry.config
  - registry.sostatus

@@ -54,9 +53,6 @@ so-dockerregistry:
    - retry:
        attempts: 5
        interval: 30
-    - watch:
-      - x509: registry_crt
-      - x509: registry_key
    - require:
      - file: dockerregistryconf
      - x509: registry_crt
--- a/salt/registry/ssl.sls
+++ b/salt/registry/ssl.sls
@@ -1,77 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'ca/map.jinja' import CA %}
-
-include:
-  - ca
-
-# Delete directory if it exists at the key path
-registry_key_cleanup:
-  file.absent:
-    - name: /etc/pki/registry.key
-    - onlyif:
-      - test -d /etc/pki/registry.key
-
-registry_key:
-  x509.private_key_managed:
-    - name: /etc/pki/registry.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    - require:
-      - file: registry_key_cleanup
-    {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
-    - prereq:
-      - x509: /etc/pki/registry.crt
-    {%- endif %}
-    - retry:
-        attempts: 15
-        interval: 10
-
-# Delete directory if it exists at the crt path
-registry_crt_cleanup:
-  file.absent:
-    - name: /etc/pki/registry.crt
-    - onlyif:
-      - test -d /etc/pki/registry.crt
-
-# Create a cert for the docker registry
-registry_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/registry.crt
-    - ca_server: {{ CA.server }}
-    - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} 
-    - signing_policy: general
-    - private_key: /etc/pki/registry.key
-    - CN: {{ GLOBALS.manager }}
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - require:
-      - file: registry_crt_cleanup
-    - timeout: 30
-    - retry:
-        attempts: 15
-        interval: 10
-
-
-regkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/registry.key
-    - mode: 640
-    - group: 939
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/salt/engines/master/checkmine.py
+++ b/salt/salt/engines/master/checkmine.py
@@ -46,6 +46,33 @@ def start(interval=60):
                mine_update(minion)
                continue

+            # if a manager check that the ca in in the mine and it is correct
+            if minion.split('_')[-1] in ['manager', 'managersearch', 'eval', 'standalone', 'import']:
+                x509 = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='x509.get_pem_entries')
+                try:
+                    ca_crt = x509[minion]['/etc/pki/ca.crt']
+                    log.debug('checkmine engine: found minion %s has ca_crt: %s' % (minion, ca_crt))
+                    # since the cert is defined, make sure it is valid
+                    import salt.modules.x509_v2 as x509_v2
+                    if not x509_v2.verify_private_key('/etc/pki/ca.key', '/etc/pki/ca.crt'):
+                        log.error('checkmine engine: found minion %s does\'t have a valid ca_crt in the mine' % (minion))
+                        log.error('checkmine engine: %s: ca_crt: %s' % (minion, ca_crt))
+                        mine_delete(minion, 'x509.get_pem_entries')
+                        mine_update(minion)
+                        continue
+                    else:
+                        log.debug('checkmine engine: found minion %s has a valid ca_crt in the mine' % (minion))
+                except IndexError:
+                    log.error('checkmine engine: found minion %s does\'t have a ca_crt in the mine' % (minion))
+                    mine_delete(minion, 'x509.get_pem_entries')
+                    mine_update(minion)
+                    continue
+                except KeyError:
+                    log.error('checkmine engine: found minion %s is not in the mine' % (minion))
+                    mine_flush(minion)
+                    mine_update(minion)
+                    continue
+
            # Update the mine if the ip in the mine doesn't match returned from manage.alived
            network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs')
            try:
--- a/salt/salt/mine_functions.sls
+++ b/salt/salt/mine_functions.sls
@@ -18,6 +18,10 @@ mine_functions:
        mine_functions:
          network.ip_addrs:
            - interface: {{ interface }}
+        {%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %}
+          x509.get_pem_entries:
+            - glob_path: '/etc/pki/ca.crt'
+        {% endif %}

 mine_update_mine_functions:
  module.run:
--- a/salt/salt/minion/init.sls
+++ b/salt/salt/minion/init.sls
@@ -17,8 +17,8 @@ include:
  - repo.client
  - salt.mine_functions
  - salt.minion.service_file
-{% if GLOBALS.is_manager %}
-  - ca.signing_policy
+{% if GLOBALS.role in GLOBALS.manager_roles %}
+  - ca
 {% endif %}

 {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
@@ -111,7 +111,7 @@ salt_minion_service:
 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
      - file: set_log_levels
 {% endif %}
-{% if GLOBALS.is_manager %}
-      - file: signing_policy
+{% if GLOBALS.role in GLOBALS.manager_roles %}
+      - file: /etc/salt/minion.d/signing_policies.conf
 {% endif %}
    - order: last
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -8,9 +8,6 @@


 include:
-{% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
-  - pcap.ca
-{% endif %}
  - sensoroni.config
  - sensoroni.sostatus

@@ -19,9 +16,7 @@ so-sensoroni:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
    - network_mode: host
    - binds:
-      {% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
-      {% endif %}
      - /nsm/pcap:/nsm/pcap:rw
      - /nsm/import:/nsm/import:rw
      - /nsm/pcapout:/nsm/pcapout:rw
--- a/salt/sensoroni/files/templates/reports/standard/case_report.md
+++ b/salt/sensoroni/files/templates/reports/standard/case_report.md
@@ -130,42 +130,4 @@ Security Onion Case Report
 | ---- | ---- | ------ | --------- |
 {{ range sortHistory "CreateTime" "asc" .History -}}
 | {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}} | {{getUserDetail "email" .UserId}} | {{.Kind}} | {{.Operation}} |
-{{end}}
-
-## Attached Onion AI Sessions
-
-{{ range $idx, $session := sortAssistantSessionDetails "CreateTime" "desc" .AssistantSessions }}
-
-#### Session {{ add $idx 1 }}
-
-**Session ID:** {{$session.Session.SessionId}}
-
-**Title:** {{$session.Session.Title}}
-
-**User ID:** {{getUserDetail "email" $session.Session.UserId}}
-
-**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.CreateTime}}
-
-**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.UpdateTime}}
-
-{{ if $session.Session.DeleteTime }}
-**Deleted:** {{ formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.DeleteTime}}
-{{ end }}
-
-#### Messages
-
-{{ range $index, $msg := sortAssistantMessages "CreateTime" "asc" $session.History }}
-{{ range $i, $block := $msg.Message.ContentBlocks }}
-
-{{ if eq $block.Type "text" }}
-
-**Role:** {{$msg.Message.Role}}
-
-{{ stripEmoji $block.Text }}
-
---
-
-{{ end }}{{ end }}
-
-{{end}}
 {{end}}
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -11,7 +11,6 @@
 {%   from 'soc/merged.map.jinja' import SOCMERGED %}

 include:
-  - ca
  - soc.config
  - soc.sostatus

@@ -56,7 +55,7 @@ so-soc:
      - /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw
      - /nsm/backup/detections-migration:/nsm/backup/detections-migration:ro
      - /opt/so/state:/opt/so/state:rw
-      - /etc/pki/tls/certs/intca.crt:/opt/sensoroni/html/so-ca.crt:ro
+      - /etc/pki/ca.crt:/opt/sensoroni/html/so-ca.crt:ro
    - extra_hosts:
    {% for node in DOCKER_EXTRA_HOSTS %}
    {%   for hostname, ip in node.items() %}
@@ -79,10 +78,8 @@ so-soc:
    {%   endfor %}
    {% endif %}
    - watch:
-      - file: trusttheca
      - file: /opt/so/conf/soc/*
    - require:
-      - file: trusttheca
      - file: socdatadir
      - file: soclogdir
      - file: socconfig
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -0,0 +1,720 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+
+{% set global_ca_text = [] %}
+{% set global_ca_server = [] %}
+{% if grains.role in ['so-heavynode'] %}
+  {% set COMMONNAME = GLOBALS.hostname %}
+{% else %}
+  {% set COMMONNAME = GLOBALS.manager %}
+{% endif %}
+
+{% if GLOBALS.is_manager %}
+include:
+  - ca
+    {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
+    {% set ca_server = grains.id %}
+{% else %}
+include:
+  - ca.dirs
+    {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %}
+    {% for host in x509dict %}
+      {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
+        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
+        {% do global_ca_server.append(host) %}
+      {% endif %}
+    {% endfor %}
+    {% set trusttheca_text = global_ca_text[0] %}
+    {% set ca_server = global_ca_server[0] %}
+{% endif %}
+
+cacertdir:
+  file.directory:
+    - name: /etc/pki/tls/certs
+    - makedirs: True
+
+# Trust the CA
+trusttheca:
+  x509.pem_managed:
+    - name: /etc/pki/tls/certs/intca.crt
+    - text:  {{ trusttheca_text }}
+
+{% if GLOBALS.os_family == 'Debian' %}
+symlinkca:
+  file.symlink:
+    - target: /etc/pki/tls/certs/intca.crt
+    - name: /etc/ssl/certs/intca.crt
+{% endif %}
+
+# Install packages needed for the sensor
+m2cryptopkgs:
+  pkg.installed:
+    - skip_suggestions: False
+    - pkgs:
+      - python3-m2crypto
+
+influxdb_key:
+  x509.private_key_managed:
+    - name: /etc/pki/influxdb.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
+    - prereq:
+      - x509: /etc/pki/influxdb.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Create a cert for the talking to influxdb
+influxdb_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/influxdb.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: influxdb
+    - private_key: /etc/pki/influxdb.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+influxkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/influxdb.key
+    - mode: 640
+    - group: 939
+
+{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
+# Create a cert for Redis encryption
+redis_key:
+  x509.private_key_managed:
+    - name: /etc/pki/redis.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
+    - prereq:
+      - x509: /etc/pki/redis.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+redis_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/redis.crt
+    - ca_server: {{ ca_server }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - signing_policy: registry
+    - private_key: /etc/pki/redis.key
+    - CN: {{ GLOBALS.hostname }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+rediskeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/redis.key
+    - mode: 640
+    - group: 939
+{% endif %}
+
+{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
+
+{% if grains['role'] not in [ 'so-heavynode', 'so-receiver'] %}
+# Start -- Elastic Fleet Host Cert
+etc_elasticfleet_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-server.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-server.key') -%}
+    - prereq:
+      - x509: etc_elasticfleet_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleet_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-server.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-server.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+efperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-server.key
+    - mode: 640
+    - group: 939
+
+chownelasticfleetcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-server.crt
+    - mode: 640
+    - user: 947
+    - group: 939
+
+chownelasticfleetkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-server.key
+    - mode: 640
+    - user: 947
+    - group: 939
+# End -- Elastic Fleet Host Cert
+{% endif %} # endif is for not including HeavyNodes & Receivers 
+
+{% if grains['role'] not in [ 'so-heavynode'] %}
+# Start -- Elastic Fleet Logstash Input Cert
+etc_elasticfleet_logstash_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-logstash.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%}
+    - prereq:
+      - x509: etc_elasticfleet_logstash_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleet_logstash_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-logstash.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-logstash.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_elasticfleet_logstash_key
+
+eflogstashperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-logstash.key
+    - mode: 640
+    - group: 939
+
+chownelasticfleetlogstashcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-logstash.crt
+    - mode: 640
+    - user: 931
+    - group: 939
+
+chownelasticfleetlogstashkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-logstash.key
+    - mode: 640
+    - user: 931
+    - group: 939
+# End -- Elastic Fleet Logstash Input Cert
+{% endif %} # endif is for not including HeavyNodes 
+
+# Start -- Elastic Fleet Node - Logstash Lumberjack Input / Output
+# Cert needed on: Managers, Receivers
+etc_elasticfleetlumberjack_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-lumberjack.key
+    - bits: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%}
+    - prereq:
+      - x509: etc_elasticfleetlumberjack_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleetlumberjack_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-lumberjack.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-lumberjack.key
+    - CN: {{ GLOBALS.node_ip }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_elasticfleetlumberjack_key
+
+eflogstashlumberjackperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.key
+    - mode: 640
+    - group: 939
+
+chownilogstashelasticfleetlumberjackp8:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.p8
+    - mode: 640
+    - user: 931
+    - group: 939
+
+chownilogstashelasticfleetlogstashlumberjackcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.crt
+    - mode: 640
+    - user: 931
+    - group: 939
+
+chownilogstashelasticfleetlogstashlumberjackkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.key
+    - mode: 640
+    - user: 931
+    - group: 939
+
+# End -- Elastic Fleet Node - Logstash Lumberjack Input / Output
+
+# Start -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
+etc_elasticfleet_agent_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-agent.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%}
+    - prereq:
+      - x509: etc_elasticfleet_agent_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleet_agent_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-agent.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-agent.key
+    - CN: {{ GLOBALS.hostname }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_elasticfleet_agent_key
+
+efagentperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-agent.key
+    - mode: 640
+    - group: 939
+
+chownelasticfleetagentcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-agent.crt
+    - mode: 640
+    - user: 947
+    - group: 939
+
+chownelasticfleetagentkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-agent.key
+    - mode: 640
+    - user: 947
+    - group: 939
+# End -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
+
+{% endif %}
+
+{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-receiver'] %}
+etc_filebeat_key:
+  x509.private_key_managed:
+    - name: /etc/pki/filebeat.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
+    - prereq:
+      - x509: etc_filebeat_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Request a cert and drop it where it needs to go to be distributed
+etc_filebeat_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/filebeat.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: filebeat
+    - private_key: /etc/pki/filebeat.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_filebeat_key
+
+fbperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/filebeat.key
+    - mode: 640
+    - group: 939
+
+chownilogstashfilebeatp8:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/filebeat.p8
+    - mode: 640
+    - user: 931
+    - group: 939
+
+  {% if grains.role not in ['so-heavynode', 'so-receiver'] %}
+# Create Symlinks to the keys so I can distribute it to all the things
+filebeatdir:
+  file.directory:
+    - name: /opt/so/saltstack/local/salt/filebeat/files
+    - makedirs: True
+
+fbkeylink:
+  file.symlink:
+    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8
+    - target: /etc/pki/filebeat.p8
+    - user: socore
+    - group: socore
+
+fbcrtlink:
+  file.symlink:
+    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt
+    - target: /etc/pki/filebeat.crt
+    - user: socore
+    - group: socore
+
+registry_key:
+  x509.private_key_managed:
+    - name: /etc/pki/registry.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
+    - prereq:
+      - x509: /etc/pki/registry.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Create a cert for the docker registry
+registry_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/registry.crt
+    - ca_server: {{ ca_server }}
+    - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} 
+    - signing_policy: registry
+    - private_key: /etc/pki/registry.key
+    - CN: {{ GLOBALS.manager }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+regkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/registry.key
+    - mode: 640
+    - group: 939
+
+  {% endif %}
+  {% if grains.role not in ['so-receiver'] %}
+# Create a cert for elasticsearch
+/etc/pki/elasticsearch.key:
+  x509.private_key_managed:
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
+    - prereq:
+      - x509: /etc/pki/elasticsearch.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+/etc/pki/elasticsearch.crt:
+  x509.certificate_managed:
+    - ca_server: {{ ca_server }}
+    - signing_policy: registry
+    - private_key: /etc/pki/elasticsearch.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
+    - onchanges:
+      - x509: /etc/pki/elasticsearch.key
+
+elastickeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.key
+    - mode: 640
+    - group: 930
+    
+elasticp12perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.p12
+    - mode: 640
+    - group: 930
+
+  {% endif %}
+
+
+{% endif %}
+
+{% if GLOBALS.is_manager or GLOBALS.role in ['so-sensor', 'so-searchnode', 'so-heavynode', 'so-fleet', 'so-idh', 'so-receiver'] %}
+   
+fbcertdir:
+  file.directory:
+    - name: /opt/so/conf/filebeat/etc/pki
+    - makedirs: True
+
+conf_filebeat_key:
+  x509.private_key_managed:
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
+    - prereq:
+      - x509: conf_filebeat_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Request a cert and drop it where it needs to go to be distributed
+conf_filebeat_crt:
+  x509.certificate_managed:
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: filebeat
+    - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Convert the key to pkcs#8 so logstash will work correctly.
+filebeatpkcs:
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
+    - onchanges:
+      - x509: conf_filebeat_key
+
+filebeatkeyperms:
+  file.managed:
+    - replace: False
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - mode: 640
+    - group: 939
+
+chownfilebeatp8:
+  file.managed:
+    - replace: False
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.p8
+    - mode: 640
+    - user: 931
+    - group: 939
+    
+{% endif %}
+
+{% if grains['role'] == 'so-searchnode' %}
+# Create a cert for elasticsearch
+/etc/pki/elasticsearch.key:
+  x509.private_key_managed:
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
+    - prereq:
+      - x509: /etc/pki/elasticsearch.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+/etc/pki/elasticsearch.crt:
+  x509.certificate_managed:
+    - ca_server: {{ ca_server }}
+    - signing_policy: registry
+    - private_key: /etc/pki/elasticsearch.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
+    - onchanges:
+      - x509: /etc/pki/elasticsearch.key
+
+elasticp12perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.p12
+    - mode: 640
+    - group: 930
+    
+elastickeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.key
+    - mode: 640
+    - group: 930
+{%- endif %}
+
+{% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone'] %}
+elasticfleet_kafka_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-kafka.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-kafka.key') -%}
+    - prereq:
+      - x509: elasticfleet_kafka_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+elasticfleet_kafka_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-kafka.crt
+    - ca_server: {{ ca_server }}
+    - signing_policy: kafka
+    - private_key: /etc/pki/elasticfleet-kafka.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+elasticfleet_kafka_cert_perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-kafka.crt
+    - mode: 640
+    - user: 947
+    - group: 939
+
+elasticfleet_kafka_key_perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-kafka.key
+    - mode: 640
+    - user: 947
+    - group: 939
+{% endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/ssl/remove.sls
+++ b/salt/ssl/remove.sls
@@ -1,7 +1,10 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
+trusttheca:
+  file.absent:
+    - name: /etc/pki/tls/certs/intca.crt
+
+symlinkca:
+  file.absent:
+    - name: /etc/ssl/certs/intca.crt

 influxdb_key:
  file.absent:
@@ -11,14 +14,6 @@ influxdb_crt:
  file.absent:
    - name: /etc/pki/influxdb.crt

-telegraf_key:
-  file.absent:
-    - name: /etc/pki/telegraf.key
-
-telegraf_crt:
-  file.absent:
-    - name: /etc/pki/telegraf.crt
-
 redis_key:
  file.absent:
    - name: /etc/pki/redis.key
@@ -35,7 +30,6 @@ etc_filebeat_crt:
  file.absent:
    - name: /etc/pki/filebeat.crt

-# manager has symlink to /etc/pki/filebeat.crt and /etc/pki/filebeat.p8
 filebeatdir:
  file.absent:
    - name: /opt/so/saltstack/local/salt/filebeat/files
@@ -48,13 +42,11 @@ registry_crt:
  file.absent:
    - name: /etc/pki/registry.crt

-elasticsearch_key:
-  file.absent:
-    - name: /etc/pki/elasticsearch.key
+/etc/pki/elasticsearch.key:
+  file.absent: []

-elasticsearch_crt:
-  file.absent:
-    - name: /etc/pki/elasticsearch.crt
+/etc/pki/elasticsearch.crt:
+  file.absent: []

 remove_elasticsearch.p12:
  file.absent:
@@ -83,7 +75,6 @@ fbcertdir:
 kafka_crt:
  file.absent:
    - name: /etc/pki/kafka.crt
-
 kafka_key:
  file.absent:
    - name: /etc/pki/kafka.key
@@ -91,67 +82,9 @@ kafka_key:
 kafka_logstash_crt:
  file.absent:
    - name: /etc/pki/kafka-logstash.crt
-
 kafka_logstash_key:
  file.absent:
    - name: /etc/pki/kafka-logstash.key
-
 kafka_logstash_keystore:
  file.absent:
    - name: /etc/pki/kafka-logstash.p12
-
-elasticfleet_agent_crt:
-  file.absent:
-    - name: /etc/pki/elasticfleet-agent.crt
-
-elasticfleet_agent_key:
-  file.absent:
-    - name: /etc/pki/elasticfleet-agent.key
-
-elasticfleet_agent_p8:
-  file.absent:
-    - name: /etc/pki/elasticfleet-agent.p8
-
-elasticfleet_kafka_crt:
-  file.absent:
-    - name: /etc/pki/elasticfleet-kafka.crt
-
-elasticfleet_kafka_key:
-  file.absent:
-    - name: /etc/pki/elasticfleet-kafka.key
-
-elasticfleet_logstash_crt:
-  file.absent:
-    - name: /etc/pki/elasticfleet-logstash.crt
-
-elasticfleet_logstash_key:
-  file.absent:
-    - name: /etc/pki/elasticfleet-logstash.key
-
-elasticfleet_logstash_p8:
-  file.absent:
-    - name: /etc/pki/elasticfleet-logstash.p8
-
-elasticfleet_lumberjack_crt:
-  file.absent:
-    - name: /etc/pki/elasticfleet-lumberjack.crt
-
-elasticfleet_lumberjack_key:
-  file.absent:
-    - name: /etc/pki/elasticfleet-lumberjack.key
-
-elasticfleet_lumberjack_p8:
-  file.absent:
-    - name: /etc/pki/elasticfleet-lumberjack.p8
-
-elasticfleet_server_crt:
-  file.absent:
-    - name: /etc/pki/elasticfleet-server.crt
-
-elasticfleet_server_key:
-  file.absent:
-    - name: /etc/pki/elasticfleet-server.key
-
-filebeat_p8:
-  file.absent:
-    - name: /etc/pki/filebeat.p8
--- a/salt/telegraf/config.sls
+++ b/salt/telegraf/config.sls
@@ -8,6 +8,9 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}

+include:
+  - ssl
+
 # add Telegraf to monitor all the things
 tgraflogdir:
  file.directory:
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -9,9 +9,8 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}

+
 include:
-  - ca
-  - telegraf.ssl
  - telegraf.config
  - telegraf.sostatus

@@ -43,9 +42,13 @@ so-telegraf:
      - /proc:/host/proc:ro
      - /nsm:/host/nsm:ro
      - /etc:/host/etc:ro
+      {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %}
+      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
+      {% else %}
      - /etc/pki/tls/certs/intca.crt:/etc/telegraf/ca.crt:ro
-      - /etc/pki/telegraf.crt:/etc/telegraf/telegraf.crt:ro
-      - /etc/pki/telegraf.key:/etc/telegraf/telegraf.key:ro
+      {% endif %}
+      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
+      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
      - /opt/so/conf/telegraf/scripts:/scripts:ro
      - /opt/so/log/stenographer:/var/log/stenographer:ro
      - /opt/so/log/suricata:/var/log/suricata:ro
@@ -68,20 +71,21 @@ so-telegraf:
      {% endfor %}
    {% endif %}
    - watch:
-      - file: trusttheca
-      - x509: telegraf_crt
-      - x509: telegraf_key
      - file: tgrafconf
      - file: node_config
    {% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
      - file: tgraf_sync_script_{{script}}
    {% endfor %}
-    - require:
-      - file: trusttheca
-      - x509: telegraf_crt
-      - x509: telegraf_key
+    - require: 
      - file: tgrafconf
      - file: node_config
+      {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %}
+      - x509: pki_public_ca_crt
+      {% else %}
+      - x509: trusttheca
+      {% endif %}
+      - x509: influxdb_crt
+      - x509: influxdb_key

 delete_so-telegraf_so-status.disabled:
  file.uncomment:
--- a/salt/telegraf/ssl.sls
+++ b/salt/telegraf/ssl.sls
@@ -1,66 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'ca/map.jinja' import CA %}
-
-telegraf_key:
-  x509.private_key_managed:
-    - name: /etc/pki/telegraf.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/telegraf.key') -%}
-    - prereq:
-      - x509: /etc/pki/telegraf.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Create a cert for the talking to telegraf
-telegraf_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/telegraf.crt
-    - ca_server: {{ CA.server }}
-    - signing_policy: general
-    - private_key: /etc/pki/telegraf.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
-    - days_remaining: 7
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-telegraf_key_perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/telegraf.key
-    - mode: 640
-    - group: 939
-
-{%   if not GLOBALS.is_manager %}
-{# Prior to 2.4.220, minions used influxdb.crt and key for telegraf #}
-remove_influxdb.crt:
-  file.absent:
-    - name: /etc/pki/influxdb.crt
-
-remove_influxdb.key:
-  file.absent:
-    - name: /etc/pki/influxdb.key
-{%   endif %}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -37,7 +37,6 @@ base:
  'not ( *_manager* or *_eval or *_import or *_standalone ) and G@saltversion:{{saltversion}}':
    - match: compound
    - salt.minion
-    - ca
    - patch.os.schedule
    - motd
    - salt.minion-check
@@ -50,7 +49,6 @@ base:
  '( *_manager* or *_eval or *_import or *_standalone ) and G@saltversion:{{saltversion}} and not I@node_data:False':
    - match: compound
    - salt.minion
-    - ca
    - patch.os.schedule
    - motd
    - salt.minion-check
@@ -63,6 +61,8 @@ base:
    - match: compound
    - salt.master
    - sensor
+    - ca
+    - ssl
    - registry
    - manager
    - backup.config_backup
@@ -91,6 +91,8 @@ base:
    - match: compound
    - salt.master
    - sensor
+    - ca
+    - ssl
    - registry
    - manager
    - backup.config_backup
@@ -122,6 +124,8 @@ base:
  '*_manager or *_managerhype and G@saltversion:{{saltversion}} and not I@node_data:False':
    - match: compound
    - salt.master
+    - ca
+    - ssl
    - registry
    - nginx
    - influxdb
@@ -153,6 +157,8 @@ base:
  '*_managersearch and G@saltversion:{{saltversion}} and not I@node_data:False':
    - match: compound
    - salt.master
+    - ca
+    - ssl
    - registry
    - nginx
    - influxdb
@@ -181,6 +187,8 @@ base:
    - match: compound
    - salt.master
    - sensor
+    - ca
+    - ssl
    - registry
    - manager
    - nginx
@@ -204,6 +212,7 @@ base:
  '*_searchnode and G@saltversion:{{saltversion}}':
    - match: compound
    - firewall
+    - ssl
    - elasticsearch
    - logstash
    - sensoroni
@@ -216,6 +225,7 @@ base:
  '*_sensor and G@saltversion:{{saltversion}}':
    - match: compound
    - sensor
+    - ssl
    - sensoroni
    - telegraf
    - firewall
@@ -231,6 +241,7 @@ base:
  '*_heavynode and G@saltversion:{{saltversion}}':
    - match: compound
    - sensor
+    - ssl
    - sensoroni
    - telegraf
    - nginx
@@ -248,6 +259,7 @@ base:

  '*_receiver and G@saltversion:{{saltversion}}':
    - match: compound
+    - ssl
    - sensoroni
    - telegraf
    - firewall
@@ -259,6 +271,7 @@ base:

  '*_idh and G@saltversion:{{saltversion}}':
    - match: compound
+    - ssl
    - sensoroni
    - telegraf
    - firewall
@@ -267,6 +280,7 @@ base:

  '*_fleet and G@saltversion:{{saltversion}}':
    - match: compound
+    - ssl
    - sensoroni
    - telegraf
    - firewall
@@ -279,6 +293,7 @@ base:

  '*_hypervisor and I@features:vrt and G@saltversion:{{saltversion}}':
    - match: compound
+    - ssl
    - sensoroni
    - telegraf
    - firewall
@@ -289,6 +304,7 @@ base:
    - stig
  
  '*_desktop and G@saltversion:{{saltversion}}':
+    - ssl
    - sensoroni
    - telegraf
    - elasticfleet.install_agent_grid
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1121,6 +1121,16 @@ generate_ca() {
 	logCmd "openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates"
 }

+generate_ssl() {
+	# if the install type is a manager then we need to wait for the minion to be ready before trying
+	# to run the ssl state since we need the minion to sign the certs
+	if [[ $waitforstate ]]; then
+		(wait_for_salt_minion "$MINION_ID" "5" '/dev/stdout' || fail_setup) 2>&1 | tee -a "$setup_log"
+	fi
+	info "Applying SSL state"
+	logCmd "salt-call state.apply ssl -l info"
+}
+
 generate_passwords(){
  title "Generate Random Passwords"
  INFLUXPASS=$(get_random_value)
@@ -1634,7 +1644,7 @@ reinstall_init() {

 	{
 		# remove all of root's cronjobs
-		crontab -r -u root
+		logCmd "crontab -r -u root"

 		if command -v salt-call &> /dev/null && grep -q "master:" /etc/salt/minion 2> /dev/null; then
 			# Disable schedule so highstate doesn't start running during the install
@@ -1644,7 +1654,8 @@ reinstall_init() {
 			salt-call -l info saltutil.kill_all_jobs --local
 		fi

-		salt-call state.apply ca.remove -linfo --local --file-root=../salt
+		logCmd "salt-call state.apply ca.remove -linfo --local --file-root=../salt"
+		logCmd "salt-call state.apply ssl.remove -linfo --local --file-root=../salt"

 		# Kill any salt processes (safely)
 		for service in "${salt_services[@]}"; do
@@ -1657,7 +1668,7 @@ reinstall_init() {
 			local count=0
 			while check_service_status "$service"; do
 				if [[ $count -gt $service_retry_count ]]; then
-					echo "Could not stop $service after 1 minute, exiting setup."
+					info "Could not stop $service after 1 minute, exiting setup."

 					# Stop the systemctl process trying to kill the service, show user a message, then exit setup
 					kill -9 $pid
@@ -1695,10 +1706,10 @@ reinstall_init() {
 		backup_dir /nsm/influxdb "$date_string"

 		# Uninstall local Elastic Agent, if installed
-		elastic-agent uninstall -f
+		logCmd "elastic-agent uninstall -f"

 		if [[ $is_deb ]]; then
-			echo "Unholding previously held packages."
+			info "Unholding previously held packages."
 			apt-mark unhold $(apt-mark showhold)
 		fi

--- a/setup/so-setup
+++ b/setup/so-setup
@@ -773,9 +773,12 @@ if ! [[ -f $install_opt_file ]]; then
 		# wait here until we get a response from the salt-master since it may have just restarted
 		# exit setup after 5-6 minutes of trying
 		check_salt_master_status || fail  "Can't access salt master or it is not ready"
-		# apply the ca state to create the ca and symlink to local/salt/ca/files/ca.crt
+		# apply the ca state to create the ca and put it in the mine early in the install
 		# the minion ip will already be in the mine from configure_minion function in so-functions
 		generate_ca
+		# this will also call the ssl state since docker requires the intca
+		# the salt-minion service will need to be up on the manager to sign requests
+		generate_ssl
 		logCmd "salt-call state.apply docker"
 		firewall_generate_templates
 		set_initial_firewall_policy