mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
67 lines
1.5 KiB
Plaintext
67 lines
1.5 KiB
Plaintext
{% set show_top = salt['state.show_top']() %}
|
|
{% set top_states = show_top.values() | join(', ') %}
|
|
|
|
{% if 'ca' in top_states %}
|
|
|
|
{% set manager = salt['grains.get']('master') %}
|
|
/etc/salt/minion.d/signing_policies.conf:
|
|
file.managed:
|
|
- source: salt://ca/files/signing_policies.conf
|
|
|
|
/etc/pki:
|
|
file.directory: []
|
|
|
|
/etc/pki/issued_certs:
|
|
file.directory: []
|
|
|
|
pki_private_key:
|
|
x509.private_key_managed:
|
|
- name: /etc/pki/ca.key
|
|
- bits: 4096
|
|
- passphrase:
|
|
- cipher: aes_256_cbc
|
|
- backup: True
|
|
{% if salt['file.file_exists']('/etc/pki/ca.key') -%}
|
|
- prereq:
|
|
- x509: /etc/pki/ca.crt
|
|
{%- endif %}
|
|
|
|
/etc/pki/ca.crt:
|
|
x509.certificate_managed:
|
|
- signing_private_key: /etc/pki/ca.key
|
|
- CN: {{ manager }}
|
|
- C: US
|
|
- ST: Utah
|
|
- L: Salt Lake City
|
|
- basicConstraints: "critical CA:true"
|
|
- keyUsage: "critical cRLSign, keyCertSign"
|
|
- extendedkeyUsage: "serverAuth, clientAuth"
|
|
- subjectKeyIdentifier: hash
|
|
- authorityKeyIdentifier: keyid,issuer:always
|
|
- days_valid: 3650
|
|
- days_remaining: 0
|
|
- backup: True
|
|
- replace: False
|
|
- require:
|
|
- file: /etc/pki
|
|
|
|
x509_pem_entries:
|
|
module.run:
|
|
- mine.send:
|
|
- name: x509.get_pem_entries
|
|
- glob_path: /etc/pki/ca.crt
|
|
|
|
cakeyperms:
|
|
file.managed:
|
|
- replace: False
|
|
- name: /etc/pki/ca.key
|
|
- mode: 640
|
|
- group: 939
|
|
|
|
{% else %}
|
|
|
|
ca_state_not_allowed:
|
|
test.fail_without_changes:
|
|
- name: ca_state_not_allowed
|
|
|
|
{% endif %} |