{"id":13781471,"url":"https://github.com/sous-chefs/certificate","last_synced_at":"2025-10-12T16:07:09.389Z","repository":{"id":3034942,"uuid":"4055426","full_name":"sous-chefs/certificate","owner":"sous-chefs","description":"Development repository for the certificate cookbook","archived":false,"fork":false,"pushed_at":"2025-09-19T15:52:40.000Z","size":212,"stargazers_count":73,"open_issues_count":4,"forks_count":43,"subscribers_count":21,"default_branch":"main","last_synced_at":"2025-10-02T15:07:17.670Z","etag":null,"topics":["certificate","chef","chef-cookbook","chef-resource","hacktoberfest","managed-by-terraform"],"latest_commit_sha":null,"homepage":"https://supermarket.chef.io/cookbooks/certificate","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sous-chefs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"open_collective":"sous-chefs"}},"created_at":"2012-04-17T17:49:33.000Z","updated_at":"2025-09-19T15:52:14.000Z","dependencies_parsed_at":"2023-09-24T07:00:40.207Z","dependency_job_id":"e849d2ec-4343-4a2d-9b59-f9ce1e7c9522","html_url":"https://github.com/sous-chefs/certificate","commit_stats":{"total_commits":191,"total_committers":31,"mean_commits":6.161290322580645,"dds":0.5968586387434556,"last_synced_commit":"7ca06667e3991a4234f1f2d0126d4e82f058b758"},"previous_names":[],"tags_count":55,"template":false,"template_full_name":null,"purl":"pkg:github/sous-chefs/cert
ificate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fcertificate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fcertificate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fcertificate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fcertificate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sous-chefs","download_url":"https://codeload.github.com/sous-chefs/certificate/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fcertificate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279011983,"owners_count":26085039,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-12T02:00:06.719Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","chef","chef-cookbook","chef-resource","hacktoberfest","managed-by-terraform"],"created_at":"2024-08-03T18:01:26.312Z","updated_at":"2025-10-12T16:07:09.358Z","avatar_url":"https://github.com/sous-chefs.png","language":"Ruby","funding_links":["https://opencollective.com/sous-chefs"],"categories":["Resources"],"sub_categories":["Security"],"readme":"# Certificate cookbook\n\n[![Cookbook 
Version](https://img.shields.io/cookbook/v/certificate.svg)](https://supermarket.chef.io/cookbooks/certificate)\n[![CI State](https://github.com/sous-chefs/certificate/workflows/ci/badge.svg)](https://github.com/sous-chefs/certificate/actions?query=workflow%3Aci)\n[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)\n[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)\n[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)\n\n## Description\n\nThis cookbook automates the common task of managing X.509 certificates and keys from encrypted data bags. It\nprovides a flexible and reusable resource to set up certificates from various sources.\n\n### Warning about Vault mode\n\nPulling data from Chef Vault is not supported when using `chef-solo`, and will result in a failure condition.\n\n### Testing with encrypted data_bags\n\nThe stub files in `test/integration` are for testing only and should not be used in production. These files include a\nself-signed \"snake oil\" certificate/key and an `encrypted_data_bag_secret` file which are not secure to use beyond\ntesting.\n\n## Requirements\n\n### Prepping certificate data\n\nThe certificate strings in the data bag need all newlines replaced with literal `\\n`s. 
This conversion can be done with\na Ruby one-liner:\n\n```console\nruby -e 'p ARGF.read' \u003cfilename\u003e\n```\n\nThis will turn the input file from the normal certificate format:\n\n```text\n-----BEGIN CERTIFICATE-----\nMIIEEDCCA3mgAwIBAgIJAO4rOcmpIFmPMA0GCSqGSIb3DQEBBQUAMIG3MQswCQYD\n-----END CERTIFICATE-----\n```\n\nInto this:\n\n```text\n-----BEGIN CERTIFICATE-----\\nMIIEEDCCA3mgAwIBAgIJAO4rOcmpIFmPMA0GCSqGSIb3DQEBBQUAMIG3MQswCQYD\\n-----END CERTIFICATE-----\n```\n\nAdd the converted certificate / chain / key to the desired databag, attributes, or Chef Vault store:\n\n```json\n{\n  \"id\": \"example\",\n  \"cert\": \"-----BEGIN CERTIFICATE-----\\nCertificate Here...\",\n  \"key\": \"-----BEGIN PRIVATE KEY\\nPrivate Key Here...\",\n  \"chain\": \"-----BEGIN CERTIFICATE-----\\nCA Root Chain Here...\"\n}\n```\n\nThe `chain` entry may be optional if the CA's root chain is already trusted by the server.\n\n## Recipes\n\nThis cookbook comes with three simple example recipes for using the *certificate_manage* LWRP.\n\n### `certificate::default`\n\nCreates certificates from the data bag item `certificates/$HOSTNAME`.\n\n### `certificate::wildcard`\n\nSame as the default recipe, except for the data bag item name is `wildcard` instead of the node hostname.\n\nThe resulting files will be named wildcard.pem (cert), wildcard.key (key), and wildcard-bundle.crt (CA Root chain)\n\n### `certificate::manage_by_attributes`\n\nDefines `certificate_manage` resources dynamically from node attributes.\n\n\u003c!-- use raw html table for multi line code blocks --\u003e\n\u003c!-- markdownlint-disable no-inline-html --\u003e\n\u003ctable\u003e\n\u003ctr\u003e\n\u003ctd\u003e Attributes \u003c/td\u003e \u003ctd\u003e Equivalent resources \u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\n\n```ruby\nnode['certificate'] = [\n  {\n    'foo' =\u003e {\n      data_bag_type: 'none',\n      plaintext_cert: 'plain_cert',\n      plaintext_key: 'plain_key',\n      
plaintext_chain: 'plain_chain',\n    }\n  },\n  {'test' =\u003e {}},\n]\n```\n\n\u003c/td\u003e\n\u003ctd\u003e\n\n```ruby\ncertificate_manage 'foo' do\n  data_bag_type 'none'\n  plaintext_cert 'plain_cert'\n  plaintext_key 'plain_key'\n  plaintext_chain 'plain_chain'\nend\n\ncertificate_manage 'test'\n```\n\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\u003c!-- markdownlint-enable no-inline-html --\u003e\n\n## Resources\n\n### `certificate_manage`\n\nSets up certificates from data bags or Chef Vault stores.\n\n| Property            | Default                                     | Description                                                                                                                           |\n|---------------------|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|\n| `data_bag`          | `certificate`                               | Name of the data bag to look in                                                                                                       |\n| `data_bag_secret`   | `Chef::Config['encrypted_data_bag_secret']` | Path to the file with the data bag secret                                                                                             |\n| `data_bag_type`     | `encrypted`                                 | Where to get certificate data from: `encrypted` or `unencrypted` data bag, `vault` for Chef Vault, or `none` for plaintext properties |\n| `search_id`         | Resource name                               | Name of the data bag item to use                                                                                                      |\n| `plaintext_cert`    |                                             | Manual cert input for `none` data bag type                                                                                            |\n| `plaintext_key`     | 
                                            | Manual key input for `none` data bag type                                                                                             |\n| `plaintext_chain`   |                                             | Manual chain input for `none` data bag type                                                                                           |\n| `cert_path`         | `/etc/pki/tls` on RHEL, else `/etc/ssl`     | Directory to place certificates in                                                                                                    |\n| `create_subfolders` | `true`                                      | Whether to use `private/` and `certs/` subdirectories under `cert_path`                                                               |\n| `cert_file`         | `$FQDN.pem`                                 | Basename of the certificate                                                                                                           |\n| `key_file`          | `$FQDN.key`                                 | Basename of the private key                                                                                                           |\n| `chain_file`        | `$HOSTNAME-bundle.pem`                      | Basename of the chain certificate                                                                                                     |\n| `nginx_cert`        | `false`                                     | Whether to create a combined cert/chain certificate for use with Nginx instead of separate certs                                      |\n| `combined_file`     | `false`                                     | Whether to combine the cert, chain, and key into a single file                                                                        |\n| `owner`             | `root`                                      | File owner of the certificates                                                             
                                           |\n| `group`             | `root`                                      | File group of the certificates                                                                                                        |\n| `cookbook`          | `certificate`                               | Cookbook containing the certificate file template.                                                                                    |\n\n### Example\n\nThe following example will place certificates defined in the `certificates/mail` data bag item under `/etc/postfix/ssl`\nowned by postfix.\n\n```ruby\ncertificate_manage \"mail\" do\n  cert_path \"/etc/postfix/ssl\"\n  owner \"postfix\"\n  group \"postfix\"\nend\n```\n\n### .certificate, .key, .chain helper method usage\n\nSome helper methods are exposed for retrieving key/certificate paths in other recipes:\n\n- `.certificate` - The final path of the certificate file. i.e. `#{cert_path}/certs/#{cert_file}`\n- `.key` - The final path of the key file. i.e. `#{cert_path}/private/#{key_file}`\n- `.chain` - The final path of the chain file. i.e. 
`#{cert_path}/certs/#{chain_file}`\n\n```rb\n# where node.fqdn = 'example.com'\ntld = certificate_manage 'top_level_domain'\ntld_cert_location = tld.certificate # =\u003e /etc/ssl/certs/example.com.pem\n\n# where node.fqdn = 'sub.example.com'\nsbd = certificate_manage 'sub_domain' do\n  cert_path '/bobs/emporium'\n  create_subfolders false\nend\nsbd_cert_location = sbd.key # =\u003e /bobs/emporium/sub.example.com.key\n```\n\n### Setting FQDN during the converge\n\nIf the FQDN of the node is updated during converge, be sure to use [lazy attribute\nevaluation](https://docs.chef.io/resource_common.html#lazy-attribute-evaluation) to ensure `node['fqdn']` refers to the\nupdated value.\n\n```ruby\ncertificate_manage \"wildcard\" do\n  cert_file lazy { \"#{node['fqdn']}.pem\" }\n  key_file lazy { \"#{node['fqdn']}.key\" }\n  chain_file lazy { \"#{node['fqdn']}-bundle.crt\" }\nend\n```\n\n### Using the `none` data bag type\n\nThe `none` option does not use a data bag, requiring the certificate, key, and/or chain to be passed directly to the\nresource. 
This allows you to use the `certificate_manage` resource for all of your certificate needs, even if the\ncertificate data is stored in an unsupported location.\n\n```ruby\ncertificate_manage \"fqdn-none-plaintext\" do\n  cert_file lazy { \"#{node['fqdn']}.pem\" }\n  key_file lazy { \"#{node['fqdn']}.key\" }\n  chain_file lazy { \"#{node['fqdn']}-bundle.crt\" }\n  data_bag_type 'none'\n  # Each property is its own DSL call: no trailing commas between them\n  plaintext_cert \"-----BEGIN CERTIFICATE-----\\n...\\n-----END CERTIFICATE-----\\n\\n\"\n  plaintext_key \"-----BEGIN RSA PRIVATE KEY-----\\n...\\n-----END RSA PRIVATE KEY-----\\n\\n\"\n  plaintext_chain \"-----BEGIN CERTIFICATE-----\\n...\\n-----END CERTIFICATE-----\\n\\n\"\nend\n```\n\n## Contributors\n\nThis project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890\u0026button=false)\n\n### Backers\n\nThank you to all our backers!\n\n![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600\u0026avatarHeight=40)\n\n### Sponsors\n\nSupport this project by becoming a sponsor. 
Your logo will show up here with a link to your website.\n\n![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsous-chefs%2Fcertificate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsous-chefs%2Fcertificate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsous-chefs%2Fcertificate/lists"}