{"id":15227833,"url":"https://github.com/voxpupuli/puppet-openssl","last_synced_at":"2025-05-16T01:07:04.575Z","repository":{"id":837746,"uuid":"559336","full_name":"voxpupuli/puppet-openssl","owner":"voxpupuli","description":"Puppet OpenSSL module","archived":false,"fork":false,"pushed_at":"2025-03-19T20:13:07.000Z","size":648,"stargazers_count":37,"open_issues_count":13,"forks_count":87,"subscribers_count":49,"default_branch":"master","last_synced_at":"2025-05-08T16:03:57.578Z","etag":null,"topics":["bsd-puppet-module","centos-puppet-module","debian-puppet-module","hacktoberfest","linux-puppet-module","openbsd-puppet-module","puppet","redhat-puppet-module","ubuntu-puppet-module"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/voxpupuli.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"open_collective":"vox-pupuli","github":"voxpupuli"}},"created_at":"2010-03-12T15:00:59.000Z","updated_at":"2025-03-19T20:13:10.000Z","dependencies_parsed_at":"2023-02-19T15:31:42.353Z","dependency_job_id":"e1efd365-c44f-491b-b90d-c8b1defdf45e","html_url":"https://github.com/voxpupuli/puppet-openssl","commit_stats":{"total_commits":497,"total_committers":62,"mean_commits":8.016129032258064,"dds":0.635814889336016,"last_synced_commit":"9230d0b7f98f299b03bb759a65c257c7ab700465"},"previous_names":["camptocamp/puppet-openssl"],"tags_count":52,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxp
upuli%2Fpuppet-openssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-openssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-openssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voxpupuli%2Fpuppet-openssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/voxpupuli","download_url":"https://codeload.github.com/voxpupuli/puppet-openssl/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253317736,"owners_count":21889682,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bsd-puppet-module","centos-puppet-module","debian-puppet-module","hacktoberfest","linux-puppet-module","openbsd-puppet-module","puppet","redhat-puppet-module","ubuntu-puppet-module"],"created_at":"2024-09-28T23:06:18.691Z","updated_at":"2025-05-16T01:06:59.565Z","avatar_url":"https://github.com/voxpupuli.png","language":"Ruby","funding_links":["https://opencollective.com/vox-pupuli","https://github.com/sponsors/voxpupuli"],"categories":[],"sub_categories":[],"readme":"# OpenSSL Puppet Module\n\n[![Build Status](https://github.com/voxpupuli/puppet-openssl/workflows/CI/badge.svg)](https://github.com/voxpupuli/puppet-openssl/actions?query=workflow%3ACI)\n[![Release](https://github.com/voxpupuli/puppet-openssl/actions/workflows/release.yml/badge.svg)](https://github.com/voxpupuli/puppet-openssl/actions/workflows/release.yml)\n[![Puppet 
Forge](https://img.shields.io/puppetforge/v/puppet/openssl.svg)](https://forge.puppetlabs.com/puppet/openssl)\n[![Puppet Forge - downloads](https://img.shields.io/puppetforge/dt/puppet/openssl.svg)](https://forge.puppetlabs.com/puppet/openssl)\n[![Puppet Forge - endorsement](https://img.shields.io/puppetforge/e/puppet/openssl.svg)](https://forge.puppetlabs.com/puppet/openssl)\n[![Puppet Forge - scores](https://img.shields.io/puppetforge/f/puppet/openssl.svg)](https://forge.puppetlabs.com/puppet/openssl)\n[![puppetmodule.info docs](http://www.puppetmodule.info/images/badge.png)](http://www.puppetmodule.info/m/puppet-openssl)\n[![AGPL v3 License](https://img.shields.io/github/license/voxpupuli/puppet-openssl.svg)](LICENSE)\n[![Donated by Camptocamp](https://img.shields.io/badge/donated%20by-camptocamp-fb7047.svg)](#transfer-notice)\n\n**This module enables Puppet to manage PKI entities such as encryption keys, signing requests and X.509 certificates.**\n\n## Setup\n\nInclude this module in a manifest:\n\n```puppet\ncontain openssl\n```\n\nBy default, this will ensure OpenSSL and ca-certificates are installed.\n\nChange the defaults to pin specific versions of the packages or keep them up to date:\n\n```puppet\nclass { 'openssl':\n  package_ensure         =\u003e latest,\n  ca_certificates_ensure =\u003e latest,\n}\n```\n\n## Usage\n\n### Create X.509 certificates\n\nOne of the most common use-cases is to generate a private key, a certificate signing request and issue a certificate. This can be done using the [openssl::certificate::x509](REFERENCE.md#opensslcertificatex509) defined type, e.g.:\n\n```puppet\nopenssl::certificate::x509 { 'hostcert':\n  commonname =\u003e $facts['networking']['fqdn'],\n}\n```\n\nThis will create a series of resources, i.e. 
the private key in `/etc/ssl/certs/hostcert.key`, the certificate signing request in `/etc/ssl/certs/hostcert.csr` for the subject `DN: CN=\u003cfqdn\u003e` and the self-signed certificate stored in `/etc/ssl/certs/hostcert.crt`.\n\nNote that `openssl::certificate::x509` is a defined type that provides this abstract functionality by leveraging several other resources of the module, which are also available individually for more advanced use cases.\n\n### Create X.509 certificates from a hash\n\nInclude the [openssl::certificates](REFERENCE.md#opensslcertificates) class in a node's manifest and set the `certificates` parameter - possibly via Hiera - to a hash of certificate definitions:\n\n```puppet\ncontain openssl::certificates\n```\n\n```yaml\nopenssl::certificates:\n  hostcert:\n    commonname: \"%{facts['networking']['fqdn']}\"\n  othercert:\n    commonname: \"other.example.com\"\n    owner: www-data\n```\n\nThis will generate `openssl::certificate::x509` instances for each key in the hash.\n\n### Export a key pair to PKCS#12\n\nUse the [openssl::export::pkcs12](REFERENCE.md#opensslexportpkcs12) defined type to generate a PKCS#12 file:\n\n```puppet\nopenssl::export::pkcs12 { 'foo':\n  ensure   =\u003e 'present',\n  basedir  =\u003e '/path/to/dir',\n  pkey     =\u003e '/here/is/my/private.key',\n  cert     =\u003e '/there/is/the/cert.crt',\n  in_pass  =\u003e 'my_pkey_password',\n  out_pass =\u003e 'my_pkcs12_password',\n}\n```\n\n### Export certificate(s) to PEM/x509 format\n\nUse the [openssl::export::pem_cert](REFERENCE.md#opensslexportpem_cert) type to export PEM certificates from a pkcs12 container:\n\n```puppet\nopenssl::export::pem_cert { 'foo':\n  ensure   =\u003e 'present',\n  pfx_cert =\u003e '/here/is/my/certstore.pfx',\n  pem_cert =\u003e '/here/is/my/cert.pem',\n  in_pass  =\u003e 'my_pkcs12_password',\n}\n```\n\nThis definition exports PEM certificates from a DER certificate:\n\n```puppet\nopenssl::export::pem_cert { 'foo':\n  ensure   =\u003e 
'present',\n  der_cert =\u003e '/here/is/my/certstore.der',\n  pem_cert =\u003e '/here/is/my/cert.pem',\n}\n```\n\n### Export a key to PEM format\n\nUse [openssl::export::pem_key](REFERENCE.md#opensslexportpem_key) to export a PEM key from a PKCS#12 container:\n\n```puppet\nopenssl::export::pem_key { 'foo':\n  ensure   =\u003e 'present',\n  pfx_cert =\u003e '/here/is/my/certstore.pfx',\n  pem_key  =\u003e '/here/is/my/private.key',\n  in_pass  =\u003e 'my_pkcs12_password',\n  out_pass =\u003e 'my_pkey_password',\n}\n```\n\n### Dynamic refresh of exported files\n\nIf you want Puppet to refresh the PKCS#12, PEM/x509 or PEM key file when the input files change, enable dynamic mode and list the resources to subscribe to:\n\n```puppet\nopenssl::export::pkcs12 { 'bar':\n  ensure    =\u003e 'present',\n  basedir   =\u003e '/path/to/dir',\n  pkey      =\u003e '/here/is/my/private.key',\n  cert      =\u003e '/there/is/the/cert.crt',\n  dynamic   =\u003e true,\n  resources =\u003e File['/here/is/my/private.key','/there/is/the/cert.crt'],\n}\n```\n\n### Create Diffie-Hellman parameters\n\nThe [openssl::dhparam](REFERENCE.md#openssldhparam) defined type and its back-end resource type [dhparam](REFERENCE.md#dhparam) generate Diffie-Hellman parameters.\n\nSimple usage of the Puppet type:\n\n```puppet\ndhparam { '/path/to/dhparam.pem': }\n```\n\nAdvanced options:\n\n```puppet\ndhparam { '/path/to/dhparam.pem':\n  size =\u003e 2048,\n}\n```\n\nOr alternatively, using the defined type:\n\n```puppet\nopenssl::dhparam { '/path/to/dhparam.pem': }\n```\n\nwhich is equivalent to:\n\n```puppet\nopenssl::dhparam { '/path/to/dhparam.pem':\n  ensure =\u003e 'present',\n  size   =\u003e 512,\n  owner  =\u003e 'root',\n  group  =\u003e 'root',\n  mode   =\u003e '0644',\n}\n```\n\nAdvanced usage:\n\n```puppet\nopenssl::dhparam { '/path/to/dhparam.pem':\n  ensure =\u003e 'present',\n  size   =\u003e 2048,\n  owner  =\u003e 'www-data',\n  group  =\u003e 'adm',\n  mode   
=\u003e '0640',\n}\n```\n\n### Create a private key\n\nThe [ssl_pkey](REFERENCE.md#ssl_pkey) type generates SSL private keys.\n\nNote that the private key is not encrypted by default[^1].\n\n[^1]: In every case, not providing a password (or setting it to _undef_, which is the default) means that **the private key won't be encrypted** with any symmetric cipher, so **it is protected by filesystem access mode only**.\n\nSimple usage:\n\n```puppet\nssl_pkey { '/path/to/private.key': }\n```\n\nAdvanced options:\n\n```puppet\nssl_pkey { '/path/to/private.key':\n  ensure   =\u003e 'present',\n  password =\u003e 'j(D$',\n}\n```\n\n### Create a certificate signing request\n\nThe [x509_request](REFERENCE.md#x509_request) type generates SSL certificate signing requests from a private key. You need to deploy an OpenSSL configuration file containing a section for the request engine and reference it in `template`. Configuration files can be managed using the [openssl::config](REFERENCE.md#opensslconfig) defined type.\n\nSimple usage:\n\n```puppet\nx509_request { '/path/to/request.csr': }\n```\n\nAdvanced options (`subscribe` takes a resource reference, so the template file is referenced as `File[...]`):\n\n```puppet\nx509_request { '/path/to/request.csr':\n  ensure      =\u003e 'present',\n  password    =\u003e 'j(D$',\n  template    =\u003e '/other/path/to/template.cnf',\n  private_key =\u003e '/there/is/my/private.key',\n  force       =\u003e false,\n  subscribe   =\u003e File['/other/path/to/template.cnf'],\n}\n```\n\n### Create a certificate\n\nThe [x509_cert](REFERENCE.md#x509_cert) type generates SSL certificates. 
The default provider for this type can create self-signed certificates or use a certification authority - also deployed on the same host - to sign the certificate signing request.\n\nSimple usage:\n\n```puppet\nx509_cert { '/path/to/certificate.crt': }\n```\n\nAdvanced options (`subscribe` takes a resource reference, so the template file is referenced as `File[...]`):\n\n```puppet\nx509_cert { '/path/to/certificate.crt':\n  ensure      =\u003e 'present',\n  password    =\u003e 'j(D$',\n  template    =\u003e '/other/path/to/template.cnf',\n  private_key =\u003e '/there/is/my/private.key',\n  days        =\u003e 4536,\n  force       =\u003e false,\n  subscribe   =\u003e File['/other/path/to/template.cnf'],\n}\n```\n\n### Get a certificate from a remote source\n\nThe [cert_file](REFERENCE.md#cert_file) type controls a file containing a serialized X.509 certificate. It accepts the source in either `PEM` or `DER` format and stores it in the file in the desired serialization format.\n\n```puppet\ncert_file { '/path/to/certs/cacert_root1.pem':\n  ensure =\u003e present,\n  source =\u003e 'http://www.cacert.org/certs/root_X0F.der',\n  format =\u003e pem,\n}\n```\n\nAttributes:\n\n* `path` (namevar): path to the file where the certificate should be stored\n* `ensure`: `present` or `absent`\n* `source`: the URL the certificate should be downloaded from\n* `format`: the storage format for the certificate file (`pem` or `der`)\n\n## Functions\n\n### Accessing the CA issuers URL from a certificate\n\nIf a certificate contains the authorityInfoAccess extension, the [openssl::cert_aia_caissuers](REFERENCE.md#opensslcert_aia_caissuers) function can be used to parse the certificate for the authorityInfoAccess extension and return the URL found as caIssuers, or nil if no URL or extension is found. 
Invoked as a deferred function, this can be used to download the issuer certificate:\n\n```puppet\nfile { '/ssl/certs/caissuer.crt':\n  ensure =\u003e file,\n  source =\u003e Deferred('openssl::cert_aia_caissuers', [\"/etc/ssl/certs/${facts['networking']['fqdn']}.crt\"]),\n}\n```\n\n## Contributing\n\nPlease report bugs and feature requests using the [GitHub issue\ntracker](https://github.com/voxpupuli/puppet-openssl/issues).\n\nFor pull requests, it is very much appreciated if you check your Puppet manifest\nwith [puppet-lint](https://github.com/puppetlabs/puppet-lint) so that it follows the recommended Puppet style guidelines from the\n[Puppet Labs style guide](http://docs.puppetlabs.com/guides/style_guide.html).\n\n## Transfer Notice\n\nThis module was originally authored by [Camptocamp](http://www.camptocamp.com).\nThe maintainer preferred that Puppet Community take ownership of the module for future improvement and maintenance.\nExisting pull requests and issues were transferred over; please fork and continue to contribute here instead of Camptocamp.\n\nPreviously: https://github.com/camptocamp/puppet-openssl\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoxpupuli%2Fpuppet-openssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvoxpupuli%2Fpuppet-openssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoxpupuli%2Fpuppet-openssl/lists"}