cd_tls | Parameters

Main Parameters:

  • pkg_ensure (string) (defaults to: 'latest')

    Specify which package type to use.

  • tls_root_ca (string) (defaults to: "root_ca.${::domainname}")

    FQDN of the root ca. Must not be a CNAME.

  • tls_use_int_ca (boolean) (defaults to: true)

    Whether or not to use an intermediate CA. Recommended.

  • tls_int_ca (string) (defaults to: "intermed_ca.${::domainname}")

    FQDN of the intermediate CA. Must not be a CNAME. Active only if tls_use_int_ca is set to true.

  • tls_enable_gnutls (boolean) (defaults to: false)

    Whether or not to manage gnutls.

  • tls_gnutls_ca (string) (defaults to: "gnutls_ca.${::domainname}")

    The FQDN of the gnutls CA. Must not be a CNAME.

  • tls_root_ca_dir (string) (defaults to: '/root/ca')

    The main working directory for the CA.

  • tls_seltype (string) (defaults to: 'admin_home_t')

    The SELinux type context for the main working directory. May have to be adjusted if you choose a different working path.

  • tls_seluser (string) (defaults to: 'unconfined_u')

    The SELinux user context for the main working directory. May have to be adjusted if you choose a different working path.

  • tls_gnutls_ca_dir (string) (defaults to: '/root/gnutls')

    The main working area for the gnutls CA.

  • tls_use_revocation (boolean) (defaults to: true)

    Whether or not to use certificate revocation lists (CRL). => ToDo.

  • tls_manage_transport (boolean) (defaults to: false)

    Whether or not to move created keys and certs automatically to the target hosts. Recommended. Requires setting up an SSH key on the CA and adding the public key to the authorized_keys file of a sudo user on the target host (out of scope for this module).

  • tls_revocation_type (string) (defaults to: 'crl')

    Specify how revocations are managed. Valid options are crl and ocsp (lowercase required).

  • tls_crl_url (string) (defaults to: "https://crl.${::domain}")

    The URI for the certificate revocation list. Only active if tls_revocation_type is set to crl.

  • tls_ocsp_url (string) (defaults to: "https://ocsp.${::domainname}")

    The URI of the OCSP responder. Only active if tls_revocation_type is set to ocsp.

  • tls_serial_start (string) (defaults to: '1000')

    The start number for the serial index. openssl increments this number for every issued certificate.

  • tls_default_ca (string) (defaults to: 'CA_default')

    Template variable in openssl.conf

  • tls_root_crl_days (string) (defaults to: '30')

    Template variable in openssl.conf. The default validity (in days) of issued CRLs. This is also going to be used to automate CRL issuing. => ToDo

  • tls_root_md (string) (defaults to: 'sha256')

    Template variable for openssl.conf. Defines which message digest (md) algorithm is used for signing.

  • tls_root_string_mask (string) (defaults to: 'utf8only')

    Template variable for openssl.conf

  • tls_root_key_bits (string) (defaults to: '4096')

    Template variable for openssl.conf. Defines the strength (in bits) of the CA key. Should always be 4096 or higher.

  • tls_root_key_days (string) (defaults to: '7300')

    Template variable for openssl.conf. Defines how long (in days) the root CA certificate itself is valid.

  • tls_ca_subj_c (string) (defaults to: undef)

    Template variable for openssl.conf. Defines the Country Name. Must be a 2-letter code, e.g. US, IE.

  • tls_ca_subj_st (string) (defaults to: undef)

    Template variable for openssl.conf. Defines the State or Province Name, e.g. California, Leinster.

  • tls_ca_subj_l (string) (defaults to: undef)

    Template variable for openssl.conf. Defines the Locality Name, e.g. Mountain View, Dublin.

  • tls_ca_subj_o (string) (defaults to: undef)

    Template variable for openssl.conf. Defines the Organization Name, e.g. Example Ltd.

  • tls_ca_subj_ou (string) (defaults to: undef)

    Template variable for openssl.conf. Defines the Organizational Unit Name, e.g. Example Ltd Certificate Authority.

  • tls_ca_subj_cn (string) (defaults to: undef)

    Template variable for openssl.conf. Defines the Common Name for the root CA, e.g. root_ca.example.net.

  • tls_intermed_subj_cn (string) (defaults to: undef)

    Template variable for openssl.conf. Defines the Common Name for the intermediate CA, e.g. intermed_ca.example.net. Must differ from tls_ca_subj_cn, which the root CA uses when signing the intermediate CA.

  • tls_root_key_name (string) (defaults to: 'ca.key.pem')

    Naming convention for the root key.

  • tls_root_cert_name (string) (defaults to: 'ca.crt.pem')

    Naming convention for the root cert.

  • tls_root_crl_key (string) (defaults to: 'ca.crl.pem')

    Naming convention for the root CRL.

  • tls_intermed_ca_days (string) (defaults to: '3650')

    Template variable for openssl.conf. Defines how long (in days) the certificate for the intermediate CA is valid.

  • tls_int_key_name (string) (defaults to: 'intermediate.key.pem')

    Naming convention for the intermediate CA key.

  • tls_int_csr_name (string) (defaults to: 'intermediate.csr.pem')

    Naming convention for the intermediate CA certificate signing request (CSR).

  • tls_int_cert_name (string) (defaults to: 'intermediate.crt.pem')

    Naming convention for the intermediate CA certificate.

  • tls_int_crl_key (string) (defaults to: 'intermediate.crl.pem')

    Naming convention for the intermediate CA certificate revocation list (CRL).

  • tls_chain_crt_name (string) (defaults to: 'ca-chain.crt.pem')

    Naming convention for the CA certificate chain file.

  • tls_gnutls_dir (string) (defaults to: 'gnutls')

    The working directory for the GnuTLS CA.

  • tls_gnutls_ca_key (string) (defaults to: 'gnutls-ca-key.pem')

    Naming convention for the GnuTLS CA key.

  • tls_gnutls_ca_cert (string) (defaults to: 'gnutls-ca-cert.pem')

    Naming convention for the GnuTLS CA cert.

  • tls_gnutls_subj_o (string) (defaults to: 'example.net')

    Template variable, Organization Name for GnuTLS, e.g. Example Ltd.

  • tls_gnutls_subj_ou (string) (defaults to: 'example.dept')

    Template variable, Organizational Unit Name for GnuTLS, e.g. Example Ltd GnuTLS certificate authority.

  • tls_gnutls_subj_l (string) (defaults to: 'example.locality')

    Template variable, Locality Name for GnuTLS, e.g. Mountain View.

  • tls_gnutls_subj_st (string) (defaults to: 'example.state')

    Template variable, State or Province Name for GnuTLS, e.g. California.

  • tls_gnutls_subj_c (string) (defaults to: 'IE')

    Template variable, Country Name for GnuTLS, e.g. US.

  • tls_gnutls_subj_cn (string) (defaults to: 'example')

    Template variable, Common Name for GnuTLS. Should be the hostname, not the FQDN, e.g. example.

  • tls_gnutls_uid (string) (defaults to: 'root')

    Template variable. UID for the certificate owner, e.g. root.

  • tls_gnutls_email (string) (defaults to: 'none@none.org')

    Template variable. Email address, used when a user certificate is issued.

  • tls_gnutls_serial (string) (defaults to: '001')

    Start serial number for CA processing.

  • tls_gnutls_expiration (string) (defaults to: '7300')

    How long (in days) the GnuTLS CA will be valid.

  • tls_gnutls_sign_key (string) (defaults to: '# signing_key')

    Template variable. Whether or not the

  • tls_gnutls_enc_key (string) (defaults to: '# encryption_key')

    Template variable. Whether or not the key is used to encrypt data. If starting with '#', the key will be ignored in the template.

  • tls_gnutls_cert_key (string) (defaults to: 'cert_signing_key')

    Template variable. Whether or not the key is used to sign certificates. If starting with '#', the key will be ignored in the template.

  • tls_gnutls_crl_key (string) (defaults to: 'crl_signing_key')

    Template variable. Whether or not the key is used to sign CRLs. If starting with '#', the key will be ignored in the template.

  • tls_gnutls_agreement (string) (defaults to: '# key_agreement')

    Template variable for the keyAgreement flag of RFC 5280. Usually not required. If starting with '#', the key will be ignored in the template.

  • tls_gnutls_encipher (string) (defaults to: '# data_encipherment')

    Template variable for the dataEncipherment flag of RFC 5280. If starting with '#', the key will be ignored in the template.

  • tls_gnutls_non_repud (string) (defaults to: '# non_repudiation')

    Template variable for the nonRepudiation flag of RFC 5280. If starting with '#', the key will be ignored in the template.

  • tls_gnutls_crl_url (string) (defaults to: 'www.example.net/getcrl')

    Template variable for the CRL URI.

Defined Parameters:

TLS Defines:

    • tls_client_bits (string) (defaults to: '2048')

      Specify the strength (in bits) of the client key.

    • tls_client_days (string) (defaults to: '1095')

      Specify how long (in days) the client certificate should be valid.

    • tls_client_cn (string) (defaults to: $::fqdn)

      Specify the client Common Name. Derived from the fact holding the host FQDN.

    • tls_client_subj_c (string) (defaults to: 'IE')

      Specify the client Country Name.

    • tls_client_subj_st (string) (defaults to: 'Leinster')

      Specify the client State or Province Name.

    • tls_client_subj_l (string) (defaults to: 'Dublin')

      Specify the client Locality Name.

    • tls_client_subj_o (string) (defaults to: 'example ltd')

      Specify the client Organization Name.

    • tls_client_subj_ou (string) (defaults to: 'IT')

      Specify the client Organizational Unit Name.

    • tls_client_email (string) (defaults to: "root@${tls_client_cn}")

      Specify the relevant email address.

    • tls_extension (string) (defaults to: 'server_cert')

      Specify the certificate extension, e.g. server_cert for host certificates or user_cert for user certificates.

    • tls_transfer_keys (boolean) (defaults to: undef)

      Whether or not to transfer processed keys and certs to target hosts. Does not apply to user certificates. Requires transport to be set up.

    • tls_transport_user (string) (defaults to: 'root')

      Specify the transport user holding a copy of the public transport_key* in the authorized_keys file. Only active if tls_transfer_keys is set to true.

    • tls_transport_key (string) (defaults to: 'transport')

      Specify the location and name of the private SSH key for the transport setup. Only active if tls_transfer_keys is set to true.

GnuTLS Defines:

      • tls_client_bits (string) (defaults to: '2048')

        Specify the strength (in bits) of the client key.

      • tls_client_days (string) (defaults to: '1095')

        Specify how long (in days) the certificate should be valid.

      • tls_client_subj_cn (string) (defaults to: $::fqdn)

        Specify the client Common Name.

      • tls_client_subj_c (string) (defaults to: 'IE')

        Specify the client Country.

      • tls_client_subj_st (string) (defaults to: 'Leinster')

        Specify the client State or Province.

      • tls_client_subj_l (string) (defaults to: 'Dublin')

        Specify the client Locality.

      • tls_client_subj_o (string) (defaults to: 'example ltd')

        Specify the client Organization.

      • tls_client_subj_ou (string) (defaults to: 'IT')

        Specify the client Organizational Unit.

      • tls_client_email (string) (defaults to: "root@${tls_client_cn}")

        Specify the relevant client email address.

      • tls_client_uid (string) (defaults to: 'root')

        Specify the uid (name) of the certificate owner, e.g. root.

      • tls_client_serial (string) (defaults to: undef)

        Specify the serial number for the certificate.

      • tls_client_sign_key (string) (defaults to: 'signing_key')

        Default usually suffices.

      • tls_client_enc_key (string) (defaults to: 'encryption_key')

        Default usually suffices.

      • tls_client_cert_key (string) (defaults to: '# cert_signing_key')

        Default usually suffices.

      • tls_client_crl_key (string) (defaults to: '# crl_signing_key')

        Default usually suffices.

      • tls_client_key_agree (string) (defaults to: '# key_agreement')

        Default usually suffices.

      • tls_client_dt_ciph (string) (defaults to: '# data_encipherment')

        Default usually suffices.

      • tls_client_non_rep (string) (defaults to: '# non_repudiation')

        Default usually suffices.

      • tls_client_tls (string) (defaults to: 'tls_www_client')

        Whether this certificate will be used for a TLS client. Default usually suffices.

      • tls_server_tls (string) (defaults to: 'tls_www_server')

        Whether this certificate will be used for a TLS server. Default usually suffices.

      • tls_code_signing (string) (defaults to: '# code_signing_key')

        Default usually suffices.

      • tls_ocsp_signing (string) (defaults to: '# ocsp_signing_key')

        Default usually suffices.

      • tls_time_stamping (string) (defaults to: '# time_stamping_key')

        Default usually suffices

      • tls_email_protection (string) (defaults to: '# email_protection_key')

        Default usually suffices

      • tls_ipsec_ike_ops (string) (defaults to: '# tls_ipsec_ike_ops')

        Default usually suffices

      • tls_honor_requests (string) (defaults to: '# honor_crq_extensions')

        Default usually suffices

      • tls_path_lenghts (string) (defaults to: '# path_len = 2')

        Default usually suffices

      • tls_ocsp_uri (string) (defaults to: '# ocsp_uri = http://my.ocsp.server/ocsp')

        Specify a URI for presenting revocation status via OCSP.

      • tls_ca_issuer_uri (string) (defaults to: '# ca_issuers_uri = http://my.ca.issuer')

        Specify a URI for CA issuers.

      • tls_policy_url (string) (defaults to: '# policy1_url = http://www.example.com/policy')

        Specify a URL for policies.

      • tls_transfer_keys (boolean) (defaults to: false)

        Whether or not to automatically transfer keys and certs to target hosts. Requires SSH keys to be set up properly.

      • tls_transport_user (string) (defaults to: 'root')

        Specify a sudo user holding a copy of the public transport key in the authorized_keys file. Only active if tls_transfer_keys is set to true.

      • tls_transport_key (string) (defaults to: 'transport')

        Specify the location and name of the private transport key to be used. Only active if tls_transfer_keys is set to true.
