cd_tls | Release Notes


OpenSSL provides all required mechanisms to create TLS private keys, self-signed certificates and certificate requests (.csr) ) to be signed by a root certyificate authority (CA).

cd_tls allows to automate the process of configuring root- and intermediate CAs for TLS and root CAs for GNUTLS. It also automates the process of creating and signing keys, certificate signing requests and certificates. Additionally it allows to automate the process of securely transferring keys and certs to the target hosts.

While it is possible to work entirely off a root CA, it is assumed that intermediate CAs are used, as additional security feature to allow revoking certificates for compromised intermediate CAs.


**__!!! Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previuos confugurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production!!! __**



  • Installation:
    • install required binaries
  • Configuration:
    • root CA (mandatory):
    • strict openssl.conf for root CA
    • directory structure for processing keys and certs
    • intermediate CA (optional, recommended)
    • relaxed openssl.conf for intermediate CA
    • directory structure for processing keys and certs
    • mechanism for securely transferring keys and certs to target hosts.
    • GnuTLS CA ( i.e. for encrypting rsyslog traffic)
  • Processing
    • create keys, CSRs and certs
    • transfer keys and certs to the required hosts (optional)
    • manage CRLs (ToDo)

Repo Structure

Repostruture has been moved to



  • native Puppet deployment: via site.pp or nodes.pp
include cd_tls
  • through Foreman: In order to apply parameters through Foreman, cd_tls::params must be added to the host or hostgroup in question.


The following parameters are required and should be applied through ENC (recommended):

  • $pkg_ensure : Value for the package installation. Defaults to latest. See valid options.
  • $tls_root_ca : FQDN for the root ca. if client fqdn matches, a root ca will be installed. defaults to root_ca.${::domainname}.
  • $tls_use_int_ca : Whether or not to use an intermediate ca in addition to the root ca (recommended). Valid options true and false. Defaults to true.
  • $tls_int_ca : FQDN for the intermediate ca. requires $tls_use_int_ca= true. if client fqdn matches, an intermediate ca will be installed. Defaults to "intermed_ca.${::domainname}"

For a full list of parameters please visit the parameter documentation online

Intermediate Certificates

The concept of using intermediate CAs in addition to root CAs is to add a layer of security, i.e. to allow revoking compromised intermediate CAs. For extra security, teh root CA should be *__offline-- at all times except when signing a csr foran intermediate CA.

This module creates the intermediate key + certificate + ca-chain file on the root ca, but assumes that the transfer to the intermediate ca is done manually, i.e. through copy and paste, scp, rsync etc.


All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.

Known Problems


  • OS: CentOS 6, 7
  • Puppet: 3.x


  • add mechanism for CRL processing


  • Puppet Lint
    • excluded tests:
    • --no-class_inherits_from_params_class-check:relavant only to non-supported outdated puppet versions
    • --no-variable_scope-check: not applicable as we are inheriting parameters from params class. the lint check does not distinguish between facts and inherited parameters.
    • --no-80chars-check: it is not always possible to stay within 80 characters, although typically only occurring on the parameter vault params.pp.
    • --no-arrow_alignment-check: this check leads to actually not having am easily readable arrow alignment, as this checks per block, not per class.
  • Puppet Parser
  • ERB Template Parser

Contact Us

contact Us


ConfDroid as entity is entirely independent from Puppet. We provide custom configuration modules, written for specific purposes and specific environments. The modules are tested and supported only as documented, and require testing in designated environments (i.e. lab or development environments) for parameter tuning etc. before deploying into production environments.


Leave a Reply