# Certificates

This module creates and signs certificates using multiple backends, including Let's Encrypt.

## Parameters

All configuration is to be placed inside the `certificates` dict.

```
# configuration for all backends, see below for the options of each backend
backends:
  letsencrypt: *letsencrypt-backend-config*
  selfsigned: *selfsigned-backend-config*

# default options for certificates
defaults:
  country: "SU"
  province: "CYBER"
  city: "Cyberspace"
  org: "Tyrell Corporation"
  mail: "example@example.com"
  ou: "cyber"
  cn: ~
  san: []

# key: certificate name, value: config for that certificate, see below for the definition
certs:
  *certificate-config*
```

**certificate-config:**

All settings here overwrite the default setting for a single certificate.

```
# Country (string)
country: "SU"
# Province (string)
province: "CYBER"
# City (string)
city: "Cyberspace"
# Organisation (string)
org: "Tyrell Corporation"
# Mail address (string)
mail: "example@example.com"
# Organizational unit name (string)
ou: "cyber"
# Common name (string), set to the first SAN if left at None
cn: ~
# Subject alternative names (list of strings)
san: []
# Services to restart if this certificate changes
depending_services: []
# Which backend to use, can be 'selfsigned' or 'letsencrypt'
backend: 'selfsigned'
# Overwrite backend settings for this certificate only
backend_override: {}
```

### Backends

#### Letsencrypt

*letsencrypt-backend-config*

Note that the keys are spelled `challange` and `challangeserver` in the configuration; use these spellings in your pillar, not the corrected English.

```
# days of validity left on a certificate before it is renewed
remainingdays: 28
# challenge type to use, can be:
#   'dns-01': use the DNS challenge with a custom PowerDNS backend
#   'dns-01-manual': use the DNS challenge and set the DNS record manually
#   'http-01': use the HTTP challenge and deploy the challenges to a webserver
challange: dns-01
# servers to deploy a challenge to
challangeserver: []
```

#### Selfsigned

*selfsigned-backend-config*

```
# how long the certificate should be valid
not_after: "+3650d"
```

## Paths

Certificates are stored at fixed locations below `/etc/ssl`. The private key and the combined file live under `/etc/ssl/private`, which must not be world-readable:

* key: `/etc/ssl/private/.key`
* certificate: `/etc/ssl/.crt`
* CSR: `/etc/ssl/.csr`
* chain: `/etc/ssl/.chain.crt`
* key, certificate and chain combined: `/etc/ssl/private/.complete.pem`
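The merge rules described under Parameters (per-certificate keys overwrite `defaults`, `cn` falls back to the first SAN, `backend_override` is layered on the selected backend's global settings) and the `remainingdays` renewal rule are easy to get wrong when writing a pillar by hand. The following is an added example, not the module's own code: it resolves the effective settings for each entry of a constructed `certificates` dict and evaluates the renewal threshold. The function names, the sample certificate names `www` and `internal`, and the `ValueError` behaviour for a certificate with neither `cn` nor `san` are assumptions made here for illustration.

```python
"""Resolve effective certificate settings from a `certificates` pillar.

Added example; the function names and the error handling are assumptions,
not the module's API.  The pillar below is constructed to match the
layout documented in the README.
"""
import copy
import re

# Constructed sample pillar (not from a real deployment).
PILLAR = {
    "certificates": {
        "backends": {
            "letsencrypt": {
                "remainingdays": 28,
                "challange": "dns-01",        # key spelling as used by the module
                "challangeserver": [],
            },
            "selfsigned": {"not_after": "+3650d"},
        },
        "defaults": {
            "country": "SU", "province": "CYBER", "city": "Cyberspace",
            "org": "Tyrell Corporation", "mail": "example@example.com",
            "ou": "cyber", "cn": None, "san": [],
        },
        "certs": {
            # cn left unset: must fall back to the first SAN
            "www": {
                "san": ["www.example.com", "example.com"],
                "backend": "letsencrypt",
                "backend_override": {"challange": "http-01",
                                     "challangeserver": ["web1"]},
                "depending_services": ["nginx"],
            },
            # no backend given: the documented default is 'selfsigned'
            "internal": {"cn": "internal.example.com",
                         "san": ["internal.example.com"]},
        },
    }
}

SUBJECT_KEYS = ("country", "province", "city", "org", "mail", "ou", "cn", "san")
KNOWN_BACKENDS = ("selfsigned", "letsencrypt")


def resolve_cert(pillar, name):
    """Return the effective configuration of certificate `name`.

    Subject keys from the certificate entry overwrite `defaults`; a missing
    cn becomes the first SAN; `backend_override` is applied on top of a
    deep copy of the global backend settings so the pillar is not mutated.
    """
    conf = pillar["certificates"]
    cert = conf["certs"][name]

    effective = {k: copy.deepcopy(conf["defaults"].get(k)) for k in SUBJECT_KEYS}
    effective.update({k: copy.deepcopy(v) for k, v in cert.items() if k in SUBJECT_KEYS})

    if effective["cn"] is None:
        if not effective["san"]:
            # Assumed behaviour: refuse a certificate with no name at all.
            raise ValueError(f"{name}: cn is unset and san is empty")
        effective["cn"] = effective["san"][0]

    backend = cert.get("backend", "selfsigned")
    if backend not in KNOWN_BACKENDS:
        raise ValueError(f"{name}: unknown backend {backend!r}")
    backend_conf = copy.deepcopy(conf["backends"].get(backend, {}))
    backend_conf.update(cert.get("backend_override", {}))

    effective["backend"] = backend
    effective["backend_config"] = backend_conf
    effective["depending_services"] = list(cert.get("depending_services", []))
    return effective


def parse_relative_days(spec):
    """Parse a '+<n>d' validity spec (the selfsigned not_after form) to days."""
    m = re.fullmatch(r"\+(\d+)d", spec)
    if not m:
        raise ValueError(f"unsupported validity spec {spec!r}")
    return int(m.group(1))


def renewal_due(days_left, remainingdays):
    """True once no more than `remainingdays` days of validity remain."""
    return days_left <= remainingdays


if __name__ == "__main__":
    for cert_name in PILLAR["certificates"]["certs"]:
        print(cert_name, resolve_cert(PILLAR, cert_name))
```

Running the module prints the resolved dict for each certificate, which is a useful sanity check before applying a pillar: it makes visible that `www` picks up `http-01` from its override while keeping the global `remainingdays`, and that `internal` silently lands on the self-signed backend.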