# Certificates
This module creates and signs certificates using one of several backends, including Let's Encrypt.
## Parameters
All configuration is placed inside the `certificates` dict.
```
# configuration for each backend; see below for the options each backend accepts
backends:
letsencrypt: *letsencrypt-backend-config*
selfsigned: *selfsigned-backend-config*
# default options applied to every certificate unless overridden in its own config
defaults:
country: "SU"
province: "CYBER"
city: "Cyberspace"
org: "Tyrell Corporation"
mail: "example@example.com"
ou: "cyber"
cn: ~
san: []
# key: certificate name, value: configuration for that certificate; see *certificate-config* below
certs: *certificate-config*
```
**certificate-config:**
Every setting given here overrides the corresponding value from `defaults` for this certificate only.
```
# Country (string)
country: "SU"
# Province (string)
province: "CYBER"
# City (string)
city: "Cyberspace"
# Organisation (string)
org: "Tyrell Corporation"
# Email address (string)
mail: "example@example.com"
# Organizational unit name (string)
ou: "cyber"
# Common name (string); if left as None (`~`), the first entry of `san` is used instead
cn: ~
# Subject alternative names (list of strings)
san: []
# Services to restart when this certificate changes
depending_services: []
# Backend to use; one of 'selfsigned' or 'letsencrypt'
backend: 'selfsigned'
# Override individual settings of the selected backend for this certificate only
backend_override: {}
```
### Backends
#### Letsencrypt
*letsencrypt-backend-config*
```
# Renew the certificate once fewer than this many days of validity remain
remainingdays: 28
# Challenge type to use (note the key below is spelled `challange`); one of:
# 'dns-01': use the DNS challenge with a custom PowerDNS backend
# 'dns-01-manual': use the DNS challenge and set the DNS record manually
# 'http-01': use the HTTP challenge and deploy the challenge files to a web server
challange: dns-01
# Servers to deploy a challenge to
challangeserver: []
```
#### Selfsigned
## Paths
Certificates and their related files are stored at fixed locations:
* key: `/etc/ssl/private/<certname>.key`
* certificate: `/etc/ssl/<certname>.crt`
* CSR: `/etc/ssl/<certname>.csr`
* chain: `/etc/ssl/<certname>.chain.crt`
* key, certificate and chain combined (this file includes the private key): `/etc/ssl/private/<certname>.complete.pem`