2020-04-18 12:27:27 +02:00
defaults added support to restart services and for manual letsencrypt challenge 2020-04-18 12:27:27 +02:00
tasks added support to restart services and for manual letsencrypt challenge 2020-04-18 12:27:27 +02:00
vars added support to restart services and for manual letsencrypt challenge 2020-04-18 12:27:27 +02:00
README.md added support to restart services and for manual letsencrypt challenge 2020-04-18 12:27:27 +02:00

Certificates

This module creates and signs certificates using multiple backends, including Let's Encrypt.

Parameters

All configuration is to be placed inside the certificates dict.

# configuration for all backends; see "Backends" below for each backend's options
backends:
  letsencrypt: *letsencrypt-backend-config*
  selfsigned: *selfsigned-backend-config*

# default options for certificates
defaults:
  country: "SU"
  province: "CYBER"
  city: "Cyberspace"
  org: "Tyrell Corporation"
  mail: "example@example.com"
  ou: "cyber"
  cn: ~
  san: []

# key: certificate name, value: config for that certificate; see certificate-config below
certs: *certificate-config*

certificate-config: All settings here override the corresponding default for that certificate.

# Country (string)
country: "SU"

# Province (string)
province: "CYBER"

# City (string)
city: "Cyberspace"

# Organisation (string)
org: "Tyrell Corporation"

# Mail address (string)
mail: "example@example.com"

# organizational unit name (string)
ou: "cyber"

# common name (string); set to the first SAN if left as None (~)
cn: ~

# subject alt names (list of strings)
san: []

# services to restart if this certificate changes
depending_services: []

Backends

Letsencrypt

letsencrypt-backend-config

# days of validity left on a certificate before it is renewed
remainingdays: 28

# challenge type to use, can be:
# 'dns-01': use the DNS challenge and a custom PowerDNS backend
# 'dns-01-manual': use the DNS challenge and set the DNS record manually
# 'http-01': use the HTTP challenge and deploy the challenges to a webserver
challange: dns-01

# servers to deploy a challenge to
challangeserver: []

Selfsigned

Paths

Certificates are stored at a defined location:

  • key: /etc/ssl/private/<certname>.key
  • certificate: /etc/ssl/<certname>.crt
  • CSR: /etc/ssl/<certname>.csr
  • chain: /etc/ssl/<certname>.chain.crt
  • key, certificate and chain combined: /etc/ssl/private/<certname>.complete.pem
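
A permission audit for the files listed above, as an added example that is not part of this role's code. The function names, the `ssl_root` parameter and the policy (key material at most group-readable, public files not writable by group or others) are assumptions; the demo tree is constructed.

```python
import os
import stat
import tempfile

# Relative paths from the "Paths" list; True marks files that contain the private key.
LAYOUT = {
    "key": ("private/{name}.key", True),
    "certificate": ("{name}.crt", False),
    "CSR": ("{name}.csr", False),
    "chain": ("{name}.chain.crt", False),
    "complete": ("private/{name}.complete.pem", True),
}


def audit_cert_files(certname, ssl_root="/etc/ssl"):
    """Return (path, problem) findings for the files of one certificate."""
    findings = []
    for template, secret in LAYOUT.values():
        path = os.path.join(ssl_root, template.format(name=certname))
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        # Assumed policy: keys at most 0640; public files not group/other-writable.
        if secret and mode & 0o027:
            findings.append((path, "key material too open: mode %04o" % mode))
        elif not secret and mode & 0o022:
            findings.append((path, "writable by group/others: mode %04o" % mode))
    return findings


def demo():
    """Audit a constructed tree: world-readable key, chain file absent."""
    modes = {"private/web.key": 0o644, "web.crt": 0o644, "web.csr": 0o644,
             "private/web.complete.pem": 0o600}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "private"), 0o700)
        for rel, mode in modes.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed placeholder\n")
            os.chmod(path, mode)
        found = audit_cert_files("web", ssl_root=root)
        return [(os.path.relpath(p, root), why) for p, why in found]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Against a real host, call `audit_cert_files("<certname>")` as a user that can traverse /etc/ssl/private; otherwise `os.stat` raises `PermissionError`.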