X509 Improvements. Expose setting permissions, encrypted private keys, and combined key and cert management in one state #38664

merged 10 commits into from Jan 17, 2017


None yet

2 participants

clinta commented Jan 10, 2017 edited

X509 permissions, private key encryption and unified cert/key management

What issues does this PR fix or reference?


Previous Behavior

The x509 module handled writing files on its own, which required users who want to set custom permissions to add an additional file.managed state to the file.

Private keys and certificates were only exposed as two separate states, so to manage a certificate with a rotating private key a complicated series of requisites was required.

There was no functionality to generate passphrase encrypted private keys.

New Behavior

The x509 state now takes advantage of cross calling the file.managed state and passes along arguments that would be useful to that state. This allows setting mode, user, and group right in the x509 state.

There is a new managed_private_key option in the certificate.managed state which allows managing a private key and cert together, even in the same file if desired. Additionally, there is a new append_certs option which allows appending intermediate certificates to a managed certificate.

A new passphrase option is exposed for generating and managing encrypted private keys.

Tests written?
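
An added example (not part of the PR or of the Salt documentation) of one state that combines the options described above. Paths, subject fields and the pillar key are constructed placeholders, and it assumes that managed_private_key accepts the same arguments as x509.private_key_managed.

```yaml
# Added example, not from the PR: a single certificate.managed state using
# the options this PR introduces. Paths, CN and the pillar key are constructed.
/etc/pki/www.example.com.crt:
  x509.certificate_managed:
    # Subject and signing configuration (options that already existed).
    - CN: www.example.com
    - signing_private_key: /etc/pki/ca.key
    - signing_cert: /etc/pki/ca.crt
    - days_valid: 365
    - days_remaining: 30
    # New: file.managed arguments are forwarded, so ownership and mode are
    # set here instead of in a separate file.managed state. Quote the mode
    # so YAML does not parse it as an integer.
    - user: root
    - group: www-data
    - mode: "0640"
    # New: the private key is generated and rotated together with the
    # certificate (assumed to take x509.private_key_managed's arguments).
    # Using the certificate's own path here would put key and cert in one file.
    - managed_private_key:
        name: /etc/pki/www.example.com.key
        bits: 2048
        # New: passphrase-encrypt the key on disk. Read the passphrase from
        # pillar (constructed key name) rather than writing it in the state.
        passphrase: {{ salt['pillar.get']('pki:www_key_passphrase') }}
    # New: append the intermediate CA so the managed file is a full chain.
    - append_certs:
      - /etc/pki/intermediate.crt
```

Because the key is managed by the certificate state, a key rotation regenerates the certificate in the same run, so no cross-state requisites are needed for that case.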


clinta added some commits Jan 9, 2017
@clinta clinta cross call file.managed to get permissions options
@clinta clinta combine private key and cert management d0ad251
@clinta clinta preserve detailed change reports a4d6598
@clinta clinta add passphrase to execution module e47a93d
@clinta clinta expose passphrase functionality to state 9a0abde
@clinta clinta change documentation c861324
@clinta clinta pep8
@clinta clinta bug fixes

Go Go Jenkins!

return ret
def certificate_managed(name,
- backup=False,
+ managed_private_key=None,
+ append_certs=[],
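Review bot: dropping the explicit `backup=False` parameter from `certificate_managed` changes the public signature; existing states that pass `backup:` will only keep working if it is now forwarded to `file.managed` through kwargs, so the docstring for this function should state that `backup` and the other `file.managed` arguments (mode, user, group) are still accepted and where they are handled.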
cachedout Jan 15, 2017 Contributor

We can't have a mutable type as a default argument. Could we change this to None and then modify it inside the function if necessary?

@@ -163,6 +160,7 @@
import os
import re
import copy
+import inspect
cachedout Jan 15, 2017 Contributor

This is unused and should be removed.

clinta added some commits Jan 16, 2017
@clinta clinta No mutable default args, remove unneeded import
@clinta clinta pep8
@cachedout cachedout merged commit 6663107 into saltstack:2016.11 Jan 17, 2017

6 checks passed

default Pull Requests » Salt PR - Main Build #92
jenkins/PR/salt-pr-clone Pull Requests » Salt PR - Clone #8006 — SUCCESS
jenkins/PR/salt-pr-docs-n Pull Requests » salt-pr-docs-n #3297 — SUCCESS
jenkins/PR/salt-pr-linode-ubuntu14-n Pull Requests » Salt Linode Ubuntu14.04 #7672 — SUCCESS
jenkins/PR/salt-pr-lint-n Pull Requests » Salt PR - Code Lint #7823 — SUCCESS
jenkins/PR/salt-pr-rs-cent7-n Pull Requests » Salt PR - RS CentOS 7 #7970 — SUCCESS
@clinta clinta deleted the clinta:x509-passphrase2 branch Jan 17, 2017