First, you need to configure the master file. This is because all module functions require either a configured api_key (for Cloud) or a tpp_user with a tpp_password and a base_url (for Trust Platform).
For Venafi Cloud:
venafi:
  api_key: abcdef01-2345-6789-abcd-ef0123456789
  base_url: "https://cloud.venafi.example.com/"   # optional
If you don't have a Venafi Cloud account, you can sign up for one on the enrollment page.
For Venafi Platform:
venafi:
  base_url: "https://tpp.example.com/"
  tpp_user: admin
  tpp_password: "Str0ngPa$$w0rd"
  trust_bundle: "/opt/venafi/bundle.pem"
It is not common for the Venafi Platform's REST API (WebSDK) to be secured using a certificate issued by a publicly trusted CA, so establishing trust for that server certificate is a critical part of your configuration. Ideally this is done by obtaining the root CA certificate of the issuing chain in PEM format and copying that file to your Salt Master (e.g. /opt/venafi/bundle.pem). You then reference that file using the 'trust_bundle' parameter as shown above.
For the Venafi module to create keys and certificates it is necessary to enable external pillars. This is done by adding the following to the /etc/salt/master file:
ext_pillar:
  - venafi: True
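As an added example that is not part of the Salt documentation or the Venafi module, the following Python check walks an already-parsed master config (a dict, e.g. from PyYAML) against the requirements stated above: a complete credential set, an https base_url, a trust_bundle that exists on the master, and the venafi ext_pillar entry. The function names and the injectable path_exists parameter are my own.

```python
import os
from urllib.parse import urlparse

# The Platform credential set; Cloud needs only api_key.
TPP_KEYS = ("base_url", "tpp_user", "tpp_password")


def detect_backend(venafi):
    """Return 'cloud', 'tpp' or None for a parsed ``venafi:`` section."""
    if venafi.get("api_key"):
        return "cloud"
    if all(venafi.get(k) for k in TPP_KEYS):
        return "tpp"
    return None


def ext_pillar_enabled(master_cfg):
    """True when ``ext_pillar`` carries a ``venafi`` entry."""
    return any(isinstance(e, dict) and "venafi" in e
               for e in master_cfg.get("ext_pillar") or [])


def check_master_config(master_cfg, path_exists=os.path.isfile):
    """Return a list of problems; empty means the config is usable.
    path_exists is injectable (hypothetical parameter) so the check can
    run on a machine that has no bundle file at the configured path."""
    venafi = master_cfg.get("venafi") or {}
    problems = []
    backend = detect_backend(venafi)
    if backend is None:
        problems.append("venafi: need api_key (Cloud) or base_url, "
                        "tpp_user and tpp_password (Platform)")
    url = venafi.get("base_url")
    if url and urlparse(url).scheme != "https":
        problems.append("venafi: base_url must be https, credentials "
                        "are sent to it")
    if backend == "tpp":
        bundle = venafi.get("trust_bundle")
        if not bundle:
            problems.append("venafi: trust_bundle missing, the TPP server "
                            "certificate cannot be verified")
        elif not path_exists(bundle):
            problems.append("venafi: trust_bundle %s not found on master"
                            % bundle)
    if not ext_pillar_enabled(master_cfg):
        problems.append("ext_pillar: '- venafi: True' missing, minions "
                        "will not receive certificates via pillar")
    return problems
```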
This command is used to enroll a certificate from Venafi Cloud or Venafi Platform.
Parameters:
  minion_id
  dns_name (required if csr_path is not specified)
  csr_path (required if dns_name is not specified)
  zone
  org_unit
  org
  loc
  state
  country
  key_password
The syntax for requesting a new certificate with private key generation looks like this:
salt-run venafi.request minion.example.com dns_name=www.example.com \
country=US state=California loc=Sacramento org="Company Name" org_unit=DevOps \
zone=Internet key_password=SecretSauce
And the syntax for requesting a new certificate using a previously generated CSR looks like this:
salt-run venafi.request minion.example.com csr_path=/tmp/minion.req zone=Internet
This command is used to show the last issued certificate for a domain. Parameter: dns_name
salt-run venafi.show_cert www.example.com
This command lists domains that have been cached on this Salt Master.
salt-run venafi.list_domain_cache
This command deletes a domain from the Salt Master's cache. Parameter: domains
salt-run venafi.del_cached_domain www.example.com
To transfer a cached certificate to a minion, you can use the Venafi external pillar.
Example state (SLS) file:
/etc/ssl/cert/www.example.com.crt:
  file.managed:
    - contents_pillar: venafi:www.example.com:cert
    - replace: True
/etc/ssl/cert/www.example.com.key:
  file.managed:
    - contents_pillar: venafi:www.example.com:pkey
    - replace: True
/etc/ssl/cert/www.example.com-chain.pem:
  file.managed:
    - contents_pillar: venafi:www.example.com:chain
    - replace: True