vault_pki

Manage the Vault PKI secret engine and Vault-issued X.509 certificates.

Added in version 1.1.0.

Important

This module requires the general Vault setup.

saltext.vault.states.vault_pki.certificate_managed(name, common_name, role_name, private_key, mount='pki', ttl='720h', ttl_remaining='168h', issuer_ref=None, encoding='pem', append_ca_chain=False, sign_verbatim=False, private_key_passphrase=None, reissue=False, **kwargs)

Ensure an X.509 certificate is present as specified.

Note

The state can use Vault's sign-verbatim endpoint, in which case the CSR subject is carried over in full. Otherwise everything in the CSR subject except the CN is ignored. See this issue for more information.

Required policy (`{mount}`, `{issuer_ref}` and `{role_name}` are placeholders for the values passed to the state):

# Need to read the role configuration in case of missing issuer_ref
path "{mount}/roles/*" {
    capabilities = ["read"]
}

path "{mount}/issuer/{issuer_ref}/sign/{role_name}" {
    capabilities = ["update"]
}
# in case of sign_verbatim
path "{mount}/issuer/{issuer_ref}/sign-verbatim/{role_name}" {
    capabilities = ["update"]
}

name

Path to the certificate file.

common_name

Common name to be set for the certificate.

role_name

PKI role to be used for issuing the certificate from Vault.

private_key

Path to, or PEM-encoded text of, the private key used to sign the CSR for the certificate. Passing the key as text embeds the key material in the rendered state data; a path is usually preferable.

mount

The mount path the PKI backend is mounted to. Defaults to pki.

ttl

Specifies the Time To Live value to be used for the validity period of the requested certificate, provided as a string duration with time suffix. Hour is the largest suffix. Defaults to 720h or 30 days.

ttl_remaining

Remaining validity period below which the certificate is reissued, provided as a string duration with time suffix. Hour is the largest suffix. When the existing certificate expires in less than this duration, a new one is requested on the next state run, so it should be longer than the interval between runs. Defaults to 168h or 7 days.

issuer_ref

Override role’s issuer for the certificate. Defaults to the one specified in the role.

encoding

Encoding to be used for the certificate file. Valid options are pem, pkcs7_pem, der, pkcs7_der. Defaults to pem.

append_ca_chain

If set to true, the CA chain is appended to the certificate file after the leaf certificate. Defaults to false.

Note

This appends all CA certificates except self-signed ones, as a self-signed root should not be part of the served chain anyway.

sign_verbatim

If set to true, the resulting certificate follows the CSR exactly. Otherwise, only CN can be set for the subject, any other subject parameters (like O) are ignored.

Warning

This option uses a potentially dangerous endpoint: the CSR is signed as presented, so the role no longer restricts what can be issued. Use it only with roles and policies you trust for that purpose.

private_key_passphrase

Password for the private key if encrypted.

reissue

Reissue the certificate on every run, regardless of its remaining validity. Defaults to false.

kwargs

Any other parameter accepted by the file.managed state (for the written file) or by the vault_pki.sign_certificate execution module function (for the signing request).
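An added usage example (not from the saltext.vault documentation) that ties the parameters above together: it keeps a server certificate for web01.example.com under /etc/ssl/certs, renews it well before expiry, and bundles the intermediate chain. The mount name pki_int, the role web-servers, the hostname and the file paths are assumptions; the private key is assumed to already exist on the minion and the minion's Vault policy is assumed to grant the capabilities listed above.

```yaml
# Added example; not part of the saltext.vault project.
# Assumptions: PKI engine mounted at pki_int, a role "web-servers" on it,
# and /etc/ssl/private/web01.key already present (managed elsewhere).

/etc/ssl/certs/web01.crt:
  vault_pki.certificate_managed:
    - common_name: web01.example.com
    - role_name: web-servers
    - mount: pki_int
    # A path keeps the key material out of the rendered state data.
    - private_key: /etc/ssl/private/web01.key
    # 7-day certificates, reissued once fewer than 2 days remain.
    # With a daily highstate this always renews before expiry; ttl_remaining
    # must be longer than the gap between state runs.
    - ttl: 168h
    - ttl_remaining: 48h
    # Append the intermediate CA(s) so TLS servers present a full chain;
    # the self-signed root is not included.
    - append_ca_chain: true
    # sign_verbatim stays at its default (false): the role, not the CSR,
    # decides what may be issued.
    - sign_verbatim: false
    # Remaining kwargs go to file.managed for the written certificate.
    - user: root
    - group: root
    - mode: '0644'
```

The certificate file is public data, so 0644 is appropriate; the private key referenced by `private_key` should be protected separately by whatever state created it.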

saltext.vault.states.vault_pki.role_managed(name, mount='pki', issuer_ref=None, ttl=None, max_ttl=None, **kwargs)

Ensures PKI role is present and configured as required.

name

The name of the role.

mount

The mount path the PKI backend is mounted to. Defaults to pki.

issuer_ref

Issuer reference for the role. Can be name, id or literal default.

ttl

Specifies the Time To Live value to be used for the validity period of the requested certificate, provided as a string duration with time suffix. Hour is the largest suffix. The value specified is strictly used for future validity. If not set, uses the system default value or the value of max_ttl, whichever is shorter.

max_ttl

Specifies the maximum Time To Live provided as a string duration with time suffix. Hour is the largest suffix. If not set, defaults to the system maximum lease TTL.

kwargs

Any other parameter accepted by the vault_pki.write_role execution module function or by Vault's PKI create/update role API endpoint.

saltext.vault.states.vault_pki.role_absent(name, mount='pki')

Ensure PKI role is absent.

name

The name of the role.

mount

The mount path the PKI backend is mounted to. Defaults to pki.
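An added example (not from the saltext.vault documentation) covering both role_managed and role_absent: it defines a tightly scoped server-certificate role and removes a retired one. The mount pki_int, the issuer name int-ca-2024, the role names and the domain are assumptions. The parameters other than name, mount, issuer_ref, ttl and max_ttl are forwarded as kwargs, so their names are those of Vault's own PKI role API.

```yaml
# Added example; not part of the saltext.vault project.
# Assumptions: PKI engine mounted at pki_int with an issuer named int-ca-2024.

web-servers:
  vault_pki.role_managed:
    - mount: pki_int
    - issuer_ref: int-ca-2024
    # Default validity when the requester passes no ttl, and the hard cap.
    - ttl: 168h
    - max_ttl: 720h
    # Only hostnames under example.com; no bare domain, no globs,
    # no arbitrary names, no IP SANs. (Vault role parameter names.)
    - allowed_domains:
      - example.com
    - allow_subdomains: true
    - allow_bare_domains: false
    - allow_glob_domains: false
    - allow_any_name: false
    - allow_ip_sans: false
    - enforce_hostnames: true
    # Server authentication only; this role cannot mint client certificates.
    - server_flag: true
    - client_flag: false
    # Require the CSR key to match the role's key policy.
    - key_type: ec
    - key_bits: 256
    - key_usage:
      - DigitalSignature

# Retire an old role so its (looser) settings can no longer be used to issue.
legacy-web-role:
  vault_pki.role_absent:
    - mount: pki_int
```

Keeping allow_any_name and allow_ip_sans off, and client_flag false, means a compromised minion holding this role's sign capability can only obtain server certificates for names under example.com; sign_verbatim on the certificate state would bypass exactly these restrictions, which is why the policy for that endpoint should be granted sparingly.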