REFERENCE.md

File metadata and controls

299 lines (180 loc) · 7.39 KB

Reference

Table of Contents

Classes

  • ca_cert: This module manages the shared system-wide truststore.

Defined types

  • ca_cert::ca: Manage a CA certificate in the shared system-wide truststore.

Classes

ca_cert

This module manages the shared system-wide truststore.

Examples

Basic usage

```puppet
class { 'ca_cert': }
```

Purge unmanaged user CAs

```puppet
class { 'ca_cert':
  purge_unmanaged_CAs => true,
}
```

Custom certificate handling

```puppet
class { 'ca_cert':
  update_cmd        => '/usr/bin/c_rehash',
  trusted_cert_dir  => '/var/ssl/certs',
  cert_dir_group    => 'system',
  cert_dir_mode     => '0755',
  ca_file_group     => 'system',
  ca_file_mode      => '0644',
  ca_file_extension => 'pem',
}
```

Parameters

The following parameters are available in the ca_cert class:

update_cmd

Data type: String[1]

Command to be used to update CA certificates. Default provided by Hiera for supported Operating Systems.

trusted_cert_dir

Data type: Stdlib::Absolutepath

Absolute directory path to the folder containing trusted certificates. Default provided by Hiera for supported Operating Systems.

distrusted_cert_dir

Data type: Optional[Stdlib::Absolutepath]

Absolute directory path to the folder containing distrusted certificates. Default provided by Hiera for supported Operating Systems.

Default value: undef

ca_certificates_conf

Data type: Optional[Stdlib::Absolutepath]

Some distros use a configuration file to mark distrusted certificates. Default provided by Hiera for supported Operating Systems.

Default value: undef

install_package

Data type: Boolean

Whether or not this module should install the ca_certificates package. The package contains the system default (typically Mozilla) CA certificates, as well as the tools required for managing other installed CA certificates.

Default value: true

package_ensure

Data type: Stdlib::Ensure::Package

The ensure parameter to pass to the package resource.

Default value: 'installed'

package_name

Data type: String[1]

The name of the package(s) to be installed.

Default value: 'ca-certificates'

cert_dir_group

Data type: String[1]

The POSIX group of the installed trusted certificate directory. This uses the same syntax as Puppet's native file resource's "group" parameter.

Default value: 'root'

cert_dir_mode

Data type: Stdlib::Filemode

The POSIX filesystem permissions of the installed trusted certificate directory. This uses the same syntax as Puppet's native file resource's "mode" parameter.

Default value: '0755'

ca_file_group

Data type: String[1]

The installed CA certificate's POSIX group permissions. This uses the same syntax as Puppet's native file resource's "group" parameter.

Default value: 'root'

ca_file_mode

Data type: Stdlib::Filemode

The installed CA certificate's POSIX filesystem permissions. This uses the same syntax as Puppet's native file resource's "mode" parameter.

Default value: '0644'

ca_file_extension

Data type: String[1]

File extension for the certificate.

Default value: 'crt'

always_update_certs

Data type: Boolean

Run the appropriate update CA certificates command for your operating system on every Puppet run whether it is needed or not.

Default value: false

purge_unmanaged_CAs

Data type: Boolean

When set to true (default: false), user-installed CA certificates (in the appropriate directories) that are not managed by this module will be purged.

Default value: false

ca_certs

Data type: Hash

A hash of CA certificates that should be installed as part of the class declaration.

Default value: {}

Defined types

ca_cert::ca

Manage a CA certificate in the shared system-wide truststore.

Examples

```puppet
ca_cert::ca { 'globalsign_org_intermediate':
  source => 'http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt',
}
```

Parameters

The following parameters are available in the ca_cert::ca defined type:

ensure

Data type: Enum['present', 'absent', 'trusted', 'distrusted']

Whether or not the CA certificate should be present on the system.

  • present/absent are used to manage local (non-default) CAs.
  • trusted/distrusted are used to manage system CAs.

Default value: 'present'

allow_insecure_source

Data type: Boolean

Whether or not to allow an insecure download of the source.

Default value: false

source

Data type: Optional[String[1]]

A source certificate, which will be copied into place on the local system. This attribute is mutually exclusive with content. For supported URI schemes, see puppet-archive.

Default value: undef

content

Data type: Optional[String[1]]

PEM-formatted certificate content. This attribute is mutually exclusive with source.

Default value: undef

checksum

Data type: Optional[String[1]]

The expected checksum of the source file.

Default value: undef

checksum_type

Data type: Optional[String[1]]

The type of file checksum.

Default value: undef

proxy_server

Data type: Optional[String[1]]

Proxy address to use when accessing source.

Default value: undef

proxy_type

Data type: Optional[String[1]]

Proxy type (see `archive::proxy_type`).

Default value: undef
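The following manifest is an added example, not part of the module's own documentation, showing how the ca_cert class parameters above and the ca_cert::ca defined type fit together: a downloaded intermediate pinned to a checksum, a root supplied inline via content, and a system CA marked distrusted. It assumes the ca_certs hash maps ca_cert::ca titles to that type's parameters; the URL, PEM body, digest and CA names are constructed placeholders.

```puppet
# Added example (not the module's own code). Assumes ca_certs is a hash of
# ca_cert::ca titles => parameter hashes; all values below are placeholders.
class { 'ca_cert':
  # Remove user-installed CAs that this catalog does not declare, so a CA
  # dropped into the trust directory by hand does not stay trusted silently.
  purge_unmanaged_CAs => true,
  ca_certs            => {
    # Fetch an intermediate over HTTPS and pin it to a known digest, so a
    # tampered or swapped download is rejected rather than installed.
    'example_org_intermediate' => {
      source        => 'https://pki.example.org/intermediate.crt',
      checksum_type => 'sha256',
      checksum      => '<sha256 hex digest of intermediate.crt>',
    },
    # Ship the root directly from the catalog. content and source are
    # mutually exclusive, so only content is given here.
    'example_org_root'         => {
      content => "-----BEGIN CERTIFICATE-----\n<base64 PEM body>\n-----END CERTIFICATE-----\n",
    },
  },
}

# Stop trusting a CA shipped by the ca-certificates package without
# removing the package or editing its bundle by hand.
ca_cert::ca { '<name of a system CA to distrust>':
  ensure => 'distrusted',
}

# Retire a locally installed CA that is no longer needed.
ca_cert::ca { 'old_internal_root':
  ensure => 'absent',
}
```

Because allow_insecure_source defaults to false, the source above uses https; pairing it with checksum_type and checksum means the file is also verified after download, independent of the transport.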