Project

General

Profile

« Previous | Next » 

Revision 4b4164a6

Added by Ivan Necas over 10 years ago

Make sure the keys are protected

View differences:

manifests/certs.pp
$nss_db_password_file = '/etc/katello/nss_db_password-file'
$ssl_pk12_password_file = $certs::params::ssl_pk12_password_file
$qpid_cert_name = 'qpid-broker'
$cert_path = "/etc/pki/katello/${qpid_cert_name}.crt"
$key_path = "/etc/pki/katello/${qpid_cert_name}.key"
$client_cert = "/etc/pki/katello/${qpid_cert_name}.crt"
$client_key = "/etc/pki/katello/${qpid_cert_name}.key"
$pfx_path = "/etc/pki/katello/${qpid_cert_name}.pfx"
$nssdb_files = ["${::certs::nss_db_dir}/cert8.db", "${::certs::nss_db_dir}/key3.db", "${::certs::nss_db_dir}/secmod.db"]
pubkey { $cert_path:
pubkey { $client_cert:
cert => Cert["${qpid::certs::hostname}-qpid-broker"]
} ~>
privkey { $key_path:
privkey { $client_key:
cert => Cert["${qpid::certs::hostname}-qpid-broker"]
} ~>
file { $client_key:
owner => 'root',
group => $::certs::user_groups,
mode => '0400',
} ~>
exec { 'generate-nss-password':
command => "openssl rand -base64 24 > ${nss_db_password_file}",
path => '/usr/bin',
......
owner => 'root',
group => $::certs::user_groups,
mode => '0640',
require => Exec['generate-nss-password']
} ~>
exec { 'generate-pk12-password':
path => '/usr/bin',
......
mode => '0640',
} ~>
exec { 'add-broker-cert-to-nss-db':
command => "certutil -A -d '${::certs::nss_db_dir}' -n 'broker' -t ',,' -a -i '${cert_path}'",
command => "certutil -A -d '${::certs::nss_db_dir}' -n 'broker' -t ',,' -a -i '${client_cert}'",
path => '/usr/bin',
refreshonly => true,
} ~>
exec { 'generate-pfx-for-nss-db':
command => "openssl pkcs12 -in ${cert_path} -inkey ${key_path} -export -out '${pfx_path}' -password 'file:${ssl_pk12_password_file}'",
command => "openssl pkcs12 -in ${client_cert} -inkey ${client_key} -export -out '${pfx_path}' -password 'file:${ssl_pk12_password_file}'",
path => '/usr/bin',
refreshonly => true,
} ~>

Also available in: Unified diff