ssl-key-vault cookbook (version 0.1.2)
SSL key & certificate storage in chef-vault
This cookbook manages OpenSSL key pairs, using chef-vault to share and store private keys.
This cookbook's home is at https://github.com/3ofcoins/ssl-key-vault/
Requirements
Usage
- Generate a private key and either a self-signed certificate or one issued by a CA.
- Store the private key in chef-vault. The item name should be
  ssl-key-<key name> (e.g. ssl-key-example.com):

      $ knife encrypt cert \
          --search 'QUERY' --admins '' \
          --name ssl-key-example.com \
          --cert /path/to/example.com.key
      $ knife upload data_bags/certs

  The --search query selects the nodes whose client keys the item is
  encrypted to, so keep it to the nodes that actually need this key.
  Either add the Chef server's admin API users to --admins, or make
  the key otherwise accessible to yourself in future (e.g. with
  knife-briefcase); with --admins '' nobody but the matching nodes can
  decrypt it.
- Add the certificate to the node's ssl_certificates attribute (key is the
  key's name, value is the full PEM certificate):

      example_com_cert = <<EOF
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
      EOF
      default_attributes :ssl_certificates => { 'example.com' => example_com_cert }
  If you don't want to clutter your role definition, you can read the
  certificate from a file in the chef repo:

      default_attributes :ssl_certificates => {
        'example.com' => Pathname.new(__FILE__).dirname.join('../config/certificates/example.com.crt').read
      }
- Add recipe[ssl-key-vault] to the node's run list.

The key will be stored in /etc/ssl/private/<key name>.key and the
certificate in /etc/ssl/certs/<key name>.pem (for the example above,
/etc/ssl/private/example.com.key and /etc/ssl/certs/example.com.pem).
Multiple certificate files
If you need to store the certificate and chain separately, or store the
public part in multiple files for any other reason, the ssl_certificates
entry can also be a dictionary, where the key is the extension of the file
in /etc/ssl/certs and the value is the file's content:

    certificates = Pathname.new(__FILE__).dirname.join('../config/certificates')
    default_attributes :ssl_certificates => {
      'example.com' => {
        'crt'       => certificates.join('example.com.crt').read,
        'chain.pem' => certificates.join('example.com.chain.pem').read,
      }
    }

In this example, the files /etc/ssl/certs/example.com.crt and
/etc/ssl/certs/example.com.chain.pem will be created.
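The following Ruby script is an added example, not code from the ssl-key-vault cookbook. It walks the Usage steps and the multiple-file form above end to end: it generates the key pair and self-signed certificate for step 1, checks that the certificate really belongs to the private key before the key goes into chef-vault, derives the ssl-key-<name> vault item name, builds the ssl_certificates attribute value in both the plain-string and dictionary forms, and lists the files the cookbook will create under /etc/ssl/certs for each form. The helper names (generate_self_signed, cert_matches_key?, vault_item_name, ssl_certificates_attribute, planned_certificate_files), the keyUsage/subjectAltName extensions and the 0600 key file are choices made here; only the item-name prefix and the /etc/ssl paths come from the README.

```ruby
require 'openssl'
require 'json'
require 'tmpdir'

# Added example, not part of the ssl-key-vault cookbook. Helper names are
# invented here; the "ssl-key-<name>" item name and the /etc/ssl paths follow
# the cookbook's README.

# Step 1: an RSA private key and a self-signed X.509 v3 certificate for +cn+.
def generate_self_signed(cn, days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                          # X.509 v3
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject               # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Check worth running before `knife encrypt cert`: the certificate that will be
# published in the (unencrypted) attribute must belong to the private key that
# goes into the vault, otherwise the node ends up with a mismatched pair.
def cert_matches_key?(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)
  cert.check_private_key(key)
end

# Step 2: name of the chef-vault item holding the private key.
def vault_item_name(name)
  "ssl-key-#{name}"
end

# Step 3 / "Multiple certificate files": value for the ssl_certificates
# attribute. A plain String means one file, /etc/ssl/certs/<name>.pem; a Hash
# of extension => content means one file per entry.
def ssl_certificates_attribute(name, cert_pem, chain_pem: nil)
  value = chain_pem ? { 'crt' => cert_pem, 'chain.pem' => chain_pem } : cert_pem
  { name => value }
end

# Files under /etc/ssl/certs the cookbook will create for one attribute entry.
def planned_certificate_files(name, value)
  case value
  when String then ["/etc/ssl/certs/#{name}.pem"]
  when Hash   then value.keys.map { |ext| "/etc/ssl/certs/#{name}.#{ext}" }
  else raise ArgumentError, "ssl_certificates[#{name}] must be a String or a Hash"
  end
end

if __FILE__ == $PROGRAM_NAME
  key, cert = generate_self_signed('example.com')
  abort 'certificate does not match private key' unless cert_matches_key?(cert.to_pem, key.to_pem)

  # The key file handed to `knife encrypt cert --cert ...`; keep it 0600 and
  # delete it once the vault item has been uploaded.
  Dir.mktmpdir do |dir|
    key_path = File.join(dir, 'example.com.key')
    File.write(key_path, key.to_pem, perm: 0600)
    puts "knife encrypt cert --search 'QUERY' --admins '' " \
         "--name #{vault_item_name('example.com')} --cert #{key_path}"
  end

  attrs = ssl_certificates_attribute('example.com', cert.to_pem)
  puts JSON.pretty_generate('default_attributes' => { 'ssl_certificates' => attrs })
  puts planned_certificate_files('example.com', attrs['example.com'])
end
```

Run it directly to see the knife command line, the role attribute as JSON, and the file the cookbook will write; pass chain_pem: to ssl_certificates_attribute to get the dictionary form and the two-file layout described above.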
TODOs & questions
Maybe we should store certificate somewhere else than in attributes?
knife-vault supports only one value, and certificate is public, so it
shouldn't be encrypted. Creating a separate data bag seems to create
a lot of clutter, and is not easy to describe in Usage section, as
it needs to be encoded in JSON. Adding it to cookbook's files/ is
also kind of messy.
Maybe the answer would be to script adding a new key. A knife plugin
or at least a Thor task definition may be helpful here.
I don't have much of an idea currently how to add tests with chef-vault,
encrypted data bags, and such.
Author
Author:: Maciej Pasternacki maciej@3ofcoins.net
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
There are no cookbooks that are contingent upon this one.