=====================
Venafi Tools for Salt
=====================

Introduction
~~~~~~~~~~~~

Before using these modules you need to register an account with Venafi, and
configure it in your ``master`` configuration file.

First, you need to add a placeholder to the ``master`` file. This is because
the module will not load unless it finds an ``api_key`` setting, valid or not.
Open up ``/etc/salt/master`` and add:

.. code-block:: yaml

    venafi:
      api_key: None

Then register your email address with Venafi using the following command:

.. code-block:: bash

    salt-run venafi.register <youremail@yourdomain.com>

This command will not return an ``api_key`` to you; that will be sent to you
via email from Venafi. Once you have received that key, open up your ``master``
file and set the ``api_key`` to it:

.. code-block:: yaml

    venafi:
      api_key: abcdef01-2345-6789-abcd-ef0123456789

To enable the creation of keys and certificates it is necessary to enable the
external pillar. Open the ``/etc/salt/master`` file and add:

.. code-block:: yaml

    ext_pillar:
      - venafi: True

To change the URL used for Venafi certificate issuance, add a ``base_url``
setting under the ``venafi`` key in ``/etc/salt/master``:

.. code-block:: yaml

    venafi:
      base_url: http://newurl.venafi.com
Example Usage
~~~~~~~~~~~~~

Generate a CSR and submit it to Venafi for issuance, using the ``Internet`` zone:

.. code-block:: bash

    salt-run venafi.request minion.example.com minion.example.com zone=Internet

Retrieve a certificate for a previously submitted request with request ID
``aaa-bbb-ccc-dddd``:

.. code-block:: bash

    salt-run venafi.pickup aaa-bbb-ccc-dddd
Runner Functions
~~~~~~~~~~~~~~~~

gen_key
-------

Generate and return a ``private_key``. If a ``dns_name`` is passed in, the
``private_key`` will be cached under that name.

The key will be generated based on the policy values that were configured
by the Venafi administrator. A default Certificate Use Policy is associated
with a zone; the key type and key length parameters associated with this value
will be used.

.. code-block:: bash

    salt-run venafi.gen_key minion.example.com minion.example.com zone=Internet \
        password=SecretSauce

:param str minion_id: Required. The name of the minion which hosts the domain
    name in question.
:param str dns_name: Required. The FQDN of the domain that will be hosted on
    the minion.
:param str zone: Required. Default value is "default". The zone on Venafi that
    the domain belongs to.
:param str password: Optional. If specified, the password to use to access the
    generated key.
gen_csr
-------

Generate a CSR using the host's ``private_key``. Analogous to:

.. code-block:: bash

    salt-run venafi.gen_csr minion.example.com minion.example.com country=US \
        state=California loc=Sacramento org=CompanyName org_unit=DevOps \
        zone=Internet password=SecretSauce

:param str minion_id: Required.
:param str dns_name: Required.
:param str zone: Optional. Default value is "default". The zone on Venafi that
    the domain belongs to.
:param str country=None: Optional. The two-letter ISO abbreviation for your
    country.
:param str state=None: Optional. The state/county/region where your
    organisation is legally located. Must not be abbreviated.
:param str loc=None: Optional. The city where your organisation is legally
    located.
:param str org=None: Optional. The exact legal name of your organisation. Do
    not abbreviate your organisation name.
:param str org_unit=None: Optional. Section of the organisation; can be left
    empty if this does not apply to your case.
:param str password=None: Optional. Password for the CSR.
request
-------

Request a new certificate. Analogous to:

.. code-block:: bash

    salt-run venafi.request minion.example.com minion.example.com country=US \
        state=California loc=Sacramento org=CompanyName org_unit=DevOps \
        zone=Internet password=SecretSauce

:param str minion_id: Required.
:param str dns_name: Required.
:param str zone: Required. Default value is "default". The zone on Venafi that
    the certificate request will be submitted to.
:param str country=None: Optional. The two-letter ISO abbreviation for your
    country.
:param str state=None: Optional. The state/county/region where your
    organisation is legally located. Must not be abbreviated.
:param str loc=None: Optional. The city where your organisation is legally
    located.
:param str org=None: Optional. The exact legal name of your organisation. Do
    not abbreviate your organisation name.
:param str org_unit=None: Optional. Section of the organisation; can be left
    empty if this does not apply to your case.
:param str password=None: Optional. Password for the CSR.
:param str company_id=None: Optional, but may be configured in the ``master``
    file instead.
register
--------

Register a new user account.

.. code-block:: bash

    salt-run venafi.register username@example.com

:param str email: Required. The email address to use for the new Venafi account.

show_company
------------

Show company information, especially the company id.

.. code-block:: bash

    salt-run venafi.show_company example.com

:param str domain: Required. The domain name to look up information for.

show_csrs
---------

Show certificate requests for the configured API key.

.. code-block:: bash

    salt-run venafi.show_csrs

show_zones
----------

Show zones for the specified company id.

.. code-block:: bash

    salt-run venafi.show_zones

:param str company_id: Optional. The company id to show the zones for.
pickup, show_cert
-----------------

Show the certificate for the specified certificate request id. Analogous to the
VCert ``pickup`` command.

.. code-block:: bash

    salt-run venafi.pickup 4295ebc0-14bf-11e7-b965-1df050017ec1

:param str id\_: Required. The id of the certificate to look up.

show_rsa
--------

Show a private RSA key.

.. code-block:: bash

    salt-run venafi.show_rsa minion.example.com minion.example.com

:param str minion_id: The name of the minion to display the key for.
:param str dns_name: The domain name to display the key for.
list_domain_cache
-----------------

List domains that have been cached on this master.

.. code-block:: bash

    salt-run venafi.list_domain_cache

del_cached_domain
-----------------

Delete a domain from this master's cache.

.. code-block:: bash

    salt-run venafi.del_cached_domain example.com

:param str domains: A domain name, or a comma-separated list of domain names,
    to delete from this master's cache.