Before using these modules you need to register an account with Venafi, and
configure it in your master
configuration file.
First, you need to add a placeholder to the master
file. This is because
the module will not load unless it finds an api_key
setting, valid or not.
Open up /etc/salt/master
and add:
venafi:
api_key: None
Then register your email address with Venafi using the following command:
salt-run venafi.register <youremail@yourdomain.com>
This command will not return an api_key
to you; that will be send to you
via email from Venafi. Once you have received that key, open up your master
file and set the api_key
to it:
venafi:
api_key: abcdef01-2345-6789-abcd-ef0123456789
To enable the ability for creating keys and certificates it is necessary to enable the
external pillars. Open the /etc/salt/master
file and add:
ext_pillar:
- venafi: True
To modify the URL being used for the Venafi Certificate issuance modify the file
in /etc/salt/master
and add the base_url information following under the venafi tag:
venafi:
base_url: http://newurl.venafi.com
Generate a CSR and submit it to Venafi for issuance, using the 'Internet' zone: salt-run venafi.request minion.example.com minion.example.com zone=Internet
Retrieve a certificate for a previously submitted request with request ID aaa-bbb-ccc-dddd: salt-run venafi.pickup aaa-bbb-ccc-dddd
Generate and return a private_key
. If a dns_name
is passed in, the
private_key
will be cached under that name.
The key will be generated based on the policy values that were configured by the Venafi administrator. A default Certificate Use Policy is associated with a zone; the key type and key length parameters associated with this value will be used.
salt-run venafi.gen_key minion.example.com minion.example.com zone=Internet \
password=SecretSauce
param str minion_id: | |
---|---|
Required. The name of the minion which hosts the domain name in question. | |
param str dns_name: | |
Required. The FQDN of the domain that will be hosted on the minion. | |
param str zone: | Required. Default value is "default". The zone on Venafi that the domain belongs to. |
param str password: | |
Optional. If specified, the password to use to access the generated key. |
Generate a csr using the host's private_key. Analogous to:
salt-run venafi.gen_csr minion.example.com minion.example.com country=US \
state=California loc=Sacramento org=CompanyName org_unit=DevOps \
zone=Internet password=SecretSauce
param str minion_id: | |
---|---|
Required. | |
param str dns_name: | |
Required. | |
param str zone: | Optional. Default value is "default". The zone on Venafi that the domain belongs to. |
param str country=None: | |
Optional. The two-letter ISO abbreviation for your country. | |
param str state=None: | |
Optional. The state/county/region where your organisation is legally located. Must not be abbreviated. | |
param str loc=None: | |
Optional. The city where your organisation is legally located. | |
param str org=None: | |
Optional. The exact legal name of your organisation. Do not abbreviate your organisation name. | |
param str org_unit=None: | |
Optional. Section of the organisation, can be left empty if this does not apply to your case. | |
param str password=None: | |
Optional. Password for the CSR. |
Request a new certificate. Analogous to:
salt-run venafi.request minion.example.com minion.example.com country=US \
state=California loc=Sacramento org=CompanyName org_unit=DevOps \
zone=Internet password=SecretSauce
param str minion_id: | |
---|---|
Required. | |
param str dns_name: | |
Required. | |
param str zone: | Required. Default value is "default". The zone on Venafi that the certificate request will be submitted to. |
param str country=None: | |
Optional. The two-letter ISO abbreviation for your country. | |
param str state=None: | |
Optional. The state/county/region where your organisation is legally located. Must not be abbreviated. | |
param str loc=None: | |
Optional. The city where your organisation is legally located. | |
param str org=None: | |
Optional. The exact legal name of your organisation. Do not abbreviate your organisation name. | |
param str org_unit=None: | |
Optional. Section of the organisation, can be left empty if this does not apply to your case. | |
param str password=None: | |
Optional. Password for the CSR. | |
param str company_id=None: | |
Optional, but may be configured in master file
instead. |
Register a new user account
salt-run venafi.register username@example.com
param str email: | |
---|---|
Required. The email address to use for the new Venafi account. |
Show company information, especially the company id
salt-run venafi.show_company example.com
param str domain: | |
---|---|
Required. The domain name to look up information for. |
Show zones for the specified company id.
salt-run venafi.show_zones
param str company_id: | |
---|---|
Optional. The company id to show the zones for. |
Show certificate requests for the specified certificate id. Analogous to the VCert pickup command.
salt-run venafi.pickup 4295ebc0-14bf-11e7-b965-1df050017ec1
param str id_: | Required. The id of the certificate to look up. |
---|
Show a private RSA key.
salt-run venafi.show_rsa minion.example.com minion.example.com
param str minion_id: | |
---|---|
The name of the minion to display the key for. | |
param str dns_name: | |
The domain name to display the key for. |
List domains that have been cached on this master.
salt-run venafi.list_domain_cache
Delete a domain from this master's cache.
salt-run venafi.delete_domain_cache example.com
param str domains: | |
---|---|
A domain name, or a comma-separated list of domain names, to delete from this master's cache. |