Before using these modules you need to register an account with Venafi, and configure it in your master configuration file.
First, add a placeholder to the master file: the module will not load unless it finds an api_key setting, valid or not. Open /etc/salt/master and add:

venafi:
  api_key: None
Then register your email address with Venafi using the following command:

salt-run venafi.register <youremail@yourdomain.com>

This command does not return an api_key to you; Venafi sends it to you by email. Once you have received the key, open the master file and set api_key to it:

venafi:
  api_key: abcdef01-2345-6789-abcd-ef0123456789

The api_key authenticates this master to Venafi, so keep /etc/salt/master readable only by the user the master runs as.
Creating keys and certificates also requires the venafi external pillar. Open /etc/salt/master and add:

ext_pillar:
  - venafi: True
To change the URL used for Venafi certificate issuance, add a base_url setting under the existing venafi key in /etc/salt/master (under the same venafi: block as api_key, not as a second top-level venafi: block, which would be a duplicate YAML key):

venafi:
  base_url: https://newurl.venafi.com

Use an https:// URL: the api_key accompanies every request to this endpoint, and a plaintext base_url would expose it on the wire.
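The configuration steps above can be checked before the master is restarted. The following is an added example, not Salt's own code: it validates the dictionary form of /etc/salt/master (the structure Salt hands to runners), using inline constructed configurations for the placeholder state, the finished state and a broken state. The function and constant names are mine, and the api_key format check only mirrors the shape of the example key on this page; it is an assumption, so a mismatch is reported as a warning rather than an error.

```python
"""Sanity checks for the venafi section of a Salt master configuration.

Added example, not Salt's own code. It works on the dictionary form of
/etc/salt/master (the structure Salt hands to runners as __opts__), so the
sample configurations are constructed inline and no YAML parser is needed.
"""
import re
from typing import Any, Dict, List

# Shape of the api_key example in the documentation (8-4-4-4-12 hex).
# Assumption: a key that does not look like this is reported as a warning,
# not rejected; the page does not document the key format.
API_KEY_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Values that mean "placeholder, registration not finished". YAML reads the
# bare word None from the placeholder step as the string "None".
PLACEHOLDER_VALUES = (None, "None", "")


def check_venafi_opts(opts: Dict[str, Any]) -> List[str]:
    """Return finding codes for a master config; an empty list means usable.

    no-venafi-section    the runner module will not load at all
    api-key-missing      the runner module will not load at all
    api-key-placeholder  placeholder still present, key not pasted in yet
    api-key-format       key does not match the documented example shape
    base-url-plaintext   api_key would travel to an http:// endpoint
    ext-pillar-disabled  keys and certificates cannot be created
    """
    findings: List[str] = []
    venafi = opts.get("venafi")
    if not isinstance(venafi, dict):
        return ["no-venafi-section"]

    if "api_key" not in venafi:
        findings.append("api-key-missing")
    elif venafi["api_key"] in PLACEHOLDER_VALUES:
        findings.append("api-key-placeholder")
    elif not API_KEY_RE.match(str(venafi["api_key"])):
        findings.append("api-key-format")

    base_url = venafi.get("base_url")
    if base_url is not None and not str(base_url).lower().startswith("https://"):
        findings.append("base-url-plaintext")

    # ext_pillar is a list of single-key mappings: [{"venafi": True}]
    ext_pillar = opts.get("ext_pillar") or []
    if not any(isinstance(e, dict) and e.get("venafi") for e in ext_pillar):
        findings.append("ext-pillar-disabled")
    return findings


# Constructed: /etc/salt/master right after the placeholder step.
PLACEHOLDER_OPTS = {"venafi": {"api_key": "None"}}

# Constructed: the finished configuration, with base_url placed under the
# same venafi key as api_key rather than in a second top-level venafi block
# (which would be a duplicate YAML key).
FINISHED_OPTS = {
    "venafi": {
        "api_key": "abcdef01-2345-6789-abcd-ef0123456789",
        "base_url": "https://newurl.venafi.com",
    },
    "ext_pillar": [{"venafi": True}],
}

# Constructed: base_url was added as a separate venafi block that replaced
# the first one, and the URL was copied with http://.
BROKEN_OPTS = {
    "venafi": {"base_url": "http://newurl.venafi.com"},
    "ext_pillar": [{"venafi": True}],
}


if __name__ == "__main__":
    for name, opts in (("placeholder", PLACEHOLDER_OPTS),
                       ("finished", FINISHED_OPTS),
                       ("broken", BROKEN_OPTS)):
        print(f"{name}: {', '.join(check_venafi_opts(opts)) or 'ok'}")
```

Run it as a script to see the findings for the three constructed configurations; in practice you would load /etc/salt/master with a YAML loader and pass the resulting dictionary to check_venafi_opts before restarting the master.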
Generate a CSR and submit it to Venafi for issuance, using the 'Internet' zone:

salt-run venafi.request minion.example.com minion.example.com zone=Internet

Retrieve a certificate for a previously submitted request with request ID aaa-bbb-ccc-dddd:

salt-run venafi.pickup aaa-bbb-ccc-dddd
Generate and return a private_key. If a dns_name is passed in, the private_key is cached on this master under that name.
The key is generated according to the policy values configured by the Venafi administrator: a default Certificate Use Policy is associated with each zone, and the key type and key length of that policy are used.

salt-run venafi.gen_key minion.example.com minion.example.com zone=Internet \
    password=SecretSauce

minion_id: Required. The name of the minion which hosts the domain name in question.
dns_name: Optional. The FQDN of the domain that will be hosted on the minion; if given, the generated key is cached under that name.
zone: Optional. Default value is "default". The zone on Venafi that the domain belongs to.
password: Optional. If specified, the password to use to access the generated key. A password passed on the salt-run command line is visible in the shell history and in the process list of the master.
Generate a CSR using the host's private_key; analogous to the corresponding VCert command.

salt-run venafi.gen_csr minion.example.com minion.example.com country=US \
    state=California loc=Sacramento org=CompanyName org_unit=DevOps \
    zone=Internet password=SecretSauce

minion_id: Required. The name of the minion which hosts the domain name in question.
dns_name: Required. The FQDN of the domain that will be hosted on the minion.
zone: Optional. Default value is "default". The zone on Venafi that the domain belongs to.
country: Optional. The two-letter ISO abbreviation for your country.
state: Optional. The state/county/region where your organisation is legally located. Must not be abbreviated.
loc: Optional. The city where your organisation is legally located.
org: Optional. The exact legal name of your organisation. Do not abbreviate your organisation name.
org_unit: Optional. Section of the organisation; can be left empty if this does not apply to your case.
password: Optional. Password for the private key the CSR is signed with (the value given to venafi.gen_key, if one was set).
Request a new certificate; analogous to the corresponding VCert command.

salt-run venafi.request minion.example.com minion.example.com country=US \
    state=California loc=Sacramento org=CompanyName org_unit=DevOps \
    zone=Internet password=SecretSauce

minion_id: Required. The name of the minion which hosts the domain name in question.
dns_name: Required. The FQDN of the domain that will be hosted on the minion.
zone: Optional. Default value is "default". The zone on Venafi that the certificate request will be submitted to.
country: Optional. The two-letter ISO abbreviation for your country.
state: Optional. The state/county/region where your organisation is legally located. Must not be abbreviated.
loc: Optional. The city where your organisation is legally located.
org: Optional. The exact legal name of your organisation. Do not abbreviate your organisation name.
org_unit: Optional. Section of the organisation; can be left empty if this does not apply to your case.
password: Optional. Password for the private key the CSR is signed with.
company_id: Optional, but may be configured in the master file instead.
Register a new user account.

salt-run venafi.register username@example.com

email: Required. The email address to use for the new Venafi account.
Show company information, in particular the company id.

salt-run venafi.show_company example.com

domain: Required. The domain name to look up information for.
Show zones for the specified company id.

salt-run venafi.show_zones

company_id: Optional. The company id to show the zones for.
Show certificate requests for the specified certificate id. Analogous to the VCert pickup command.

salt-run venafi.pickup 4295ebc0-14bf-11e7-b965-1df050017ec1

id: Required. The id of the certificate to look up.
Show a private RSA key cached on this master. The output is private key material, so run this only where the output is not captured in logs or shell history.

salt-run venafi.show_rsa minion.example.com minion.example.com

minion_id: The name of the minion to display the key for.
dns_name: The domain name to display the key for.
List domains that have been cached on this master.

salt-run venafi.list_domain_cache

Delete a domain from this master's cache.

salt-run venafi.delete_domain_cache example.com

domains: A domain name, or a comma-separated list of domain names, to delete from this master's cache.