cdist-type__easy_rsa_pki(7)
===========================

NAME
----
cdist-type__easy_rsa_pki - Install an easy-rsa PKI


DESCRIPTION
-----------
This cdist type can be used to set up an Easy-RSA PKI structure in the
``__object_id`` directory on the target and manage its configuration.

**NB:** The directory in ``__object_id`` is required to be empty.
The ``EASYRSA_PKI`` will be located at ``${__object_id}/pki``.

The optional parameters will have an effect on the ``vars`` file.

This cdist type does not build an Easy-RSA CA (for this,
see :strong:`cdist-type__easy_rsa_ca`\ (7)).

One Easy-RSA PKI can hold at most one CA, so it is necessary to
use this type once for each usage of ``__easy_rsa_ca``.

REQUIRED PARAMETERS
-------------------
None.


OPTIONAL PARAMETERS
-------------------
ca-expire-days
    The default CA validity time in days.

cert-expire-days
    The default expiration time in days for issued certs.

cert-renewal-allowed-days
    The default days before expiration an issued certificate is allowed to
    be renewed.

crl-publish-days
    The default days until the next publish date of the CRL.

default-ec-curve
    The default named EC curve to use (if ``--use-algo ec``).

default-keysize
    The size in bits for your keypairs.
    Only used if ``--use-algo rsa``.

digest
    Cryptographic digest to use.
    Do not change this default unless you understand the security implications.

    Valid choices include: md5, sha1, sha256, sha224, sha384, sha512

dn-mode
    The X509 DN (Distinguished Name) mode.
    Choices are:

    cn_only
        use just a CN value.
    org
        use the "traditional" Country/Province/City/Org/OU/email/CN format.

use-algo
    The crypto mode to use.
    Possible values:

    rsa
        RSA mode.
    ec
        Elliptic Curve Cryptography mode.

    Default is: ``rsa``.


The following optional parameters correspond to the default values in
organisational fields (only used if ``--dn-mode org``):

default-country
    Country.

default-province
    Province.

default-city
    City.

default-org
    Organisation.

default-email
    Email.

default-ou
    Organisational unit.


BOOLEAN PARAMETERS
------------------
None.


EXAMPLES
--------

.. code-block:: sh

    # Ensure existence of an Easy-RSA PKI structure in directory /etc/easy-rsa
    __easy_rsa_pki /etc/easy-rsa

    # Ensure existence of a PKI in directory /etc/easy-rsa with defaults
    __easy_rsa_pki /etc/easy-rsa \
        --use-algo rsa \
        --default-keysize 2048 \
        --dn-mode org \
        --digest sha512 \
        --default-country CH \
        --default-province SG \
        --default-city Werdenberg \
        --default-org SSRQ \
        --default-email test@example.com \
        --default-ou "Unit 1"
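
Because the optional parameters end up in the ``vars`` file, a rendered file can be checked for the weaker ``digest`` choices (md5, sha1) and for a short RSA key before a CA is built on it. The following POSIX sh check is an added example, not part of this type or of Easy-RSA; the ``EASYRSA_ALGO``, ``EASYRSA_KEY_SIZE`` and ``EASYRSA_DIGEST`` names follow stock Easy-RSA 3, while their mapping to this type's parameters, the 2048-bit floor and the function names are assumptions.

```sh
#!/bin/sh
# Added example: flag weak crypto settings in an Easy-RSA vars file.
# Assumes stock Easy-RSA 3 syntax: set_var NAME value

# Print the last value set for variable $2 in vars file $1 (empty if unset).
vars_get() {
    sed -n "s/^[[:space:]]*set_var[[:space:]]\{1,\}$2[[:space:]]\{1,\}//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' |
        tr -d "\"'" | tail -n 1
}

# Return 1 and print one line per finding; return 0 if nothing is flagged.
audit_easyrsa_vars() {
    vars=$1
    rc=0
    algo=$(vars_get "$vars" EASYRSA_ALGO)
    digest=$(vars_get "$vars" EASYRSA_DIGEST)
    bits=$(vars_get "$vars" EASYRSA_KEY_SIZE)

    # Unset values fall back to Easy-RSA's own defaults (rsa, 2048, sha256).
    case ${digest:-sha256} in
        md5|sha1) echo "WEAK digest: $digest"; rc=1 ;;
    esac
    if [ "${algo:-rsa}" = rsa ]; then
        case ${bits:-2048} in
            *[!0-9]*) echo "INVALID RSA key size: $bits"; rc=1 ;;
            *) # 2048 bits is this example's policy floor, not an Easy-RSA rule.
               [ "${bits:-2048}" -ge 2048 ] ||
                   { echo "WEAK RSA key size: $bits"; rc=1; } ;;
        esac
    fi
    return "$rc"
}

# Constructed sample input, not output captured from the cdist type.
sample=$(mktemp)
cat >"$sample" <<'EOF'
set_var EASYRSA_ALGO      rsa
set_var EASYRSA_KEY_SIZE  1024
set_var EASYRSA_DIGEST    "sha1"   # legacy client compatibility
EOF
audit_easyrsa_vars "$sample" || echo "review $sample before building a CA"
rm -f "$sample"
```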


SEE ALSO
--------
:strong:`cdist-type__easy_rsa_ca`\ (7),
:strong:`cdist-type__easy_rsa_cert`\ (7)


AUTHORS
-------
| Marko Seric <marko.seric--@--ssrq-sds-fds.ch>
| Beni Ruef <bernhard.ruef--@--ssrq-sds-fds.ch>
| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>


COPYING
-------
Copyright \(C) 2020 the AUTHORS. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.