Have the system trust additional Certificate Authorities (CAs) specified in pillar.
- Debian family (tested on Debian 6, 7, 8 and Ubuntu 14.04)
- RedHat family (tested on CentOS 7 only)
In your pillar, place each CA's PEM file content in a dict
under trustedCAs and activate the pki:trustedCAs flag:

    pki:
      trustedCAs: true

    trustedCAs:
      the_ca_name: |
        -----BEGIN CERTIFICATE-----
        MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
        (... truncated ...)
        jVaMaA==
        -----END CERTIFICATE-----
Note: removing a CA from the pillar does not make the system stop trusting it.

If you need to control your states according to changes in the CAs,
you can add dependencies on the cmd: update-ca-certificates state.
For example, if you have a service that pulls something over a TLS
connection and depends on the proper CA being trusted, you can do something like this:

    myservice:
      service.running:
        - restart: true
        - watch:
          - cmd: update-ca-certificates
The formula adds the CA to the system's list of trusted authorities. On both Debian and RedHat, this works by populating the directory expected by the distribution and running the update script provided by the distribution whenever the directory contents change.
- Debian: directory /usr/local/share/ca-certificates, script update-ca-certificates.
- RedHat: directory /etc/pki/trust/source/anchors, script update-ca-trust.
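Because a CA dropped from the pillar stays trusted until its file is removed from the anchor directory, it is useful to audit the directory against the pillar. The following is an added example, not part of this formula; it assumes the pillar's trustedCAs dict is available as a Python dict, that the formula writes one `<ca_name>.crt` file per entry, and it uses a constructed stand-in PEM block rather than a real certificate.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the pillar's `trustedCAs` dict (not a real CA).
PILLAR_TRUSTED_CAS = {
    "corp_root": "-----BEGIN CERTIFICATE-----\nQ09SUF9ST09U\n-----END CERTIFICATE-----\n",
}


def pem_fingerprint(pem_text):
    """Hash the base64 body only, so line wrapping and whitespace differences do not matter."""
    body = "".join(line.strip() for line in pem_text.strip().splitlines()
                   if not line.startswith("-----"))
    return hashlib.sha256(body.encode()).hexdigest()


def audit_anchor_dir(pillar_cas, anchor_dir, suffix=".crt"):
    """Compare pillar CAs with the files in the distribution's anchor directory.

    Returns a dict with three sorted lists:
      ok      - pillar CA names whose PEM is present on disk
      missing - pillar CA names with no matching file (state not applied yet)
      stale   - files on disk matching no pillar entry; these remain trusted
                until the file is removed and the update script is re-run
    """
    wanted = {pem_fingerprint(pem): name for name, pem in pillar_cas.items()}
    found = {}
    for fname in sorted(os.listdir(anchor_dir)):
        if not fname.endswith(suffix):
            continue  # update-ca-certificates only picks up *.crt files on Debian
        with open(os.path.join(anchor_dir, fname)) as fh:
            found[pem_fingerprint(fh.read())] = fname
    return {
        "ok": sorted(wanted[fp] for fp in wanted if fp in found),
        "missing": sorted(wanted[fp] for fp in wanted if fp not in found),
        "stale": sorted(found[fp] for fp in found if fp not in wanted),
    }


def demo():
    """Simulate a host where a CA was dropped from pillar but its file is still on disk."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "corp_root.crt"), "w") as fh:
            fh.write(PILLAR_TRUSTED_CAS["corp_root"])
        with open(os.path.join(d, "old_vendor.crt"), "w") as fh:  # constructed stale CA
            fh.write("-----BEGIN CERTIFICATE-----\nT0xEX1ZFTkRPUg==\n-----END CERTIFICATE-----\n")
        return audit_anchor_dir(PILLAR_TRUSTED_CAS, d)


if __name__ == "__main__":
    print(demo())
```

Run it against /usr/local/share/ca-certificates (or the RedHat anchors directory with the appropriate suffix) to list CAs that are still trusted but no longer declared in pillar.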