diff --git a/README.md b/README.md
index dcfc419..cdf6be8 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@ nsstools::create { '/etc/dirsrv/slapd-ldap1':
mode => '0660',
password => 'example',
manage_certdir => false,
+ enable_fips => false,
}
nsstools::add_cert_and_key{ 'Server-Cert':
@@ -128,7 +129,8 @@ nsstools::create {
:
group => undef,
mode => '0600',
certdir_mode => '0700',
- manage_certdir => true
+ manage_certdir => true,
+ enable_fips => false,
}
```
@@ -175,6 +177,12 @@ nsstools::create { :
`String` Defaults to: `0700`
+ * `enable_fips`
+
+ `Boolean` Defaults to: `true`
+
+ If `true` enables FIPS compliance mode on the NSS DB.
+
### `add_cert`
Insert a certificate into an existing NSS database.
@@ -194,8 +202,7 @@ nsstools::add_cert { :
* `certdir`
- `String`/absolute path required
-
+ `String`/absolute path required
Absolute path to the directory to contain the database files.
* `cert`
@@ -258,6 +265,53 @@ nsstools::add_cert_and_key { :
The "nickname" of the certificate in the database.
+### `create_cert_and_key`
+
+Create a certificate and it's associated private key directly in an existing NSS database.
+
+```puppet
+nsstools::create_cert_and_key { :
+ nickname => , # defaults to $title
+ subject => , # required
+ certdir => , # required
+}
+```
+
+ * `title`
+
+ Used as the default value for the `nickname` parameter.
+
+ * `nickname`
+
+ `String` defaults to: `title`
+
+ The "nickname" of the certificate in the database.
+
+ * `subject`
+
+ `String` required
+
+ The subject of the certificate. The subject identification format follows RFC #1485.
+
+ * `keytype`
+
+ `String` defaults to: 'rsa'
+
+ The type of key to generate with the self signed cert.
+ Valid options: ras|dsa|ec|all
+
+ * `noisefile`
+
+ `String`/absolute path defaults to: '/var/log/messages'
+
+ The path to a file to use as noise to generate the cert. The minimum file size is 20 bytes.
+
+ * `certdir`
+
+ `String`/absolute path required
+
+ Absolute path to the directory that contains the already created NSS database.
+
## Functions
### `nsstools_add_cert`
diff --git a/manifests/create.pp b/manifests/create.pp
index a1ee8c4..5eced2e 100644
--- a/manifests/create.pp
+++ b/manifests/create.pp
@@ -8,6 +8,7 @@
# $mode - optional - defaults to '0600'
# $certdir_mode - optional - defaults to '0700'
# $manage_certdir - optional - defaults to true
+# $enable_fips - optional - defaults to false
#
# Actions:
# creates a new NSS database, consisting of 4 files:
@@ -25,7 +26,8 @@
# group => 'root',
# mode => '0600',
# certdir_mode => '0700',
-# manage_certdir => true
+# manage_certdir => true,
+# enable_fips => false,
# }
#
#
@@ -36,9 +38,11 @@
$group = undef,
$mode = '0600',
$certdir_mode = '0700',
- $manage_certdir = true
+ $manage_certdir = true,
+ $enable_fips = false,
) {
include nsstools
+ include nsstools::params
validate_string($password)
validate_absolute_path($certdir)
@@ -47,6 +51,7 @@
validate_string($mode)
validate_string($certdir_mode)
validate_bool($manage_certdir)
+ validate_bool($enable_fips)
if $manage_certdir {
file { $certdir:
@@ -62,7 +67,8 @@
$require_certdir = undef
}
- file { "${certdir}/nss-password.txt":
+ $_password_file = "${certdir}/${nsstools::params::password_file_name}"
+ file { $_password_file:
ensure => file,
owner => $owner,
group => $group,
@@ -81,17 +87,27 @@
group => $group,
mode => $mode,
require => [
- File["${certdir}/nss-password.txt"],
+ File[$_password_file],
Exec["create_nss_db_${title}"],
],
}
exec { "create_nss_db_${title}":
- command => "/usr/bin/certutil -N -d ${certdir} -f ${certdir}/nss-password.txt",
+ command => "/usr/bin/certutil -N -d ${certdir} -f ${_password_file}",
creates => ["${certdir}/cert8.db", "${certdir}/key3.db", "${certdir}/secmod.db"],
require => [
- File["${certdir}/nss-password.txt"],
+ File[$_password_file],
Class['nsstools'],
]
}
+
+ if $enable_fips {
+ # enable fips mode on the NSS DB after DB creation
+ exec { "enable_fips_mode_${title}":
+ command => "/usr/bin/modutil -fips true -dbdir ${certdir} -force",
+ unless => "/usr/bin/modutil -chkfips true -dbdir ${certdir}",
+ subscribe => [Exec["create_nss_db_${title}"],],
+ refreshonly => true,
+ }
+ }
}
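Review bot: The `enable_fips_mode_${title}` exec at the end of the hunk is `refreshonly => true` and only `subscribe`d to `create_nss_db_${title}`, so it fires solely in the run that creates the database; flipping `enable_fips` to true for a database that already exists never runs `modutil -fips true`, even though the `unless => "/usr/bin/modutil -chkfips true ..."` guard already makes the exec idempotent on its own. Consider replacing the `subscribe`/`refreshonly` pair with `require => Exec["create_nss_db_${title}"],` so the `unless` check decides on every run, with the `# enable fips mode ...` comment adjusted to say it is applied whenever the DB is not yet in FIPS mode. The README hunk for the same parameter (the `enable_fips` entry under nsstools::create) says it defaults to `true`, while the parameter-list hunk above defaults it to `false` and the header comment says false; the README line should be corrected to match. The `nsstools::create` define begins above this hunk.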
diff --git a/manifests/create_cert_and_key.pp b/manifests/create_cert_and_key.pp
new file mode 100644
index 0000000..dc49e36
--- /dev/null
+++ b/manifests/create_cert_and_key.pp
@@ -0,0 +1,58 @@
+# Creates a self signed certificate with key directly in the NSS database.
+#
+# Parameters:
+# $nickname - optional - The nickname for the NSS certificate, defaults to the title
+# $subject - required - The subject of the certificate.
+# The subject identification format follows RFC #1485.
+# $keytype - optional - The type of key to generate with the self signed cert.
+# Valid options: ras|dsa|ec|all
+# $noisefile - optional - The path to a file to use as noise to generate the cert.
+# The minimum file size is 20 bytes.
+# $certdir - required - The path to the NSS DB to add the cert to
+#
+# Actions:
+# Creates a self signed certifacate directly in the NSS databae.
+#
+# Requires:
+# $subject
+# $certdir
+#
+# Sample Usage:
+#
+# nsstools::create_cert_and_key { 'server_cert':
+# nickname => 'Servert Cert',
+# subject => 'CN=localhost, OU=OrgUnit, O=Org, L=City, ST=State, C=MY\',
+# certdir => '/etc/pki/foo',
+# }
+#
+define nsstools::create_cert_and_key(
+ $nickname = $title,
+ $subject,
+ $keytype = 'rsa',
+ $noisefile = '/var/log/messages',
+ $certdir,
+) {
+ include nsstools
+ include nsstools::params
+
+ validate_string($nickname)
+ validate_string($subject)
+ validate_re($keytype, [ '^rsa', '^dsa', '^ec', '^all' ])
+ validate_absolute_path($certdir)
+ validate_absolute_path($noisefile)
+
+ $_password_file = "${certdir}/${nsstools::params::password_file_name}"
+
+ # create the cert and key in the NSS database
+ exec { "create_cert_and_key_${title}":
+ path => ['/usr/bin'],
+ command => "certutil -S -k ${keytype} -n '${nickname}' -t \"u,u,u\" -x -s \"${subject}\" -d ${certdir} -f ${_password_file} -z ${noisefile}",
+ unless => "certutil -d ${certdir} -L -n '${nickname}'",
+ logoutput => true,
+ require => [
+ Nsstools::Create[$certdir],
+ File[$_password_file],
+ Class['nsstools'],
+ ],
+ }
+}
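Review bot: `$subject` and `$nickname` are interpolated straight into the `command` and `unless` strings inside hand-written shell quotes (`-n '${nickname}'`, `-s \"${subject}\"`), and `validate_string` does not reject quote characters, so a subject or nickname coming from Hiera or an ENC that contains `"`, `'` or `$` breaks the command line and, if the exec provider hands the string to a shell (the quoting suggests the author expects one; not visible here), can execute arbitrary text as the agent user. The `keytype` check `validate_re($keytype, [ '^rsa', '^dsa', '^ec', '^all' ])` is anchored only at the start, so any value beginning with `rsa` also reaches the command unchanged. Quote the two values with stdlib's `shellquote` (the module already relies on stdlib validators) and anchor the pattern as `validate_re($keytype, '^(rsa|dsa|ec|all)$')`, as sketched below. The header comment's `Valid options: ras|dsa|ec|all` should read `rsa|dsa|ec|all`, and the README entry for `keytype` repeats the same typo; the `Nsstools::Create[$certdir]` dependency also presumes the create resource is titled by its certdir, which is worth stating in the header comment.
```puppet
  validate_re($keytype, '^(rsa|dsa|ec|all)$')
  # … unchanged: validate_absolute_path calls …

  $_password_file = "${certdir}/${nsstools::params::password_file_name}"
  # quote user-supplied values before they reach the command line
  $_nickname = shellquote($nickname)
  $_subject  = shellquote($subject)

  # create the cert and key in the NSS database
  exec { "create_cert_and_key_${title}":
    path      => ['/usr/bin'],
    command   => "certutil -S -k ${keytype} -n ${_nickname} -t \"u,u,u\" -x -s ${_subject} -d ${certdir} -f ${_password_file} -z ${noisefile}",
    unless    => "certutil -d ${certdir} -L -n ${_nickname}",
    # … unchanged: logoutput, require …
  }
```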
diff --git a/manifests/params.pp b/manifests/params.pp
index 0c9dcf6..e60b388 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,5 +1,7 @@
# this class should be considered private
class nsstools::params {
+ $password_file_name = 'nss-password.txt'
+
case $::osfamily {
'redhat': {
$package_name = ['nss-tools']