.

salt/states/rmt/files/rmt-ca.cnf

@@ -0,0 +1,41 @@
+[ca]
+default_ca                     = CA_default
+
+[CA_default]
+default_bits                   = 2048
+x509_extensions                = v3_ca
+default_days                   = 3650
+default_md                     = default
+policy                         = policy_optional
+copy_extensions                = copy
+unique_subject                 = no
+
+[policy_optional]
+countryName                    = optional
+stateOrProvinceName            = optional
+localityName                   = optional
+organizationName               = optional
+organizationalUnitName         = optional
+commonName                     = optional
+emailAddress                   = optional
+
+###############################################
+
+[req]
+default_bits                   = 2048
+distinguished_name             = req_distinguished_name
+x509_extensions                = v3_ca
+string_mask                    = utf8only
+prompt                         = no
+
+[v3_ca]
+basicConstraints               = critical, CA:true
+nsComment                      = "RMT Generated CA Certificate"
+nsCertType                     = sslCA
+keyUsage                       = cRLSign, keyCertSign
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid:always,issuer
+
+###############################################
+[ req_distinguished_name ]
+CN                             = RMT Certificate Authority

salt/states/rmt/files/rmt-server.cnf.jinja

@@ -0,0 +1,33 @@
+[req]
+default_bits                   = 2048
+distinguished_name             = req_distinguished_name
+x509_extensions                = v3_server_sign
+string_mask                    = utf8only
+prompt                         = no
+req_extensions                 = v3_req
+
+[v3_server_sign]
+basicConstraints               = CA:false
+nsComment                      = "RMT Generated Server Certificate"
+nsCertType                     = server
+keyUsage                       = digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage               = serverAuth, clientAuth
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid,issuer:always
+subjectAltName                 = @alt_names
+
+[v3_req]
+basicConstraints               = CA:false
+keyUsage                       = digitalSignature, keyEncipherment, keyAgreement
+subjectAltName                 = @alt_names
+
+[req_distinguished_name]
+CN                             = localhost
+
+[alt_names]
+DNS.0                          = localhost
+DNS.1                          = rmt.{{ pillar['network']['domain'] }}
+IP.0                           = {{ pillar['network']['ip'] }}
+{% for vlan in pillar['network']['vlan'] -%}
+IP.{{ loop.index }}                           = {{ vlan['address'] }}
+{% endfor -%}