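# TLS material for RMT under /etc/rmt/ssl: a self-signed CA (rmt-ca.*) and a
# server key/certificate (rmt-server.*) signed by that CA.
#
# The CA passphrase comes from pillar rmt:ca_passphrase. It is passed to
# openssl through the process environment (-passin env:RMT_CA_PASSPHRASE)
# rather than on the command line, so it does not show up in `ps` output or in
# the command name Salt logs and reports for cmd.run states. Pillar values are
# rendered with yaml_encode so a passphrase that looks like a YAML bool/int or
# contains quotes still arrives as the intended string.
#
# Dependency chain: cnf + key -> CA cert -> server cert; each signing step is
# re-run (onchanges) when any of its inputs is regenerated, and the
# permission-only file.managed states require the step that produces the file
# so `replace: false` never creates an empty placeholder after a failure.

Create the ca cnf file:
  file.managed:
    - name: /etc/rmt/ssl/rmt-ca.cnf
    - source: salt://rmt/files/rmt-ca.cnf
    - user: root
    - group: root
    - mode: "0600"

Create rmt CA key:
  x509.private_key_managed:
    - name: /etc/rmt/ssl/rmt-ca.key
    - passphrase: {{ pillar['rmt']['ca_passphrase'] | yaml_encode }}
    - bits: 2048
    - owner: root
    - group: root
    - mode: "0600"

Create rmt CA certificate:
  cmd.run:
    # Self-signed CA certificate, 10 years, SHA-256. Re-generated whenever the
    # CA config or the CA key changes (a new key invalidates the old cert).
    - name: >-
        openssl req -config rmt-ca.cnf -key rmt-ca.key -new -x509
        -days 3650 -sha256 -out rmt-ca.crt -passin env:RMT_CA_PASSPHRASE
    - env:
      - RMT_CA_PASSPHRASE: {{ pillar['rmt']['ca_passphrase'] | yaml_encode }}
    - cwd: /etc/rmt/ssl
    - require:
      - file: Create the ca cnf file
      - x509: Create rmt CA key
    - onchanges:
      - file: Create the ca cnf file
      - x509: Create rmt CA key

Set permission on CA Certificate:
  file.managed:
    # Group-readable by nginx; content is left untouched (replace: false).
    - name: /etc/rmt/ssl/rmt-ca.crt
    - replace: false
    - user: root
    - group: nginx
    - mode: "0640"
    - require:
      - cmd: Create rmt CA certificate

Create rmt-server key:
  x509.private_key_managed:
    - name: /etc/rmt/ssl/rmt-server.key
    - bits: 2048
    - owner: root
    - group: root
    - mode: "0600"

Create the server cnf file:
  file.managed:
    - name: /etc/rmt/ssl/rmt-server.cnf
    - source: salt://rmt/files/rmt-server.cnf.jinja
    - template: jinja
    - user: root
    - group: root
    - mode: "0600"

Create the rmt-server signing request:
  cmd.run:
    # CSR for the server key; re-created when the server config or key changes.
    - name: >-
        openssl req -new -key rmt-server.key -config rmt-server.cnf
        -out rmt-server.csr
    - cwd: /etc/rmt/ssl
    - require:
      - file: Create the server cnf file
      - x509: Create rmt-server key
    - onchanges:
      - file: Create the server cnf file
      - x509: Create rmt-server key

# State ID kept as-is ("singing") so external requisites keep resolving.
Set permission on rmt-server singing request:
  file.managed:
    - name: /etc/rmt/ssl/rmt-server.csr
    - replace: false
    - user: root
    - group: root
    - mode: "0600"
    - require:
      - cmd: Create the rmt-server signing request

Create the rmt-server certificate:
  cmd.run:
    # Sign the server CSR with the CA. Also re-signed when the CA certificate is
    # regenerated, otherwise the server cert would chain to a stale issuer.
    # -CAcreateserial writes rmt-ca.srl next to the CA certificate.
    - name: >-
        openssl x509 -req -in rmt-server.csr -CA rmt-ca.crt -CAkey rmt-ca.key
        -CAcreateserial -out rmt-server.crt -days 3650 -sha256
        -passin env:RMT_CA_PASSPHRASE
    - env:
      - RMT_CA_PASSPHRASE: {{ pillar['rmt']['ca_passphrase'] | yaml_encode }}
    - cwd: /etc/rmt/ssl
    - require:
      - cmd: Create rmt CA certificate
      - cmd: Create the rmt-server signing request
    - onchanges:
      - cmd: Create the rmt-server signing request
      - cmd: Create rmt CA certificate

Set permission on rmt-server certificate:
  file.managed:
    - name: /etc/rmt/ssl/rmt-server.crt
    - replace: false
    - user: root
    - group: root
    - mode: "0600"
    - require:
      - cmd: Create the rmt-server certificate

Set permission on rmt CA serial:
  file.managed:
    - name: /etc/rmt/ssl/rmt-ca.srl
    - replace: false
    - user: root
    - group: root
    - mode: "0600"
    - require:
      - cmd: Create the rmt-server certificate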