When managing configuration for various services, you’ll (hopefully) end up having to install TLS certificates at some point. Rather than reimplementing the same logic in various modules, roles or formulas, I’ve had an Ansible role for a while that bundled everything into a single role, using the vault to obtain all certificates, keys and bundles that needed to be managed on a given node.

For a while now I’ve been rewriting part of my setup to use Saltstack, and ended up with a similar approach for Salt. The formula can be found on GitHub: jasperla/salt-tls-formula.

I assign this formula to all minions, simply because it won’t do anything if a minion doesn’t have any TLS configuration in its pillar. So it’s safe to enable everywhere:

base:
  '*':
    - tls

In your pillar you define the certificates, keys and chains as:

#!yaml|gpg

tls:
  certs:
    /etc/ssl/path_to_cert.crt:
      content: |
        -----BEGIN CERTIFICATE-----
        MIIE+jCCA+KgAwIBAgIRALRW5MT6nSki0VQR6/Ff66owDQYJKoZIhvcNAQELBQAw
        [...]
        -----END CERTIFICATE-----
  keys:
    /etc/ssl/private/path_to_key.key:
      content: |
        -----BEGIN PGP MESSAGE-----

        hQIMA+f23ydFPEDmAQ//RxJmNOb82mMEyTECRH/EGhMjrQDwt0trpIPXATzMUzCj
        [...]
        -----END PGP MESSAGE-----

As you can see, I chose to use the GPG renderer, which allows secrets to be stored alongside your regular pillar data.

This formula also takes care of setting default permissions on the files; keys default to 0600, so forgetting to specify the mode doesn’t result in a security incident due to overly permissive file modes.
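The two points above (secrets only ever reaching the pillar through the GPG renderer, and keys defaulting to 0600) are easy to verify before a highstate. The following is an added example, not code from salt-tls-formula: it audits a rendered `tls` pillar dict for private keys that were committed as plaintext PEM instead of a PGP message, for key entries whose explicit mode grants group/other access, and for cert entries that accidentally carry key material. The optional `mode` key and the 0644 default for certs are assumptions about the pillar layout, not facts taken from the formula.

```python
# Audit a rendered `tls` pillar (the dict Salt would hand a state) for the
# mistakes the post's conventions are meant to prevent. Added example; the
# `mode` key and the 0644 cert default are assumptions, 0600 for keys is
# the formula's documented default.

PGP_HEADER = "-----BEGIN PGP MESSAGE-----"
CERT_HEADER = "-----BEGIN CERTIFICATE-----"
PRIVATE_KEY_MARKER = "PRIVATE KEY-----"   # matches PKCS#8, RSA and EC headers

DEFAULT_MODES = {"certs": "0644", "keys": "0600"}


def audit_tls_pillar(pillar):
    """Return sorted (path, problem) findings for a rendered pillar dict."""
    findings = []
    tls = pillar.get("tls") or {}
    for section, default in DEFAULT_MODES.items():
        for path, entry in (tls.get(section) or {}).items():
            entry = entry or {}
            content = entry.get("content", "")
            raw = entry.get("mode", default)
            # An unquoted 0644 in YAML may already have become an int.
            mode = raw if isinstance(raw, int) else int(str(raw), 8)
            if section == "keys":
                if PGP_HEADER not in content:
                    findings.append((path, "private key is not GPG-encrypted in pillar"))
                if mode & 0o077:
                    findings.append((path, f"mode {mode:04o} grants group/other access to a key"))
            else:
                if CERT_HEADER not in content:
                    findings.append((path, "cert entry is not a PEM certificate"))
                if PRIVATE_KEY_MARKER in content:
                    findings.append((path, "cert entry carries private key material"))
    return sorted(findings)


# Constructed sample mirroring the post's layout, with deliberate mistakes.
SAMPLE_PILLAR = {"tls": {
    "certs": {
        "/etc/ssl/path_to_cert.crt": {"content": f"{CERT_HEADER}\nMIIE...\n-----END CERTIFICATE-----\n"},
        "/etc/ssl/combined.pem": {"content": f"{CERT_HEADER}\n...\n-----END CERTIFICATE-----\n"
                                             "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"},
    },
    "keys": {
        "/etc/ssl/private/path_to_key.key": {"content": f"{PGP_HEADER}\n\nhQIM...\n-----END PGP MESSAGE-----\n"},
        "/etc/ssl/private/leaked.key": {"mode": "0644",
                                        "content": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"},
    },
}}

if __name__ == "__main__":
    for path, problem in audit_tls_pillar(SAMPLE_PILLAR):
        print(f"{path}: {problem}")
```

Run it as a pre-commit hook over the decrypted pillar on the master (never on minions, where the GPG key should not exist) and refuse the commit on any finding.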

All in all it’s a simple formula, but one that’s proven to be quite nifty nonetheless.