Create an OpenSSH certificate and return an encoded version of it.

.. note::

    All parameters that take a public key or private key can be specified either as a string or a path to a local file encoded for OpenSSH.
```python
def create_certificate(
    ca_server=None,
    signing_policy=None,
    path=None,
    overwrite=False,
    raw=False,
    **kwargs,
):
    """
    Create an OpenSSH certificate and return an encoded version of it.

    .. note::

        All parameters that take a public key or private key
        can be specified either as a string or a path to a
        local file encoded for OpenSSH.

    CLI Example:

    .. code-block:: bash

        salt-ssh '*' ssh_pki.create_certificate private_key=/root/.ssh/id_rsa signing_private_key='/etc/pki/ssh/myca.key'

    ca_server
        Request a remotely signed certificate from another minion acting as
        a CA server. For this to work, a ``signing_policy`` must be specified,
        and that same policy must be configured on the ca_server. See `Signing policies`_
        for details. Also, the Salt master must permit peers to call the
        ``sign_remote_certificate`` function, see `Peer communication`_.

    signing_policy
        The name of a configured signing policy. Parameters specified in there
        are hardcoded and cannot be overridden. This is required for remote signing,
        otherwise optional. See `Signing policies`_ for details.

    copypath
        Create a copy of the issued certificate in this directory.
        The file will be named ``<serial_number>.crt``.

    path
        Instead of returning the certificate, write it to this file path.

    overwrite
        If ``path`` is specified and the file exists, do not overwrite it.
        Defaults to false.

    raw
        Return the encoded raw bytes instead of a string. Defaults to false.

    cert_type
        The certificate type to generate. Either ``user`` or ``host``.
        Required if not specified in the signing policy.

    private_key
        The private key corresponding to the public key the certificate should
        be issued for. Either this or ``public_key`` is required.

    private_key_passphrase
```
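After issuance it is worth confirming that the certificate really carries the ``cert_type``, principals and validity window the signing policy was meant to enforce. The following is an added example, not part of Salt or the ``ssh_pki`` module: it assumes the returned string is the usual single-line OpenSSH form, handles Ed25519 certificates only, and does not verify the CA signature. ``inspect_certificate`` and ``SAMPLE`` are hypothetical names.

```python
import base64
import struct

CERT_TYPES = {1: "user", 2: "host"}  # type field values from OpenSSH PROTOCOL.certkeys
ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"

def _string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def inspect_certificate(line):
    """Return the security-relevant fields of an encoded Ed25519 certificate line."""
    algo, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    name, off = _string(blob, 0)
    if name != ED25519_CERT or algo.encode() != name:
        raise ValueError("not an Ed25519 OpenSSH certificate")
    _nonce, off = _string(blob, off)
    _pubkey, off = _string(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)  # uint64 serial, uint32 type
    key_id, off = _string(blob, off + 12)
    packed, off = _string(blob, off)  # principals: strings packed inside one string
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    principals, pos = [], 0
    while pos < len(packed):
        principal, pos = _string(packed, pos)
        principals.append(principal.decode())
    return dict(cert_type=CERT_TYPES.get(ctype, f"unknown({ctype})"), serial=serial,
                key_id=key_id.decode(), principals=principals,
                valid_after=valid_after, valid_before=valid_before)

def _pack(value):
    """Encode bytes as an SSH 'string'; used only to build the sample below."""
    return struct.pack(">I", len(value)) + value

# Constructed sample: correct field layout, dummy key and signature bytes (not a valid cert).
_body = (_pack(ED25519_CERT) + _pack(b"\x00" * 32) + _pack(b"\x11" * 32)
         + struct.pack(">QI", 7, 2) + _pack(b"web01")
         + _pack(_pack(b"web01.example.com"))
         + struct.pack(">QQ", 1700000000, 1731536000)
         + _pack(b"") + _pack(b"") + _pack(b"") + _pack(b"\x22" * 51) + _pack(b"\x33" * 83))
SAMPLE = ED25519_CERT.decode() + " " + base64.b64encode(_body).decode() + " constructed"

if __name__ == "__main__":
    print(inspect_certificate(SAMPLE))
```

An empty ``principals`` list deserves attention in review, since OpenSSH treats a certificate without principals as valid for any principal.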