markt-de / puppet-acme

Centralized SSL certificate management using acme.sh and the ACME protocol
https://forge.puppet.com/markt/acme
Apache License 2.0

[ Feature Request ] --toPkcs #34

Closed harklib closed 4 months ago

harklib commented 2 years ago

Hello,

Would it be possible to add the functionality of '--toPkcs' to acme::certificate params? https://github.com/acmesh-official/acme.sh/wiki#3-how-to-get-pkcs12pfx-format

Use case: a Puppet-managed, Java-based application that uses SSL certs, but in keystore format. So the cert issued by acme.sh must be exported to PKCS#12 manually, or with the openssl Puppet module, on each cert lifecycle.

EDIT: I noticed this module supports posthooks. Is it possible to issue/renew a certificate to pkcs12 using a posthook_cmd?

Thanks, Brian

fraenki commented 4 months ago

Although this is a pretty old FR... Something simple like this should do the trick:

acme::certificate { $facts['networking']['fqdn']:
  use_profile => 'nsupdate_example',
  use_account => 'certmaster@example.com',
  ca          => 'letsencrypt',
}

$cert_file = "/etc/acme.sh/certs/${facts['networking']['fqdn']}/cert.pem"
$key_file = "/etc/acme.sh/keys/${facts['networking']['fqdn']}/private.key"
$pkcs12_file = "/etc/acme.sh/certs/${facts['networking']['fqdn']}/cert.pfx"
# Export password for the PKCS#12 bundle. Placeholder value; supply a real one (e.g. from Hiera/eyaml).
$pkcs12_pass = 'changeit'

exec { 'Convert certificate to pkcs12':
  # Write the bundle to the .pfx path (not back over cert.pem). The password is passed via the
  # environment rather than on the command line so it does not show up in the process list, and
  # -passout prevents openssl from blocking on an interactive prompt.
  command     => "openssl pkcs12 -export -in ${cert_file} -inkey ${key_file} -out ${pkcs12_file} -passout env:PKCS12_PASS",
  environment => ["PKCS12_PASS=${pkcs12_pass}"],
  path        => '/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin',
  refreshonly => true,
  # Only re-run when acme::certificate actually changes the certificate.
  subscribe   => Acme::Certificate[$facts['networking']['fqdn']],
}

puppet-openssl may also be used: https://github.com/voxpupuli/puppet-openssl?tab=readme-ov-file#opensslexportpkcs12

See also: https://github.com/markt-de/puppet-acme?tab=readme-ov-file#files-and-directories
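For the posthook route asked about in the request (and as the command body behind the exec above), the conversion can be done by a small script that also checks the key actually belongs to the certificate before bundling. The script below is an added example, not code from puppet-acme or from either commenter; the file layout follows the module's /etc/acme.sh/{certs,keys}/<domain>/ directories, while the function names, the optional chain-file argument and the password handling are assumptions made here.

```shell
#!/bin/sh
# Added example (not from puppet-acme): build a PKCS#12 bundle from an acme.sh
# issued certificate and private key, suitable for use as a Java keystore.
#
# to_pkcs12 CERT_PEM KEY_PEM OUT_PFX PASSWORD [CHAIN_PEM]
#   CHAIN_PEM is optional; when given it is added with -certfile so the
#   keystore carries the intermediate(s) as well as the leaf certificate.
to_pkcs12() {
    cert=$1; key=$2; out=$3; pass=$4; chain=${5:-}

    # Refuse to bundle a private key that does not match the certificate:
    # compare the public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "to_pkcs12: private key does not match certificate $cert" >&2
        return 1
    fi

    # Friendly name for the entry = the domain directory the cert lives in.
    alias_name=$(basename "$(dirname "$cert")")

    # umask in a subshell so the .pfx (which contains the private key) is created
    # mode 0600 without changing the umask of the calling shell. The password is
    # handed to openssl via the environment, keeping it out of the process list.
    (
        umask 077
        PKCS12_PASS=$pass
        export PKCS12_PASS
        if [ -n "$chain" ]; then
            openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
                -name "$alias_name" -out "$out" -passout env:PKCS12_PASS
        else
            openssl pkcs12 -export -in "$cert" -inkey "$key" \
                -name "$alias_name" -out "$out" -passout env:PKCS12_PASS
        fi
    )
}

# pkcs12_subject OUT_PFX PASSWORD
#   Prints the subject of the leaf certificate stored in the bundle; handy as a
#   post-conversion sanity check in a posthook or in a Puppet exec's onlyif/unless.
pkcs12_subject() {
    PKCS12_PASS=$2 openssl pkcs12 -in "$1" -passin env:PKCS12_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Example invocation for a posthook on a puppet-acme host (paths per the module's
# README; the domain and password are placeholders):
#   d=www.example.com
#   to_pkcs12 /etc/acme.sh/certs/$d/cert.pem /etc/acme.sh/keys/$d/private.key \
#             /etc/acme.sh/certs/$d/cert.pfx "$PFX_PASSWORD" /etc/acme.sh/certs/$d/chain.pem
#   pkcs12_subject /etc/acme.sh/certs/$d/cert.pfx "$PFX_PASSWORD"
```

Since Java 9 a PKCS#12 file can be used directly as the keystore, so no keytool import step is needed. One caveat worth knowing: OpenSSL 3 writes PKCS#12 bundles with AES and PBKDF2 by default, which some older JDKs cannot read; for those, add `-legacy` (or explicit `-keypbe`/`-certpbe` algorithms) to the export command.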