Initial Release

CHANGELOG

@@ -0,0 +1,2 @@
+2013-08-22 1.0.0
+- Initial Release. Create the database, add certificates.

LICENSE

@@ -0,0 +1,13 @@
+Copyright 2013 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

README.md

@@ -0,0 +1,4 @@
+# nssdb puppet module
+
+very simple puppet module to create an NSS database and add a certificate
+and key via PEM files.

manifests/add_cert_and_key.pp

@@ -0,0 +1,57 @@
+# Loads a certificate and key into an NSS database. 
+#
+# Parameters:
+#   $dbname           - required - the directory to store the db
+#   $nickname         - required - the nickname for the NSS certificate
+#   $cert             - required - path to certificate in PEM format
+#   $key              - required - path to unencrypted key in PEM format
+#   $basedir          - optional - defaults to /etc/pki
+#
+# Actions:
+#   loads certificate and key into the NSS database.
+#
+# Requires:
+#   $dbname
+#   $nickname
+#   $cert
+#   $key
+#
+# Sample Usage:
+# 
+#      nssdb::add_cert_and_key{"qpidd":
+#        nickname=> 'Server-Cert',
+#        cert => '/tmp/server.crt',
+#        key  => '/tmp/server.key',
+#      }
+#
+define nssdb::add_cert_and_key (
+  $dbname = $title,
+  $nickname,
+  $cert,
+  $key,
+  $basedir = '/etc/pki'
+) {
+  package { 'openssl': ensure => present }
+
+  exec {'generate_pkcs12':
+    command => "/usr/bin/openssl pkcs12 -export -in $cert -inkey $key -password 'file:${basedir}/${dbname}/password.conf' -out '${basedir}/${dbname}/$dbname.p12' -name $nickname",
+    require => [
+        File["${basedir}/${dbname}/password.conf"],
+        File["${basedir}/${dbname}/cert8.db"],
+        Package['openssl'],
+    ],
+    before => Exec['load_pkcs12'],
+    notify => Exec['load_pkcs12'],
+    subscribe => File["${basedir}/${dbname}/password.conf"],
+    refreshonly => true,
+  }
+
+  exec {'load_pkcs12':
+    command => "/usr/bin/pk12util -i '${basedir}/${dbname}/$dbname.p12' -d '${basedir}/${dbname}' -w '${basedir}/${dbname}/password.conf' -k '${basedir}/${dbname}/password.conf'",
+    require => [
+        Exec["generate_pkcs12"],
+        Package['nss-tools'],
+    ],
+    refreshonly => true,
+  }
+}

manifests/create.pp

@@ -0,0 +1,92 @@
+# Create an empty NSS database with a password file.
+#
+# Parameters:
+#   $dbname           - required - the directory to store the db
+#   $owner_id         - required - the file/directory user
+#   $group_id         - required - the file/directory group
+#   $password         - required - password to set on the database
+#   $basedir          - optional - defaults to /etc/pki
+#   $cacert           - optional - path to CA certificate in PEM format
+#   $canickname       - default CA nickname
+#   $catrust          - default CT,CT,
+#
+# Actions:
+#   creates a new NSS database, consisting of 4 files:
+#      cert8.db, key3.db, secmod.db and a password file, password.conf
+#
+# Requires:
+#   $dbname must be set
+#   $owner_id must be set
+#   $group_id must be set
+#   $password must be set
+#
+# Sample Usage:
+# 
+# secure::nssdb {'test':
+#    owner_id => 'qpidd',
+#    group_id => 'qpidd',
+#    password => 'test'}
+#
+# This will create an NSS database in /etc/pki/test
+#
+define nssdb::create (
+  $dbname = $title,
+  $owner_id,
+  $group_id,
+  $password,
+  $basedir = '/etc/pki',
+  $cacert = '/etc/pki/certs/CA/ca.crt',
+  $canickname = 'CA',
+  $catrust = 'CT,CT,'
+) {
+  package { 'nss-tools': ensure => present }
+
+  file {"${basedir}/${dbname}":
+    ensure  => directory,
+    mode    => 0600,
+    owner   => $owner_id,
+    group   => $group_id,
+  }
+  file {"${basedir}/${dbname}/password.conf":
+    ensure  => file,
+    mode    => 0600,
+    owner   => $owner_id,
+    group   => $group_id,
+    content => $password,
+    require => [
+        File["${basedir}/${dbname}"],
+    ],
+  }
+  file { ["${basedir}/${dbname}/cert8.db", "${basedir}/${dbname}/key3.db", "${basedir}/${dbname}/secmod.db"] :
+    ensure  => file,
+    mode    => 0600,
+    owner   => $owner_id,
+    group   => $group_id,
+    require => [
+        File["${basedir}/${dbname}/password.conf"],
+        Exec['create_nss_db'],
+    ],
+  }
+
+  exec {'create_nss_db':
+    command => "/usr/bin/certutil -N -d ${basedir}/${dbname} -f ${basedir}/${dbname}/password.conf",
+    creates => ["${basedir}/${dbname}/cert8.db", "${basedir}/${dbname}/key3.db", "${basedir}/${dbname}/secmod.db"],
+    require => [
+        File["${basedir}/${dbname}"],
+        File["${basedir}/${dbname}/password.conf"],
+        Package['nss-tools'],
+    ],
+      notify => [
+        Exec["add_ca_cert"],
+      ],
+  }
+
+  exec {'add_ca_cert':
+    command => "/usr/bin/certutil -A -n ${canickname} -d ${basedir}/${dbname} -t ${catrust} -a -i ${cacert}",
+    require => [
+        Package['nss-tools'],
+    ],
+    refreshonly => true,
+    onlyif => "/usr/bin/test -e $cacert",
+  }
+}

tests/create.pp

@@ -0,0 +1,27 @@
+# NOTE: This requires that the directory /tmp/nssdb already exists
+
+# Create a test database owned by the user rcrit
+nssdb::create {'test':
+  owner_id => 'rcrit',
+  group_id => 'rcrit',
+  password => 'test',
+  cacert   => '/etc/ipa/ca.crt',
+  catrust  => 'CT,,',
+  basedir  => '/tmp/nssdb',
+}
+
+# Add a certificate and private key from PEM fiels
+nssdb::add_cert_and_key {'test':
+  cert     => '/tmp/cert.pem',
+  key      => '/tmp/key.pem',
+  nickname => 'test',
+  basedir  => '/tmp/nssdb',
+}
+
+# You can confirm that things are loaded properly with:
+#
+# List the certs:
+# certutil -L -d /tmp/nssdb/test
+#
+# Verify the cert:
+# certutil -V -u V -d /tmp/nssdb/test -n test