Use puppet-openssl to handle the backend

.fixtures.yml

@@ -1,6 +1,9 @@
 fixtures:
   repositories:
-    extlib:            "https://github.com/voxpupuli/puppet-extlib"
-    foreman:           "https://github.com/theforeman/puppet-foreman"
-    redis:             "https://github.com/voxpupuli/puppet-redis"
-    stdlib:            "https://github.com/puppetlabs/puppetlabs-stdlib"
+    extlib: "https://github.com/voxpupuli/puppet-extlib"
+    foreman: "https://github.com/theforeman/puppet-foreman"
+    openssl:
+      repo: "https://github.com/ehelms/puppet-openssl"
+      branch: "ca-password"
+    redis: "https://github.com/voxpupuli/puppet-redis"
+    stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib"

fixtures/katello-certs-tool-ca/katello-default-ca.crt

@@ -0,0 +1,40 @@
+-----BEGIN CERTIFICATE-----
+MIIG/zCCBOegAwIBAgIUEJSPbzfROxOw3z7dxrx7JZ8DmvEwDQYJKoZIhvcNAQEL
+BQAwgYExCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4G
+A1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29tZU9y
+Z1VuaXQxHzAdBgNVBAMMFmNlbnRvczgtNjQuZXhhbXBsZS5jb20wHhcNMjQwNTIw
+MjIzNTI5WhcNMzgwMTE3MjIzNTI5WjCBgTELMAkGA1UEBhMCVVMxFzAVBgNVBAgM
+Dk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdLYXRl
+bGxvMRQwEgYDVQQLDAtTb21lT3JnVW5pdDEfMB0GA1UEAwwWY2VudG9zOC02NC5l
+eGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALaSYmvi
+t4ocOb2h71lqfCx/e/11I+uA9JIYvdYv3JIDgyXqqM6hLJJZU0rHEcVcE+dUDw2L
+UB2Sg+S1vXM4LhpBTKUvXpc6tlDFPNUszifIlk6+mOVu7T1ls070PWQbQ9oRyebV
+nlnXjb7ffObcVWGHZTci8kyAXwOjiDKQF2KqBBc3PpppuFNFw8wEASfCgCVerTBa
+ViFn6E6psikhe1j92cwPfJun/bVreNdoPNwsLJ6D6jm5sIpms6LdwEScRuweB3OG
+5vmsb/7m35yvv35jypI1o4PtwJxHxcDHphnC3d8iNrBZ8kS8XpCIIWtQI5M3Ofb8
+wvwKzyLt/r8mvI6GKm6/IwoK2k1nNGw22XUKdwWdAGgId4tdhXAfVuIUsvTmv9ce
+m4nhmf32r2GGnIVAOQy7ZuBTh/7zXsFgVd6xl/nA8vOUYNEzlY+uC/jv/jeFQSyG
+LcURzrsFEMya1Tl1S5UhIYI2LqCqywkF4EbY8VBijroX/EOK51Rf8i0A4GUS6E2i
+EvMnhNXXnmpFKx60stABYBRIuXzF0kOufuO2DPPpvyQ5dR24e6gGnND9o83lUh58
+mjuUwhCqnwEwg6N54HVas7nPG5lcLWPgcAxWnIHdmIeSgsrEVoRBUQUvqvX2iilw
+dSoKq9UiKsht1pQV2AspJ0VSxS0WbYcCwLihAgMBAAGjggFrMIIBZzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBpjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwEQYJYIZIAYb4QgEBBAQDAgJEMDUGCWCGSAGG+EIBDQQoFiZLYXRlbGxvIFNT
+TCBUb29sIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUNlbGdCK5ZAa9
+N7gZPsS0FSO5t9kwgcEGA1UdIwSBuTCBtoAUNlbGdCK5ZAa9N7gZPsS0FSO5t9mh
+gYekgYQwgYExCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQ
+MA4GA1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29t
+ZU9yZ1VuaXQxHzAdBgNVBAMMFmNlbnRvczgtNjQuZXhhbXBsZS5jb22CFBCUj283
+0TsTsN8+3ca8eyWfA5rxMA0GCSqGSIb3DQEBCwUAA4ICAQBvhQKiEmKr9oGpgTQ3
+MHg+5iJsFyLL5IPN7JHp8tuFzX5+pHaLl4sgmNIOVxL1Ft4I0JkgPimFViqsJPAz
+trUl5mZBW1MchA7H7+Qi/ZCctpk0fi04WeM+O0tpm9OPzlGGL5mQekCDQ1S7p+3M
+xnk+rnIT6nmgqV5rg9cM+228Rd4cngU3HNsM8xx91UXKjz5eL9DIotl3iVU9wsQ1
+X1Pi6+qHMPp7JrXBYmqbxTCDupBWpgWYyb4uw63TO/MVQBjck9RLgx3++hR7WUnC
+VG0ONFPN41InSu+0EdA0fbM7zC3MjlwsX3WSPI39THRVQfyRrrglPMlt7bW8d5eb
+gILD/e0kn1J0OmFchj5v3eUWdbCMnKCelJkhlwDGpirRu+kXRKy0zFGDkR+z8kvz
+YBIdDEFyJ4qINAWNP4HHQkHUd/aDpHSbfAojVwEj1lsdHO4LJqpBp/LulBPm86D7
+hBj86kv7YqXn/vOlZ4iGAoeA94PXORABZdPIlfkLGTRbHRPp2BcT06piwB8hwaAL
+XrjWptfB3C1CFn81K86m6aBAkz83EYC+YkED23HVpUwpDEaViuDtUt74SfxuvW8H
+/W+sZzlezCgwdIpkuC9M64HyHPuIuIbu0zZVSeMHvHwEbRMJeq3rwOZsuPLDkT3K
+gxbEhBEPxtdiAzmH3W9+isXTng==
+-----END CERTIFICATE-----

fixtures/katello-certs-tool-ca/katello-default-ca.key

@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIOklCZ8PO84QCAggA
+MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBBr1RbWYKKKaEbyQpATz7vABIIJ
+UEEj0gg4PP+JNEwcroBIvyNWaa+dTaOWQGp6yt6ewHpXB9a1gclci4XbyX7Jtw8S
+WTOSR1vGrOARFTgLoXMLwy/XEKvm0ljKdWt8P1OMcYvbQnMvxs3Wq2xB7XIpF0iL
+2/M2MD8c7OFEutJ583uXfyT2PjJjbHR+GQf0feeef5Q8s4s92+QNEGclFDqwWYOK
+3zpINt6JD2XuyoLuJQW0NfsMZxy8FbefOrV4ThEunxQ8dfmBMrGEn5i2yylzqNLN
+oR6Zlk/0LYBGgSNAMfCBSyTscHed0kwr4ggI7EUcjEd7q1eSDLFIh9jEpGook18e
+eczkIu3BR5EcQafnnCn9+qNwDwFcbTxtSly7ol6zMaRas/ABja+ULHVoD31elI77
+6hGCQNTDwywn4sq5JAMC23A4uqVvHZBh5+kF/cr+YeItOZgVqj3gL1PxK0yZRoL9
+aHmqvYykvBnyrrIhaP08uCRGp7n6mzpx+oxyfXvzByOVwFw7TFe3sgiBPDzxwzGt
+3qumvdQWhDoOa6bdoiaVou/dWrWOIWj+qpCPF3GZRzCDDBMMVSmtzncDJw20cBXG
+7PwcMEqhFLkrxGCh0i6yHGxH8djxIxdkzsjd1GStLEdooRk4tuyfblu3teizM7sb
+OtjR6anCpEZpil83q/o3CUs/9jNsJ9DxoYERUSONzUStpCWHHZwpPjx88BTCLch+
+USO8XbhbVMccSp2ZdRrjxjhpR1Wc3sjwprVmcGBlvaOhOA3tg+AIi8dQwWEUxN34
+1EQqKbdtcKNvaj2SrM7+ljG9CxO4N13UfE0SNAihDsFFT7Br8C+0cf4Io4egvY2N
+eEjlZUSaY2xkCzKpkHb/fH3CGQvh9sGx5/FCHqM0dqveqKKhKwUcNNTSa869My8h
+7VmhtGIhkpZBaX8U1LM2fa1n6MH/6rYQbWqtikYvbsSGTOjsVAUjd0/2nrKi3o6G
+H1wofcZVW9QaOlyjM1cdSBBGlPxmDL90NUcRmj5agNuWRLHLEC8vB++MlfBp4Y2K
+Jax+wtYlrSFeBkYbPwvjUHFkRNxT0PBtegRd9WCFosNbgyRAHQRwwZw1cvIPy/92
+fMsTwImQ52vpjyWlN9qZmUsintZ8ChHaPLAeZ04KRU2Y05UwzmQrxHySCaCcuTjp
+Ge5cVrkqkfL2KnCGbkigyoK88v+2LdCWs1HI64mVNGFgLNdPXIDe01YpdkqtYuB+
+2e7PrbacFYjKSbQllZ95TvMSZ6KVr3BX9AVot68epR+JpNg+6DS9liz+Mgj+113A
+SQqDw7wPeAjNudrRBnaaaQx4wuYrqNEBJR6PjgzbMBymtaSCFzBGYfSqJb4BXaBS
+XTBYsxtXyyQSZjLRKg19ljIIowC/E4NKG4ftwmbWSauyIQnW0cjDFiuQNUqSQLI+
+FmCsXU4+VLfSQc7TOfdRi8fLNy9wcChWreSXj8eM5pWJnYpBc/hFEpQndTFwmzqw
+wZEOBpBN0TzlQLy5zhK3ukEk5+aSn0GZyMiSr104bGwIzI9tg9eX3qWvyZe2DLyb
+IOBnYW2cr5O+RUDLV7fWE9s9/RLNNLYJPFl6fdTjzqPjP8wyFe1StUYa+xXjzsm0
+ZPc4GedK5gfy79sSSsNblXx7EWRPjA6cTmAA6xmI0pF4HbuQBIUyPBkqbmlaCGxA
+ex8N+dlWFjaRW7CWwoXYlYqE+iuhGcmplnfxk0AxlawfNdFjc6LMRvA7fchMqaXV
+n+95YVrrU1e6f/oTFKwBRlVpb4ii0f8Udj+6aEg5xMPiib2omGX5yvNBR3w4xT5c
+a6i3usk3E4akD9SaXLLCP80qEuELMhINiEyH97bnj+KfKFT4EOLCg+943ESsI0yD
+b2bGnM6w744uQtRDjvXIQMorz4t+ouHCWGmmKUJzh2Bt8ekFis+H3X8y4WKvB5mU
+SyFycGLlKM/ZgAXeFT9k2Kov8sBYIEycx4+bhL7L5CqF53xf4Q1WoHcM8ONhqGr9
+/YLM9ImYtto9li8Zlb8mYCUZGZfLK0MSd4QXqVzcV47kSOOtQLVM5KXpjR/zvEgc
+945XxLFXBvSKwqcNrmXjAa3PNbu7jIj1Ks5KFc9XlRhG8mya3ik7NKGG1DOXdsjt
+FesUyn4OyP5nxjHW+64l4A06zUZoEeeJgxoPNs31ZmoWmSkVUDP+cXJUBhkc5UnX
+YwShsw7EWzZI48Wmivo6yuqFPB1+VYyPk0iMRWctF3r31qSFrKYx+e3Juk/jUuUt
+Z6qqE1eKd+/loOgg8nzOqCwHKbvI4wugQYuEgu4ANkNV+/SLqpxlwy8s2XF0cpUg
+RoJOT37dr/n6zH2mdQHUhUuh4iQAX1fL34IDxuefFYA+bqx8ln8iOv16qIeOjyny
+wuqo0SYDMBjZBIHxUQ9T4Y6CZ/nyfb89v5FJEuMmH22bUy/KMgasWZ7sFhE7/31G
+E0FCWGtDsEIvNoAVEsDsSWHcYSvxNOaIMOtfvz8Ya09US3+fLIohbuDbXmeHflKo
+L1cjvhH/caUulhqtF6AMtlAV4sRcdxyZfcA8HkHpRJSnJe2IabLLowCESnlOgCgt
+RWvsTrSaglTL1/UeNe5aI01WYEwFb4N/ADtzUOqmYNpdxbLPwfQ3QazQ1co3SMXq
+h1nbiCjZXxQaMzEKNlxxPGYAmqpk6opZy6bgN+GorI5kjyrqGlkILJH0GdHM4EwF
+ZAL/SwjXdypHrl9gSjFxorL2dwFofmPTThgrujA0oD9X8ccQnDVzfcYKhgtJteFQ
+zaeNljAsfuUY2Sqyf5VxSwtlHrOOBNjVbi+RFg57znpXKSWbno3I4JimVaqR6Qly
+lE+bj1xIfrf/71FKj8EshthQhWBwjxf1eFg9lq3UEeuOEDIJH4ZcrBcYwLeVSmiZ
+i+tiHnfqeU8/sFAQFYVBtsDZhDYV9Cr2bYHYYDvf4tSo8jf0xI0YLQVw/8iobld2
+7rATD7ho9h6GE7UaU0OMePivGXJpK1If4IJUi6UCF+ibiILREehSBUmR9oE5jQrz
+GRL8zu4/8sP+mw9LA0sxL5DG0eX6x/lJ4VTMFAlUiJH5DWt5bW9zNke5rMnTrBmN
+spQ/vkC1W5YTH9RY5H6d5Sa1ft/OJbWqrbxAB5U73YCx4a18lb0r6Nkqb8JcYUCU
+FamldCh+SbP3xYt9Mn7COqEM6jyUNyjXW8zew8Ksm9Ii
+-----END ENCRYPTED PRIVATE KEY-----

fixtures/katello-certs-tool-ca/katello-default-ca.pwd

@@ -0,0 +1 @@
+WJiNgAHTJia2249gwxCGk9VT

fixtures/katello-certs-tool-ca/katello-server-ca.crt

@@ -0,0 +1,40 @@
+-----BEGIN CERTIFICATE-----
+MIIG/zCCBOegAwIBAgIUEJSPbzfROxOw3z7dxrx7JZ8DmvEwDQYJKoZIhvcNAQEL
+BQAwgYExCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4G
+A1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29tZU9y
+Z1VuaXQxHzAdBgNVBAMMFmNlbnRvczgtNjQuZXhhbXBsZS5jb20wHhcNMjQwNTIw
+MjIzNTI5WhcNMzgwMTE3MjIzNTI5WjCBgTELMAkGA1UEBhMCVVMxFzAVBgNVBAgM
+Dk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdLYXRl
+bGxvMRQwEgYDVQQLDAtTb21lT3JnVW5pdDEfMB0GA1UEAwwWY2VudG9zOC02NC5l
+eGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALaSYmvi
+t4ocOb2h71lqfCx/e/11I+uA9JIYvdYv3JIDgyXqqM6hLJJZU0rHEcVcE+dUDw2L
+UB2Sg+S1vXM4LhpBTKUvXpc6tlDFPNUszifIlk6+mOVu7T1ls070PWQbQ9oRyebV
+nlnXjb7ffObcVWGHZTci8kyAXwOjiDKQF2KqBBc3PpppuFNFw8wEASfCgCVerTBa
+ViFn6E6psikhe1j92cwPfJun/bVreNdoPNwsLJ6D6jm5sIpms6LdwEScRuweB3OG
+5vmsb/7m35yvv35jypI1o4PtwJxHxcDHphnC3d8iNrBZ8kS8XpCIIWtQI5M3Ofb8
+wvwKzyLt/r8mvI6GKm6/IwoK2k1nNGw22XUKdwWdAGgId4tdhXAfVuIUsvTmv9ce
+m4nhmf32r2GGnIVAOQy7ZuBTh/7zXsFgVd6xl/nA8vOUYNEzlY+uC/jv/jeFQSyG
+LcURzrsFEMya1Tl1S5UhIYI2LqCqywkF4EbY8VBijroX/EOK51Rf8i0A4GUS6E2i
+EvMnhNXXnmpFKx60stABYBRIuXzF0kOufuO2DPPpvyQ5dR24e6gGnND9o83lUh58
+mjuUwhCqnwEwg6N54HVas7nPG5lcLWPgcAxWnIHdmIeSgsrEVoRBUQUvqvX2iilw
+dSoKq9UiKsht1pQV2AspJ0VSxS0WbYcCwLihAgMBAAGjggFrMIIBZzAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBpjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwEQYJYIZIAYb4QgEBBAQDAgJEMDUGCWCGSAGG+EIBDQQoFiZLYXRlbGxvIFNT
+TCBUb29sIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUNlbGdCK5ZAa9
+N7gZPsS0FSO5t9kwgcEGA1UdIwSBuTCBtoAUNlbGdCK5ZAa9N7gZPsS0FSO5t9mh
+gYekgYQwgYExCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQ
+MA4GA1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29t
+ZU9yZ1VuaXQxHzAdBgNVBAMMFmNlbnRvczgtNjQuZXhhbXBsZS5jb22CFBCUj283
+0TsTsN8+3ca8eyWfA5rxMA0GCSqGSIb3DQEBCwUAA4ICAQBvhQKiEmKr9oGpgTQ3
+MHg+5iJsFyLL5IPN7JHp8tuFzX5+pHaLl4sgmNIOVxL1Ft4I0JkgPimFViqsJPAz
+trUl5mZBW1MchA7H7+Qi/ZCctpk0fi04WeM+O0tpm9OPzlGGL5mQekCDQ1S7p+3M
+xnk+rnIT6nmgqV5rg9cM+228Rd4cngU3HNsM8xx91UXKjz5eL9DIotl3iVU9wsQ1
+X1Pi6+qHMPp7JrXBYmqbxTCDupBWpgWYyb4uw63TO/MVQBjck9RLgx3++hR7WUnC
+VG0ONFPN41InSu+0EdA0fbM7zC3MjlwsX3WSPI39THRVQfyRrrglPMlt7bW8d5eb
+gILD/e0kn1J0OmFchj5v3eUWdbCMnKCelJkhlwDGpirRu+kXRKy0zFGDkR+z8kvz
+YBIdDEFyJ4qINAWNP4HHQkHUd/aDpHSbfAojVwEj1lsdHO4LJqpBp/LulBPm86D7
+hBj86kv7YqXn/vOlZ4iGAoeA94PXORABZdPIlfkLGTRbHRPp2BcT06piwB8hwaAL
+XrjWptfB3C1CFn81K86m6aBAkz83EYC+YkED23HVpUwpDEaViuDtUt74SfxuvW8H
+/W+sZzlezCgwdIpkuC9M64HyHPuIuIbu0zZVSeMHvHwEbRMJeq3rwOZsuPLDkT3K
+gxbEhBEPxtdiAzmH3W9+isXTng==
+-----END CERTIFICATE-----

manifests/apache.pp

@@ -59,7 +59,7 @@
   String $city = $certs::city,
   String $org = $certs::org,
   String $org_unit = $certs::org_unit,
-  String $expiration = $certs::expiration,
+  Variant[Integer, String] $expiration = $certs::expiration,
   Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file,
   String $group = $certs::group,
 ) inherits certs {
@@ -71,7 +71,7 @@
 
   $apache_cert_path = "${certs::ssl_build_dir}/${hostname}/${apache_cert_name}"
 
-  if $server_cert {
+  if $generate {
     ensure_resource(
       'file',
       "${certs::ssl_build_dir}/${hostname}",
@@ -82,41 +82,47 @@
         'mode'   => '0750',
       }
     )
-    file { "${apache_cert_path}.crt":
-      ensure => file,
-      source => $server_cert,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0440',
-    }
-    file { "${apache_cert_path}.key":
-      ensure => file,
-      source => $server_key,
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0440',
-    }
 
-    $require_cert = File["${apache_cert_path}.crt"]
-  } else {
-    cert { $apache_cert_name:
-      ensure        => present,
-      hostname      => $hostname,
-      cname         => $cname,
-      country       => $country,
-      state         => $state,
-      city          => $city,
-      org           => $org,
-      org_unit      => $org_unit,
-      expiration    => $expiration,
-      ca            => $certs::default_ca,
-      generate      => $generate,
-      regenerate    => $regenerate,
-      password_file => $ca_key_password_file,
-      build_dir     => $certs::ssl_build_dir,
-    }
+    if $server_cert {
+      file { "${apache_cert_path}.crt":
+        ensure => file,
+        source => $server_cert,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0440',
+      }
+      file { "${apache_cert_path}.key":
+        ensure => file,
+        source => $server_key,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0440',
+      }
+
+      $require_cert = File["${apache_cert_path}.crt"]
+    } else {
+      openssl::certificate::x509 { $apache_cert_name:
+        ensure         => present,
+        commonname     => $hostname,
+        country        => $country,
+        state          => $state,
+        locality       => $city,
+        organization   => $org,
+        unit           => $org_unit,
+        altnames       => $cname,
+        extkeyusage    => ['serverAuth', 'clientAuth'],
+        days           => $expiration,
+        base_dir       => "${certs::ssl_build_dir}/${hostname}",
+        key_size       => 4096,
+        force          => true,
+        encrypted      => false,
+        ca             => "${certs::ssl_build_dir}/${certs::default_ca_name}.crt",
+        cakey          => "${certs::ssl_build_dir}/${certs::default_ca_name}.key",
+        cakey_password => $certs::ca_key_password,
+      }
 
-    $require_cert = Cert[$apache_cert_name]
+      $require_cert = X509_cert["${apache_cert_path}.crt"]
+    }
   }
 
   if $deploy {

manifests/ca.pp

@@ -30,19 +30,35 @@
     group     => 'root',
     mode      => '0400',
     show_diff => false,
-  } ~>
-  ca { $default_ca_name:
-    ensure        => present,
-    common_name   => $ca_common_name,
-    country       => $country,
-    state         => $state,
-    city          => $city,
-    org           => $org,
-    org_unit      => $org_unit,
-    expiration    => $ca_expiration,
-    generate      => $generate,
-    password_file => $ca_key_password_file,
-    build_dir     => $certs::ssl_build_dir,
+  }
+
+  openssl::config { "${certs::ssl_build_dir}/ca.cnf":
+    ensure            => 'present',
+    commonname        => $certs::node_fqdn,
+    country           => $country,
+    state             => $state,
+    locality          => $city,
+    organization      => $org,
+    unit              => $org_unit,
+    default_keyfile   => "${default_ca_name}.key",
+    basicconstraints  => ['CA:true'],
+    keyusages         => ['digitalSignature', 'keyEncipherment', 'keyCertSign', 'cRLSign'],
+    extendedkeyusages => ['serverAuth', 'clientAuth'],
+  }
+
+  ssl_pkey { "${certs::ssl_build_dir}/${default_ca_name}.key":
+    ensure   => 'present',
+    password => $ca_key_password,
+    size     => '4096',
+  }
+
+  x509_cert { "${certs::ssl_build_dir}/${default_ca_name}.crt":
+    ensure      => 'present',
+    private_key => "${certs::ssl_build_dir}/${default_ca_name}.key",
+    days        => $ca_expiration,
+    template    => "${certs::ssl_build_dir}/ca.cnf",
+    password    => $ca_key_password,
+    require     => File["${certs::ssl_build_dir}/ca.cnf"],
   }
 
   if $certs::server_ca_cert {
@@ -55,37 +71,32 @@
     }
   } else {
     file { $server_ca_path:
-      ensure => file,
-      source => "${certs::ssl_build_dir}/${default_ca_name}.crt",
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0644',
-    }
-  }
-
-  if $generate {
-    file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT":
-      ensure  => link,
-      target  => $server_ca_path,
-      require => File[$server_ca_path],
+      ensure  => file,
+      source  => "${certs::ssl_build_dir}/${default_ca_name}.crt",
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      require => X509_cert["${certs::ssl_build_dir}/${default_ca_name}.crt"],
     }
   }
 
   if $deploy {
     file { $certs::katello_default_ca_cert:
-      ensure => file,
-      source => "${certs::ssl_build_dir}/${default_ca_name}.crt",
-      owner  => 'root',
-      group  => 'root',
-      mode   => '0644',
+      ensure  => file,
+      source  => "${certs::ssl_build_dir}/${default_ca_name}.crt",
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      require => X509_cert["${certs::ssl_build_dir}/${default_ca_name}.crt"],
     }
 
     file { $katello_server_ca_cert:
-      ensure => file,
-      source => $server_ca_path,
-      owner  => $owner,
-      group  => $group,
-      mode   => '0644',
+      ensure  => file,
+      source  => $server_ca_path,
+      owner   => $owner,
+      group   => $group,
+      mode    => '0644',
+      require => File[$server_ca_path],
     }
   }
 }