I’m going to install a couple of services – SMTP (exim) and IMAP (dovecot) – and I want to share the SSL key and certificate between them. Having separate certificates for each is additional hassle when it comes to updating them.
Thus I’ve got an sslcerts.sls file to manage the certificate installation, which I can share between exim.sls and dovecot.sls.
srv/salt/sslcerts.sls

# SSL cert and key

# Ensure the group ssl-cert exists
ssl-cert:
  group.present:
    - system: True

# Ensure that the ssl-cert group has access to the directory
/etc/ssl/private:
  file.directory:
    - user: root
    - group: ssl-cert
    - mode: '0750'  # rwxr-x---

# Manage the certificate
/etc/ssl/certs/info.river-innovations.com.cert:
  file.managed:
    - source: salt://sslcerts/info.river-innovations.com.cert
    - user: root
    - group: root
    - mode: '0644'  # rw-r--r--

# Manage the key
/etc/ssl/private/info.river-innovations.com.key:
  file.managed:
    - source: salt://sslcerts/info.river-innovations.com.key
    - user: root
    - group: ssl-cert
    - mode: '0640'  # rw-r-----
The key and certificate are placed into the /etc/ssl directory structure which is where Debian puts its own keys and certificates. I make sure that the keys can be accessed by members of the ssl-cert group. Certificates can be read by anyone.
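Once Salt has applied the state, it is worth being able to confirm on the minion that the files really do match the intended model (key readable only by root and the ssl-cert group, certificate readable by anyone, nothing private reachable by "other"). The following audit script is an added example, not part of the original post and not a Salt or Debian tool; it mirrors the ownership and mode policy from the state above as a list and reports every deviation. The `write_sample_layout` helper builds a constructed scratch tree with the same shape so the audit can be exercised without root; the real `/etc/ssl` paths and the `ssl-cert` group are those from the state file, and the expected user and group for the scratch tree are assumed to be the invoking process's own.

```python
"""Audit deployed TLS files against the ownership/mode policy declared in
sslcerts.sls (added example; not from the original post or from Salt)."""
import grp
import os
import pwd
import stat
import tempfile

# Policy mirroring the state file: (path, mode, user, group, private).
# "private" marks items that must never be accessible to 'other'.
TLS_FILE_POLICY = [
    ("/etc/ssl/private", 0o750, "root", "ssl-cert", True),
    ("/etc/ssl/certs/info.river-innovations.com.cert", 0o644, "root", "root", False),
    ("/etc/ssl/private/info.river-innovations.com.key", 0o640, "root", "ssl-cert", True),
]


def uid_name(uid):
    """User name for a uid, or the numeric id if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def gid_name(gid):
    """Group name for a gid, or the numeric id if it has no group entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_path(path, mode, user, group, private):
    """Return a list of findings for one path; an empty list means compliant."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink's own permission bits say nothing; the target is what matters.
        return [f"{path}: is a symlink, audit the target instead"]
    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        findings.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
    # Report world access on private material explicitly, not just as a mode mismatch.
    if private and actual & 0o007:
        findings.append(f"{path}: private material accessible to 'other' ({actual:04o})")
    owner, grp_name = uid_name(st.st_uid), gid_name(st.st_gid)
    if owner != user:
        findings.append(f"{path}: owner {owner}, expected {user}")
    if grp_name != group:
        findings.append(f"{path}: group {grp_name}, expected {group}")
    return findings


def audit_policy(policy=TLS_FILE_POLICY):
    """Audit every policy entry and return the combined findings."""
    findings = []
    for entry in policy:
        findings.extend(audit_path(*entry))
    return findings


def write_sample_layout(key_mode=0o640):
    """Constructed scratch tree shaped like /etc/ssl, owned by the current user,
    so the audit can be run without root. Returns (root, policy)."""
    root = tempfile.mkdtemp(prefix="ssl-audit-")
    me, my_group = uid_name(os.getuid()), gid_name(os.getgid())
    private_dir = os.path.join(root, "private")
    certs_dir = os.path.join(root, "certs")
    os.makedirs(private_dir)
    os.makedirs(certs_dir)
    cert = os.path.join(certs_dir, "example.cert")
    key = os.path.join(private_dir, "example.key")
    with open(cert, "w") as fh:  # placeholder PEM, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:  # placeholder PEM, not a real key
        fh.write("-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n")
    os.chmod(private_dir, 0o750)
    os.chmod(cert, 0o644)
    os.chmod(key, key_mode)
    policy = [
        (private_dir, 0o750, me, my_group, True),
        (cert, 0o644, me, my_group, False),
        (key, 0o640, me, my_group, True),
    ]
    return root, policy


if __name__ == "__main__":
    for line in audit_policy() or ["all TLS files match policy"]:
        print(line)
```

Run it on the minion after `state.apply` to get an empty report; a key that has been copied in by hand with the default umask shows up as both a mode mismatch and an explicit "accessible to 'other'" finding, which is the case that matters most.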
This .sls file isn’t included directly in top.sls – instead it is referenced from exim.sls and dovecot.sls, the states that need access to the certificates.