From f60cbb6117beb50b09231093373ce7a6c694f8c5 Mon Sep 17 00:00:00 2001
From: do
Date: Tue, 16 Feb 2021 17:05:41 +0100
Subject: [PATCH] distribute intca to /etc/ssl/certs also
---
 base/pki/cert.sls | 11 +++++++++++
 base/pki/signing_policies.conf | 3 ++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/base/pki/cert.sls b/base/pki/cert.sls
index 6c9677c..a4c2beb 100644
--- a/base/pki/cert.sls
+++ b/base/pki/cert.sls
@@ -8,3 +8,14 @@
 /etc/pki/intca.crt:
 x509.pem_managed:
 - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
+
+/etc/ssl/certs/intca.crt:
+ x509.pem_managed:
+ - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
+
+
+/usr/sbin/update-ca-certificates:
+ cmd.run:
+ - onchanges:
+ - x509: /etc/ssl/certs/intca.crt
+
diff --git a/base/pki/signing_policies.conf b/base/pki/signing_policies.conf
index 63dec1d..7e21511 100644
--- a/base/pki/signing_policies.conf
+++ b/base/pki/signing_policies.conf
@@ -11,7 +11,8 @@ x509_signing_policies:
 - ST: Berlin
 - L: Berlin
 - basicConstraints: "critical CA:false"
- - keyUsage: "nonRepudiation, digitalSignature, keyEncipherment"
+ - keyUsage: "nonRepudiation, digitalSignature, keyEncipherment, keyAgreement"
+ - extendedKeyUsage: "serverAuth, clientAuth"
 - subjectKeyIdentifier: hash
 - authorityKeyIdentifier: keyid,issuer:always
 - days_valid: 365
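Review bot: In base/pki/cert.sls the new `/etc/ssl/certs/intca.crt` state writes the PEM straight into the directory that `update-ca-certificates` itself generates. If these minions are Debian-family, that tool builds the `ca-certificates.crt` bundle from `/usr/local/share/ca-certificates/*.crt`, so clients that read the bundle would probably still not trust the CA. I would manage `/usr/local/share/ca-certificates/intca.crt:` instead and point the trigger at it with `- x509: /usr/local/share/ca-certificates/intca.crt`. The state also turns whatever the mine returns for `tumor.chaos` into a system-wide trust anchor. A comment above it saying so, and a check of the certificate against a known fingerprint before it is installed, would be worth adding.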
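Review bot: In base/pki/signing_policies.conf the added `- extendedKeyUsage: "serverAuth, clientAuth"` gives every certificate issued under this policy both roles. A host's server certificate then also works as a client credential for any service that authenticates clients against this CA. If only some minions need client authentication, keep `- extendedKeyUsage: "serverAuth"` here and add a second policy carrying `- extendedKeyUsage: "clientAuth"` for them. The policy's name and opening lines sit above the hunk, so who may request it cannot be judged from here. A comment stating why `keyAgreement` and both usages are needed would help the next reader.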