salt-master/base/pki/host.sls

# -*- coding: utf-8 -*-
# vim: ft=yaml
---

/etc/pki/private.key:
  x509.private_key_managed:
    - bits: 4096
    - backup: True
    - require:
      - file: /etc/pki

/etc/pki/public.crt:
  x509.certificate_managed:
    - ca_server: tumor.chaos 
    - signing_policy: host
    - public_key: /etc/pki/private.key
    - CN: {{ grains['fqdn'] }} 
    - days_remaining: 90
    - backup: True
    - require:
      - x509: /etc/pki/private.key
      
{% for cn in salt['pillar.get']('pki:cns',{}) %}

/etc/pki/{{ cn }}.crt:
  x509.certificate_managed:
    - ca_server: tumor.chaos 
    - signing_policy: host
    - public_key: /etc/pki/private.key
    - CN: {{ cn }} 
    - days_remaining: 90
    - backup: False
    - require:
      - x509: /etc/pki/private.key
{% endfor %}