
Venafi Chef cookbook sample

This recipe is provided "as is" and Venafi makes no warranties or representations of any kind with respect to it. VENAFI DOES NOT MAKE, AND HEREBY DISCLAIMS, ANY AND ALL EXPRESS AND/OR IMPLIED WARRANTIES WITH RESPECT TO THIS RECIPE, INCLUDING, BUT NOT LIMITED TO, IMPLIED OR STATUTORY WARRANTIES OF MERCHANTABILITY, INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE. In no event will Venafi be liable for any incidental, special, direct, indirect, or consequential damages resulting from your use of or reliance on this recipe.

This is an example Chef cookbook for provisioning certificates from Venafi TPP using Chef.

It assumes you have Chef (solo) installed and working.

It depends on the "webhooks" cookbook (https://supermarket.chef.io/cookbooks/webhooks#readme), which can be installed with the following command (the cookbook name is a single word):

knife cookbook site install webhooks

After installing the webhooks cookbook, unzip the venafi_tpp.zip file into the Chef cookbooks directory.

You can run the cookbook using the following command. The JSON string piped on stdin (read via -j /dev/stdin) overrides the cookbook's attribute values; the run list is quoted as a whole so the shell does not strip the brackets or quotes that Chef expects.

echo '{"tpp": {"certificate_dn": "\\VED\\Policy\\carl\\test-202", "policy_dn": "\\VED\\Policy\\carl\\", "object_name": "carl-202"}}' | sudo chef-client --local-mode -j /dev/stdin -o "recipe[venafi_tpp::tpp_authenticate],recipe[venafi_tpp::request_certificate],recipe[venafi_tpp::retrieve_certificate]"

In this example the recipes are chained as follows:

  1. tpp_authenticate - Authenticate to TPP and obtain a temporary token for accessing the API
  2. request_certificate - Request a new certificate from TPP; if the certificate already exists it is renewed
  3. retrieve_certificate - Retrieve the new certificate. Because the request/retrieve process is asynchronous, this step checks whether the certificate is ready up to X times (X is configured using attributes) and gives up if it is still not ready after the last attempt

The cookbook currently downloads a P12 file into the directory specified by the “certificate_file_path” attribute.
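As an added illustration of the retrieve step and the P12 download (example code, not the cookbook's own recipe), the following plain Ruby polls TPP a bounded number of times and writes the P12 to the destination path. The WebSDK endpoint, header and JSON field names in TppClient are assumptions, and FakeTpp is a constructed stand-in so the loop can be exercised offline.

```ruby
require 'net/http'
require 'json'
require 'fileutils'

# Assumed TPP WebSDK call (endpoint, header and field names are assumptions).
class TppClient
  def initialize(base_url, api_key)
    @uri, @api_key = URI(base_url), api_key
  end

  # Returns [:ready, p12_bytes] when TPP has the certificate, else [:pending, status].
  def retrieve(certificate_dn, p12_password)
    http = Net::HTTP.new(@uri.host, @uri.port)
    http.use_ssl = (@uri.scheme == 'https')
    req = Net::HTTP::Post.new('/vedsdk/certificates/retrieve',
                              'Content-Type' => 'application/json',
                              'X-Venafi-Api-Key' => @api_key)
    req.body = { CertificateDN: certificate_dn, Format: 'PKCS #12',
                 IncludePrivateKey: true, Password: p12_password }.to_json
    res  = http.request(req)
    body = JSON.parse(res.body.to_s) rescue {}
    return [:ready, body['CertificateData'].unpack1('m')] if res.code == '200' && body['CertificateData']
    [:pending, body['Status'] || res.code]
  end
end

# The retrieve step: try at most `attempts` times (the cookbook's "X" attribute),
# waiting `delay` seconds between tries. Writes the P12 to dest_path and returns
# the path, or returns nil if TPP never reported the certificate ready.
def retrieve_with_retries(client, certificate_dn, p12_password, dest_path,
                          attempts:, delay:, sleeper: ->(s) { sleep(s) })
  attempts.times do |i|
    state, payload = client.retrieve(certificate_dn, p12_password)
    if state == :ready
      FileUtils.mkdir_p(File.dirname(dest_path))
      # The P12 holds the private key, so create it owner-read/write only.
      File.open(dest_path, 'wb', 0o600) { |f| f.write(payload) }
      return dest_path
    end
    sleeper.call(delay) if i < attempts - 1 # no sleep after the final try
  end
  nil
end

# Constructed stand-in for TPP: answers with the given responses in order, then "pending".
class FakeTpp
  def initialize(responses); @responses = responses.dup; end
  def retrieve(_dn, _pw); @responses.shift || [:pending, 'Processing']; end
end
```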

The certificate can be revoked using the “revoke_certificate” recipe.
