Forge Home


Manage SSL certificates and keys


1,143 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.0.0 (latest)
  • 1.0.0
released Sep 17th 2021
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
  • Puppet >= 6.1.0 < 8.0.0
  • , , , , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'ploperations-ssl', '2.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add ploperations-ssl
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install ploperations-ssl --version 2.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



ploperations/ssl — version 2.0.0 Sep 17th 2021


Build Status

The primary purpose of this module is to install certificates and keys in a few common formats.

Storing certificates and keys

This requires that certificates and keys are stored separately. Keys should be stored in Hiera, while files must be stored in the files/ directory of one of your profiles.

The primary certificate must be named "name.crt", and the intermediate certificate must be name "name_inter.crt". For example, if you store your files in profile::ssl:


Set the profile to use in Hiera, or by setting the cert_source parameter directly on the ssl class. The value should be in the same format as the file() function expects, e.g. 'profile/ssl'.

The private keys for your certificates go into Hiera as entries in the ssl::keys hash. We recommend encrypting them with [Hiera eyaml][]. To continue with the example from above:

ssl::cert_source: 'profile/ssl'
  '': ENC[PKCS7,MIIH...
  '': ENC[PKCS7,MIIH...

Deploying certificates and keys


This is the most generic resource. It stores keys in the default global certificate and key directories for your OS.

On Debian, the cert would be deployed as follows:


The _combined.crt file is a concatenation of the primary certificate followed by the intermediate certificate. This is the format used by NGINX and a variety of other applications.


This combines certificates with their key in the format expected by HAProxy. By default, it puts them in /etc/haproxy/certs.d/${key_name}.crt.

Additional usage info

This module is documented via pdk bundle exec puppet strings generate --format markdown. Please see for more info.

Changelog is generated prior to each release via pdk bundle exec rake changelog. This process relies on labels that are applied to each pull request.


Pull requests are welcome!