Certificate cookbook

Cookbook Version (opens in a new tab) CI State (opens in a new tab) OpenCollective OpenCollective License (opens in a new tab)


This recipe automates the common task of managing x509 certificates and keys from encrypted Data Bags. This cookbook provides a flexible and reusable resource to set up certificates from various sources.

Warning about Vault mode

Pulling data from Chef Vault is not supported when using chef-solo, and will result in a failure condition.

Testing with encrypted data_bags

The stub files in test/integration are for testing only and should not be used in production. These files include a self-signed "snake oil" certificate/key and an encrypted_data_bag_secret file which are not secure to use beyond testing.


Prepping certificate data

The certificate strings in the data bag need all newlines replaced with literal \ns. This conversion can be done with a Ruby one-liner:

ruby -e 'p' <filename>

This will turn the input file from the normal certificate format:


Into this:


Add the converted certificate / chain / key to the desired databag, attributes, or Chef Vault store:

  "id": "example",
  "cert": "-----BEGIN CERTIFICATE-----\nCertificate Here...",
  "key": "-----BEGIN PRIVATE KEY\nPrivate Key Here...",
  "chain": "-----BEGIN CERTIFICATE-----\nCA Root Chain Here..."

The chain entry may be optional if the CA's root chain is already trusted by the server.


This cookbook comes with three simple example recipes for using the certificate_manage LWRP.


Creates certificates from the data bag item certificates/$HOSTNAME.


Same as the default recipe, except for the data bag item name is wildcard instead of the node hostname.

The resulting files will be named wildcard.pem (cert), wildcard.key (key), and wildcard-bundle.crt (CA Root chain)


Defines certificate_manage resources dynamically from node attributes.

node['certificate'] = [
    'foo' => {
      data_bag_type: 'none',
      plaintext_cert: 'plain_cert',
      plaintext_key: 'plain_key',
      plaintext_chain: 'plain_chain',
  {'test' => {}},
certificate_manage 'foo' do
  data_bag_type 'none'
  plaintext_cert 'plain_cert'
  plaintext_key 'plain_key'
  plaintext_chain 'plain_chain'
certificate_manage 'test'



Sets up certificates from data bags or Chef Vault stores.

data_bagcertificateName of the data bag to look in
data_bag_secretChef::Config['encrypted_data_bag_secret']Path to the file with the data bag secret
data_bag_typeencryptedWhere to get certificate data from: encrypted or unencrypted data bag, vault for Chef Vault, or none for plaintext properties
search_idResource nameName of the data bag item to use
plaintext_certManual cert input for none data bag type
plaintext_keyManual key input for none data bag type
plaintext_chainManual chain input for none data bag type
cert_path/etc/pki/tls on RHEL, else /etc/sslDirectory to place certificates in
create_subfolderstrueWhether to use private/ and certs/ subdirectories under cert_path
cert_file$FQDN.pemBasename of the certificate
key_file$FQDN.keyBasename of the private key
chain_file$HOSTNAME-bundle.pemBasename of the chain certificate
nginx_certfalseWhether to create a combined cert/chain certificate for use with Nginx instead of separate certs
combined_filefalseWhether to combine the cert, chain, and key into a single file
ownerrootFile owner of the certificates
grouprootFile group of the certificates
cookbookcertificateCookbook containing the certificate file template.


The following example will place certificates defined in the certificates/mail data bag item under /etc/postfix/ssl owned by postfix.

certificate_manage "mail" do
  cert_path "/etc/postfix/ssl"
  owner "postfix"
  group "postfix"

.certificate, .key, .chain helper method usage

Some helper methods are exposed for retrieving key/certificate paths in other recipes:

  • .certificate - The final path of the certificate file. i.e. #{cert_path}/certs/#{cert_file}
  • .key - The final path of the key file. i.e. #{cert_path}/private/#{key_file}
  • .chain - The final path of the chain file. i.e. #{cert_path}/certs/#{chain_file}
# where node.fqdn = ''
tld = certificate_manage 'top_level_domain'
tld_cert_location = tld.certificate # => /etc/ssl/certs/
# where node.fqdn = ''
sbd = certificate_manage 'sub_domain' do
  cert_path '/bobs/emporium'
  create_subfolders false
sbd_cert_location = sbd.key # => /bobs/emporium/

Setting FQDN during the converge

If the FQDN of the node is updated during converge, be sure to use lazy attribute evaluation (opens in a new tab) to ensure node['fqdn'] refers to the updated value.

certificate_manage "wildcard" do
  cert_file lazy { "#{node['fqdn']}.pem" }
  key_file lazy { "#{node['fqdn']}.key" }
  chain_file lazy { "#{node['fqdn']}-bundle.crt" }

Using the none data bag type

The none option does not use a data bag, requiring the certificate, key, and/or chain to be passed directly to the resource. This allows you to use the certificate_manage resource for all of your certificate needs, even if the certificate data is stored in an unsupported location.

certificate_manage "fqdn-none-plaintext" do
  cert_file lazy { "#{node['fqdn']}.pem" }
  key_file lazy { "#{node['fqdn']}.key" }
  chain_file lazy { "#{node['fqdn']}-bundle.crt" }
  data_bag_type 'none'
  plaintext_cert "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n\n"
  plaintext_key "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n\n",
  plaintext_chain "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n\n",


This project exists thanks to all the people who contribute. (opens in a new tab)


Thank you to all our backers!


Support this project by becoming a sponsor. Your logo will show up here with a link to your website.