puppet-basicca is a Puppet module designed to automate the process of creating SSL certificates, particularly self-signed certificates. I also use it to create certificate signing requests (CSRs) to submit to the authorities who sign my certificates (at time of writing, StartCOM Namecheap [1]).

The readme in the Git repo has some detailed usage examples, but simply:

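basicca::certrequest{ $::fqdn:
  # Private key and CSR are written under /etc/ssl, named after the node
  keypath => "/etc/ssl/${::fqdn}.key",
  csrpath => "/etc/ssl/${::fqdn}.csr",
  # Subject fields for the request; CN is the node's FQDN
  subject => {
    'CN' => $::fqdn,
  },
}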

will produce a signing request for the FQDN of the node the manifest is running on.
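Before a request like this goes to a CA, it is worth checking the key and CSR pair. The following is an added example, not part of puppet-basicca or the original post: a POSIX shell function (the name `check_csr` is made up here) that assumes the `openssl` CLI is installed and confirms the key is owner-only, the CSR's self-signature verifies, the CSR carries this key's public half, and the CN is the expected FQDN.

```shell
#!/bin/sh
# Added example (not from puppet-basicca): sanity-check a key/CSR pair
# before the CSR is submitted to a CA.
# Usage: check_csr KEYPATH CSRPATH EXPECTED_CN   (returns 0 only if all pass)
check_csr() {
    key=$1 csr=$2 want_cn=$3

    # 1. The private key must not be accessible to group or other.
    case $(ls -ld "$key" | cut -c1-10) in
        -rw-------|-r--------) ;;
        *) echo "FAIL: $key is accessible beyond its owner" >&2; return 1 ;;
    esac

    # 2. The CSR's self-signature must verify. Match on the message rather
    #    than the exit status, which some openssl versions leave at 0.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "FAIL: CSR self-signature does not verify" >&2; return 1; }

    # 3. The CSR must contain the public half of this key, not another key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ] || {
        echo "FAIL: CSR public key does not match $key" >&2; return 1; }

    # 4. The subject CN must be exactly the expected name.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || {
        echo "FAIL: CN is '$cn', expected '$want_cn'" >&2; return 1; }

    echo "OK: $csr matches $key with CN=$cn"
}

# Run directly as: sh check_csr.sh /etc/ssl/HOST.key /etc/ssl/HOST.csr HOST
if [ "$#" -eq 3 ]; then
    check_csr "$@"
fi
```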


  1. And only when I need a cert for a year - like this blog for instance, because replacing a cert on CloudFront is a pain, and Amazon didn't have their own CA when I set things up. Most of my things now use Let's Encrypt certs.