diff --git a/README.md b/README.md
index 1dad63bb58cd9c84343b300a35a7306ad3559342..5d105f7f14be1ec622236a1d40d00fe23933057b 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@
 * [`freeradius`](#freeradius)
 * [Resources](#resources)
 * [`freeradius::attr`](#freeradiusattr)
+ * [`freeradius::cert`](#freeradiuscert)
 * [`freeradius::client`](#freeradiusclient)
 * [`freeradius::config`](#freeradiusconfig)
 * [`freeradius::dictionary`](#freeradiusdictionary)
@@ -110,6 +111,21 @@ freeradius::attr { 'eduroamlocal':
 }
 ```
+#### `freeradius::cert`
+
+Install certificates as provided. These are installed in `/etc/raddb/certs`
+
+```puppet
+freeradius::cert { 'mycert.pem':
+ source => 'puppet:///modules/site_freeradius/mycert.pem',
+ type => 'key',
+}
+```
+
+##### `type`
+
+Set file permissions on the installed certificate differently depending on whether this is a private key or a public certificate. Note that the default is to treat the file as a private key and remove world-readable privileges. Allowable values: `cert`, `key`. Default: `key`.
+
 #### `freeradius::client`
 Define RADIUS clients as seen in `clients.conf`
diff --git a/manifests/cert.pp b/manifests/cert.pp
new file mode 100644
index 0000000000000000000000000000000000000000..97792691c233269ea7668748f224370889e00669
--- /dev/null
+++ b/manifests/cert.pp
@@ -0,0 +1,23 @@
+# Install FreeRADIUS certificates
+define freeradius::cert (
+ $source,
+ $type = 'key',
+) {
+ $fr_package = $::freeradius::params::fr_package
+ $fr_service = $::freeradius::params::fr_service
+ $fr_basepath = $::freeradius::params::fr_basepath
+ $fr_group = $::freeradius::params::fr_group
+
+ file { "${fr_basepath}/certs/${name}":
+ mode => $type ? {
+ 'key' => '0640',
+ 'cert' => '0644',
+ default => '0644',
+ },
+ owner => 'root',
+ group => $fr_group,
+ source => $source,
+ require => [File["${fr_basepath}/certs"], Package[$fr_package], Group[$fr_group]],
+ notify => Service[$fr_service],
+ }
+}
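Review bot: The `default => '0644',` arm of the `$type` selector in `manifests/cert.pp` fails open: any value other than `key` or `cert` (for example `'private_key'`) installs the file world-readable. That contradicts the README text added in this commit, which says the default is to treat the file as a private key and remove world-readable privileges. The fallback arm should be `default => '0640',`, or better, the define should reject unknown values before the `file` resource with `unless $type in ['key', 'cert'] { fail("freeradius::cert: type must be 'key' or 'cert', got '${type}'") }`. A short comment above the selector would also help, e.g. `# key: readable by root and $fr_group only; cert: world-readable`, so the permission split is not loosened by a later edit.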