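## tmpfiles.d entries that install TLS material for every activated service.
##
## For each service whose activate flag is True and which has a certificates
## attribute, one type C (copy) entry is rendered per file:
##   - format cert_key: NAME.crt in the certificate directory (444 root root)
##     and NAME.key in the key directory (400 OWNER root);
##   - any other format: one NAME.pem in the key directory (400 OWNER root).
## OWNER is the owner entry of the certificate, or root when it has none.
## A certificate name may be a single value or a list; both are handled by
## the same loop below.
## The CA certificate is rendered once per authority (tracked in cas), and
## only when the certificate has no provider or its provider is autosigne.
## Every source file is read from /usr/local/lib followed by the target path.
##
## NOTE(review): tmpfiles.d type C copies only when the target does not exist
## yet, so a renewed key or certificate will not replace one already in place.
## Confirm that the target directories start empty or that rotation is
## handled elsewhere.
## NOTE(review): name, owner and authority are written into the entries
## without validation; this assumes they come from trusted configuration and
## hold no whitespace or path separators. Confirm against the data source.
## NOTE(review): these header lines start with a hash so that systemd-tmpfiles
## ignores them if the template engine passes them through. Confirm the
## comment token configured for this template dialect.
%set %%cas = []
%for %%service in %%services
%if %%service.activate is True and %%hasattr(%%service, 'certificates')
%for %%certificate in %%service.certificates
%if "owner" in %%certificate
%set %%owner = %%certificate['owner']
%else
%set %%owner = 'root'
%end if
%if %%isinstance(%%certificate['name'], list)
%set %%cert_names = %%certificate['name']
%else
%set %%cert_names = [%%certificate['name']]
%end if
%for %%cert in %%cert_names
%if %%certificate['format'] == 'cert_key'
C %%tls_cert_directory/%%{cert}.crt 444 root root - /usr/local/lib%%tls_cert_directory/%%{cert}.crt
C %%tls_key_directory/%%{cert}.key 400 %%owner root - /usr/local/lib%%tls_key_directory/%%{cert}.key
%else
C %%tls_key_directory/%%{cert}.pem 400 %%owner root - /usr/local/lib%%tls_key_directory/%%{cert}.pem
%end if
%end for
%if %%certificate['authority'] not in %%cas and ('provider' not in %%certificate or %%certificate['provider'] == 'autosigne')
%%cas.append(%%certificate['authority'])%slurp
C %%tls_ca_directory/%%{certificate['authority']}.crt 444 root root - /usr/local/lib%%tls_ca_directory/%%{certificate['authority']}.crt
%end if
%end for
%end if
%end for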