diff --git a/manifests/cabundle.pp b/manifests/cabundle.pp
new file mode 100644
index 0000000000000000000000000000000000000000..ac08082ca73267114d5418c913ead19d72cd9f1f
--- /dev/null
+++ b/manifests/cabundle.pp
@@ -0,0 +1,40 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Manage a CA bundle.
+ *
+ * Install the CA certificates in $calist into <NAME>-cabundle.pem
+ * under /etc/pki/tls/certs.  Each element in $calist can be one of
+ *  - A local file name on the client (absolute path).
+ *  - A puppet: URL.
+ *  - The special form "gridca:<CANAME>" (e.g. "gridca:NorduGrid").
+ *    This installs that CA package, using x509::gridca, and uses the
+ *    certificate file from there.  (Note that this will clash if the CA
+ *    package is managed elsewhere in your manifests.)
+ *  - A filename under $source (or $x509certs::config::hostcert_source
+ *    if not specified), without any slashes or colons in it. The suffix
+ *    ".pem" will be added automatically.
+ * Each such source can itself contain multiple certificates.
+ */
+
+define x509certs::cabundle($calist=[], $owner='root', $group='root',
+			   $source='', $ensure='present')
+{
+    include x509certs
+
+    concat::file {
+	"${x509certs::pki_certdir}/${name}-cabundle.pem":
+	    owner => $owner, group => $group, mode => '0444',
+	    ensure => $ensure;
+    }
+    if $ensure == 'present' {
+	$x_calist = regsubst($calist, '^', "${name}: ")
+	x509certs::cabundle::cacert {
+	    $x_calist:
+		source => $source;
+	}
+    }
+}
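Review bot: `$ensure` is passed straight to `concat::file` without the `case $ensure` guard that x509certs::hostcert::separate uses, so a typo such as `ensure => 'presnet'` is neither caught here nor by the `if $ensure == 'present'` branch, which silently declares no cacert parts; the same omission is in the manifests/hostcert/combinechain.pp and manifests/hostcert/combinekey_cabundle.pp hunks. Adding the guard from separate.pp before the resource declarations keeps the three defines consistent. The header comment also refers to `x509::gridca`, which does not match the define declared in manifests/gridca.pp; it should read `x509certs::gridca`.
```puppet
define x509certs::cabundle($calist=[], $owner='root', $group='root',
			   $source='', $ensure='present')
{
    include x509certs

    case $ensure {
	'present', 'absent': {
	}
	default: {
	    fail("X509certs::Cabundle[${title}]:",
		 "Bad parameter ensure, ``${ensure}''")
	}
    }
    # … unchanged: concat::file and x509certs::cabundle::cacert declarations …
```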
diff --git a/manifests/cabundle/cacert.pp b/manifests/cabundle/cacert.pp
new file mode 100644
index 0000000000000000000000000000000000000000..b81890027c6006f334a0c829823ca6e5d72a63f6
--- /dev/null
+++ b/manifests/cabundle/cacert.pp
@@ -0,0 +1,76 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Helper for x509certs::cabundle.
+ *
+ * The resource name is used for specifying both the bundle where the
+ * CA certificate is stored, and the source of the CA certificate.  It
+ * should be on the form
+ *     BUNDLENAME ": " CASOURCE
+ * The actual bundle file will be <BUNDLENAME>-cabundle.pem under
+ * $x509certs::pki_certdir.  See the documentation about the calist
+ * parameter of x509certs::cabundle for information about what
+ * CASOURCE can be.
+ *
+ * Mostly intended for internal use in the x509certs module, but can
+ * possibly be useful for users as well, although the API isn't very
+ * nice to use.
+ */
+define x509certs::cabundle::cacert($source='', $ensure='present')
+{
+    include x509certs
+    include x509certs::config
+
+    $sourcebase = $source ? {
+	''	=> $x509certs::config::hostcert_source,
+	default	=> $source
+    }
+
+    if $name =~ /^(.*): +(.*)$/ {
+	$bundlename = $1
+	$casource = $2
+    } else {
+	fail("X509certs::Cabundle::Cacert[${title}]:",
+	     "Illegal name, no // separator")
+    }
+    $bundlefile = "${x509certs::pki_certdir}/${bundlename}-cabundle.pem"
+    $partname = regsubst($casource, '/', '_', 'G')
+    $bundle_partfile = "${bundlefile}/${partname}"
+
+    case $ensure
+    {
+	'absent': {
+	}
+	'present': {
+	    if $casource =~ /^gridca:(.*)/ {
+		$caname = $1
+		x509certs::gridca {
+		    $caname:
+			ensure => 'present';
+		}
+		concat::part {
+		    $bundle_partfile:
+			source => "${x509certs::grid_cadir}/${caname}.pem",
+			require => X509certs::Gridca[$caname];
+		}
+	    } elsif $casource !~ /.*[\/:].*/ {
+		concat::part {
+		    $bundle_partfile:
+			source => "${sourcebase}/${casource}.pem";
+		}
+	    } else {
+		concat::part {
+		    $bundle_partfile:
+			source => $casource;
+		}
+	    }
+	}
+	default: {
+	    fail("X509certs::Cabundle::Cacert[${title}]:",
+		 "Bad parameter ensure, ${ensure}")
+	}
+    }
+}
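Review bot: The failure message for a malformed title says `no // separator`, but the separator the match on the line above requires is `": "` (the header comment documents the same), so the message sends the user looking for the wrong thing; change it to `"Illegal name, no ': ' separator"`. Because both groups in `/^(.*): +(.*)$/` are greedy the split happens at the last `": "`, so a CASOURCE that itself contains `": "` would have its prefix folded into `$bundlename`; if that can occur, `/^(.*?): +(.*)$/` pins the split to the first occurrence. In the `gridca:` branch `$caname` is interpolated into a package name and into a path under `$x509certs::grid_cadir` with no character restriction, so a value containing `/` would name a file outside that directory; narrowing the capture to something like `/^gridca:([A-Za-z0-9_.-]+)$/` makes the accepted form explicit even though the value comes from the manifest rather than from the node.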
diff --git a/manifests/config.pp b/manifests/config.pp
new file mode 100644
index 0000000000000000000000000000000000000000..423a1186220a18b142c6fda243897976d23f6e53
--- /dev/null
+++ b/manifests/config.pp
@@ -0,0 +1,25 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Configuration of the x509certs module.
+ *
+ * Users of this module must instantiate this class with relevant
+ * parameters.
+ *
+ * NOTE!  This replaces the old x509certs::siteconfig class, which
+ * users previously were expected to define themselves.
+ */
+class x509certs::config(
+    # Source directory or Puppet URL where host certificates can be
+    # found.  Typically a puppet: URL that expands to a client-private
+    # directory on the Puppet master (i.e. one using %h or %H in the
+    # path in fileserver.conf).
+    #
+    $hostcert_source,
+)
+{
+    # Nothing inside this class
+}
diff --git a/manifests/egi/lcg_cas.pp b/manifests/egi/lcg_cas.pp
new file mode 100644
index 0000000000000000000000000000000000000000..0b10a2a762b4c513a07932f8c36ddece237b4c5e
--- /dev/null
+++ b/manifests/egi/lcg_cas.pp
@@ -0,0 +1,21 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install the IGTF CA certificates for all CA:s in the LHC Compute Grid.
+ */
+
+class x509certs::egi::lcg_cas
+{
+    include x509certs::egi::trustanchors
+    include x509certs::fetchcrl
+
+    package {
+	[ 'ca-policy-egi-core', 'ca-policy-lcg' ]:
+	    ensure => installed,
+	    require => Class['x509certs::egi::trustanchors'],
+	    notify => Exec['x509certs::fetchcrl::initial'];
+    }
+}
diff --git a/manifests/egi/trustanchors.pp b/manifests/egi/trustanchors.pp
new file mode 100644
index 0000000000000000000000000000000000000000..29e44e4a355a99ff5156935300a309f2f802347d
--- /dev/null
+++ b/manifests/egi/trustanchors.pp
@@ -0,0 +1,28 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Configure the EGI trust anchors Yum repository, for CA certificates
+ * in the International Grid Trust Federation (IGTF).
+ *
+ * Note that packages for IGTF CAs also exists in e.g. NorduGrid repos,
+ * so we set a low priority (i.e. preferred over other repos), as this
+ * repo only holds CA packages and nothing else.
+ */
+
+class x509certs::egi::trustanchors
+{
+    $urlbase = 'http://repository.egi.eu/sw/production/cas/1'
+
+    yumrepo {
+	'egi-trustanchors':
+	    descr    => 'EGI Trust Anchors',
+	    baseurl  => "${urlbase}/current",
+	    gpgkey   => "${urlbase}/GPG-KEY-EUGridPMA-RPM-3",
+	    priority => 10,
+	    enabled  => 1,
+	    gpgcheck => 1;
+    }
+}
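Review bot: The GPG key that `gpgcheck => 1` relies on is itself fetched over plain HTTP from `"${urlbase}/GPG-KEY-EUGridPMA-RPM-3"`, so on first import yum trusts whatever key an on-path party serves and every later package check only confirms consistency with that key. If the repository is reachable over TLS, switching `$urlbase` to an `https://` URL closes that gap; otherwise the key could be shipped with the module and referenced by local path so its fingerprint is fixed in the manifest rather than learned from the network. `priority => 10` only takes effect if the yum priorities plugin is installed, which this class does not ensure; presumably that is handled elsewhere, but a comment noting the dependency would help.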
diff --git a/manifests/fetchcrl.pp b/manifests/fetchcrl.pp
new file mode 100644
index 0000000000000000000000000000000000000000..1c9b60fc41a63179e4b6647e46bd6e7ae798b1ff
--- /dev/null
+++ b/manifests/fetchcrl.pp
@@ -0,0 +1,56 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Make sure the fetch-crl service is installed and running, to download
+ * updated revocation lists periodically.
+ */
+
+class x509certs::fetchcrl
+{
+    # Install Perl modules needed for fetch-crl to support HTTPS
+    case "${::operatingsystem}:${::operatingsystemrelease}"
+    {
+	/^(CentOS|RedHat|Scientific):(6)(\.[^:]+)?$/: {
+	    package {
+		'perl-IO-Socket-SSL':
+		    ensure => installed, before => Package['fetch-crl'],
+		    notify => Exec['x509certs::fetchcrl::initial'];
+	    }
+	}
+	/^(CentOS|RedHat|Scientific):(7)(\.[^:]+)?$/: {
+	    package {
+		'perl-LWP-Protocol-https':
+		    ensure => installed, before => Package['fetch-crl'],
+		    notify => Exec['x509certs::fetchcrl::initial'];
+	    }
+	}
+	default: {
+	    fail("X509certs::Fetchcrl: Unsupported operating system")
+	}
+    }
+
+    package {
+	'fetch-crl':
+	    ensure => installed,
+	    notify => Exec['x509certs::fetchcrl::initial'];
+	'nordugrid-arc-ca-utils':
+	    # Obsolete; now just an empty package depending on fetch-crl.
+	    ensure => absent;
+    }
+    service {
+	'fetch-crl-cron':
+	    enable => true, ensure => running,
+	    require => Package['fetch-crl'];
+	'fetch-crl-boot':
+	    enable => false,
+	    require => Package['fetch-crl'];
+    }
+    exec {
+	'x509certs::fetchcrl::initial':
+	    command => '/usr/sbin/fetch-crl -p 16',
+	    refreshonly => true;
+    }
+}
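Review bot: The `default` branch's `fail` drops the facts it just matched against, so a host that is rejected reports only "Unsupported operating system" with no hint of what was seen; `fail("X509certs::Fetchcrl: Unsupported operating system ${::operatingsystem} ${::operatingsystemrelease}")` makes the report actionable. The `'fetch-crl-boot'` service sets `enable => false` without an `ensure`, so a currently running instance is left alone; if that is intentional (only the cron variant should be the one managed), a one-line comment such as `# Only disable at boot; the cron job handles periodic refresh` would stop the next reader from adding `ensure => stopped`.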
diff --git a/manifests/grid_security_dir.pp b/manifests/grid_security_dir.pp
new file mode 100644
index 0000000000000000000000000000000000000000..0528f9b953e9868d3b488522fc8bf0a017e681ca
--- /dev/null
+++ b/manifests/grid_security_dir.pp
@@ -0,0 +1,18 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Helper class, to make sure the /etc/grid-security directory exists.
+ */
+class x509certs::grid_security_dir
+{
+    include x509certs
+
+    file {
+	$x509certs::grid_secdir:
+	    ensure => directory,
+	    owner => 'root', group => 'root', mode => '0755';
+    }
+}
diff --git a/manifests/gridca.pp b/manifests/gridca.pp
new file mode 100644
index 0000000000000000000000000000000000000000..ad957579fe469c0251b707a7152af7dfda89fb27
--- /dev/null
+++ b/manifests/gridca.pp
@@ -0,0 +1,35 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Manage a grid CA certificate.
+ *
+ * These are assumed to be available as (RPM) packages name "ca_<NAME>",
+ * that provide the PEM file and any extra metadata files needed by the
+ * WLCG and EGI grids, including CRL URLs for fetch-crl.
+ *
+ * Note that configuring a repository where these CA packages
+ * can be found must be done separately, e.g. by using the
+ * x509certs::egi::trustanchors class.
+ */
+
+define x509certs::gridca($ensure='present')
+{
+    include x509certs::fetchcrl
+
+    case $ensure {
+	'present', 'absent': {
+	}
+	default: {
+	    fail("X509certs::Gridca[${title}]:",
+		 "Bad parameter ensure, ``${ensure}''")
+	}
+    }
+    package {
+	"ca_${name}":
+	    ensure => $ensure,
+	    notify => Exec['x509certs::fetchcrl::initial'];
+    }
+}
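Review bot: The header comment reads "available as (RPM) packages name "ca_<NAME>"", which should be `packages named "ca_<NAME>"`. It would also help the reader to state next to the `package` declaration that `$name` becomes part of the package title verbatim, e.g. `# $name is used as-is in the package title; it must match the CA package suffix exactly`, since nothing here checks the value.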
diff --git a/manifests/hostcert/combinechain.pp b/manifests/hostcert/combinechain.pp
new file mode 100644
index 0000000000000000000000000000000000000000..57fea6fb066d66223f40548c618da910af15379a
--- /dev/null
+++ b/manifests/hostcert/combinechain.pp
@@ -0,0 +1,51 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install host certificate and CA chain in one file, and key in another.
+ *
+ * The certificate and CA chain will be installed in the same file
+ * under /etc/pki/tls/certs in <NAME>-cert.pem.  The private key will be
+ * in a separate file <NAME>-key.pem under /etc/pki/tls/private, readable
+ * only by $owner and $group.
+ *
+ * The certificate, private key and CA chain will be loaded from
+ * separate files using the same logic as x509certs::hostcert::separate.
+ *
+ * This format is wanted by some software, e.g. Postfix and Dovecot.
+ */
+
+define x509certs::hostcert::combinechain($owner='root', $group='root',
+					 $sourcename='', $source='',
+					 $ensure='present')
+{
+    include x509certs
+    include x509certs::config
+
+    $sourcebase = $source ? {
+	''	=> $x509certs::config::hostcert_source,
+	default	=> $source
+    }
+    $srcname = $sourcename ? { '' => $name, default => $sourcename }
+
+    concat::file {
+	"${x509certs::pki_certdir}/${name}-cert.pem":
+	    ensure => $ensure,
+	    owner => $owner, group => $group, mode => '0444';
+    }
+    concat::part {
+	"${x509certs::pki_certdir}/${name}-cert.pem/01-cert.pem":
+	    source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
+	"${x509certs::pki_certdir}/${name}-cert.pem/02-chain.pem":
+	    source => "${sourcebase}/${srcname}-chain.pem", ensure => $ensure;
+    }
+
+    file {
+	"${x509certs::pki_keydir}/${name}-key.pem":
+	    source => "${sourcebase}/${srcname}-key.pem",
+	    owner => $owner, group => $group, mode => '0440',
+	    ensure => $ensure;
+    }
+}
diff --git a/manifests/hostcert/combinekey_cabundle.pp b/manifests/hostcert/combinekey_cabundle.pp
new file mode 100644
index 0000000000000000000000000000000000000000..1de5077b7291f0bd2c3031b4ec4ab59dc930e30a
--- /dev/null
+++ b/manifests/hostcert/combinekey_cabundle.pp
@@ -0,0 +1,57 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install host certificate and private key in one file, and the CA
+ * chain and other CA certificates in another file.
+ *
+ * The certificate and private key will be installed in the same file
+ * under /etc/pki/tls/certs in <NAME>-cert.pem (readable only by the
+ * $owner and $group).  The CA chain will be in a separate file
+ * <NAME>-cabundle.pem together with the CA certificates in $calist.
+ *
+ * The certificate, private key and CA chain will be loaded from
+ * separate files using the same logic as x509certs::hostcert::separate.
+ *
+ * This is the format e.g. lighttpd requires (server certificate and
+ * private key in a common file, and all CA certificates, both the chain
+ * to its server certificate and the CA:s used for client authentication,
+ * together in another file).
+ */
+
+define x509certs::hostcert::combinekey_cabundle(
+		$calist=[], $owner='root', $group='root',
+		$sourcename='', $source='', $ensure='present')
+{
+    include x509certs
+    include x509certs::config
+
+    $sourcebase = $source ? {
+	''	=> $x509certs::config::hostcert_source,
+	default	=> $source
+    }
+    $srcname = $sourcename ? { '' => $name, default => $sourcename }
+
+    concat::file {
+	"${x509certs::pki_certdir}/${name}-cert.pem":
+	    ensure => $ensure,
+	    owner => $owner, group => $group, mode => '0440';
+    }
+    concat::part {
+	"${x509certs::pki_certdir}/${name}-cert.pem/cert.pem":
+	    source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
+	"${x509certs::pki_certdir}/${name}-cert.pem/key.pem":
+	    source => "${sourcebase}/${srcname}-key.pem", ensure => $ensure;
+    }
+    x509certs::cabundle {
+	$name:
+	    owner => $owner, group => $group, source => $source,
+	    calist => $calist, ensure => $ensure;
+    }
+    x509certs::cabundle::cacert {
+	"${name}: ${sourcebase}/${srcname}-chain.pem":
+	    source => $source, ensure => $ensure;
+    }
+}
diff --git a/manifests/hostcert/separate.pp b/manifests/hostcert/separate.pp
new file mode 100644
index 0000000000000000000000000000000000000000..bf31d679380de8a7ef0de57052b73541ea0e3673
--- /dev/null
+++ b/manifests/hostcert/separate.pp
@@ -0,0 +1,58 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Install host certificate, private key and CA chain.
+ * These three will be installed in separate files under /etc/pki/tls.
+ * Source is <SOURCE>/<SOURCENAME>-{cert,chain,key}.pem.  $sourcename
+ * defaults to the name for the resource if not specified.  If $source
+ * is not specified, $x509certs::config::hostcert_source is used.
+ *
+ * If the certificate is self-signed, and thus no CA chain exists,
+ * the chain source file must still exist, and should then either be
+ * empty, or contain the certificate itself.  (Apache httpd, e.g, does
+ * not like the chain file being empty, but repeating the certificate
+ * in the chain file works fine; other applications may have other
+ * rules.)
+ */
+
+define x509certs::hostcert::separate($owner='root', $group='root',
+				     $sourcename='', $source='',
+				     $ensure='present')
+{
+    include x509certs
+    include x509certs::config
+
+    case $ensure {
+	'present', 'absent': {
+	}
+	default: {
+	    fail("X509certs::Hostcert::Separate[${title}]:",
+		 "Bad parameter ensure, ``${ensure}''")
+	}
+    }
+    $sourcebase = $source ? {
+	''	=> $x509certs::config::hostcert_source,
+	default	=> $source
+    }
+    $srcname = $sourcename ? { '' => $name, default => $sourcename }
+
+    file {
+	"${x509certs::pki_certdir}/${name}-cert.pem":
+	    source => "${sourcebase}/${srcname}-cert.pem",
+	    owner => $owner, group => $group, mode => '0444',
+	    ensure => $ensure;
+
+	"${x509certs::pki_certdir}/${name}-chain.pem":
+	    source => "${sourcebase}/${srcname}-chain.pem",
+	    owner => $owner, group => $group, mode => '0444',
+	    ensure => $ensure;
+
+	"${x509certs::pki_keydir}/${name}-key.pem":
+	    source => "${sourcebase}/${srcname}-key.pem",
+	    owner => $owner, group => $group, mode => '0440',
+	    ensure => $ensure;
+    }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 1909044f1c174c93d93365475b9b437c353ce1a9..7530ed0be3b9540cbdf46cac105cd9cfebe59cd4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,314 +3,6 @@
 # Licensed under the GNU LGPL v3+; see the README file for more information.
 
 
-/*
- * Configuration of the x509certs module.
- *
- * Users of this module must instantiate this class with relevant
- * parameters.
- *
- * NOTE!  This replaces the old x509certs::siteconfig class, which
- * users previously were expected to define themselves.
- */
-class x509certs::config(
-    # Source directory or Puppet URL where host certificates can be
-    # found.  Typically a puppet: URL that expands to a client-private
-    # directory on the Puppet master (i.e. one using %h or %H in the
-    # path in fileserver.conf).
-    #
-    $hostcert_source,
-)
-{
-    # Nothing inside this class
-}
-
-
-
-/*
- * Directory locations and other constants.
- *
- * This currently assumes a RedHat:ish system.
- */
-class x509certs
-{
-    $pki_certdir = '/etc/pki/tls/certs'
-    $pki_keydir  = '/etc/pki/tls/private'
-    $grid_secdir = '/etc/grid-security'
-    $grid_cadir  = "${grid_secdir}/certificates"
-}
-
-
-
-/*
- * Install host certificate, private key and CA chain.
- * These three will be installed in separate files under /etc/pki/tls.
- * Source is <SOURCE>/<SOURCENAME>-{cert,chain,key}.pem.  $sourcename
- * defaults to the name for the resource if not specified.  If $source
- * is not specified, $x509certs::config::hostcert_source is used.
- *
- * If the certificate is self-signed, and thus no CA chain exists,
- * the chain source file must still exist, and should then either be
- * empty, or contain the certificate itself.  (Apache httpd, e.g, does
- * not like the chain file being empty, but repeating the certificate
- * in the chain file works fine; other applications may have other
- * rules.)
- */
-
-define x509certs::hostcert::separate($owner='root', $group='root',
-				     $sourcename='', $source='',
-				     $ensure='present')
-{
-    include x509certs
-    include x509certs::config
-
-    case $ensure {
-	'present', 'absent': {
-	}
-	default: {
-	    fail("X509certs::Hostcert::Separate[${title}]:",
-		 "Bad parameter ensure, ``${ensure}''")
-	}
-    }
-    $sourcebase = $source ? {
-	''	=> $x509certs::config::hostcert_source,
-	default	=> $source
-    }
-    $srcname = $sourcename ? { '' => $name, default => $sourcename }
-
-    file {
-	"${x509certs::pki_certdir}/${name}-cert.pem":
-	    source => "${sourcebase}/${srcname}-cert.pem",
-	    owner => $owner, group => $group, mode => '0444',
-	    ensure => $ensure;
-
-	"${x509certs::pki_certdir}/${name}-chain.pem":
-	    source => "${sourcebase}/${srcname}-chain.pem",
-	    owner => $owner, group => $group, mode => '0444',
-	    ensure => $ensure;
-
-	"${x509certs::pki_keydir}/${name}-key.pem":
-	    source => "${sourcebase}/${srcname}-key.pem",
-	    owner => $owner, group => $group, mode => '0440',
-	    ensure => $ensure;
-    }
-}
-
-
-
-/*
- * Install host certificate and private key in one file, and the CA
- * chain and other CA certificates in another file.
- *
- * The certificate and private key will be installed in the same file
- * under /etc/pki/tls/certs in <NAME>-cert.pem (readable only by the
- * $owner and $group).  The CA chain will be in a separate file
- * <NAME>-cabundle.pem together with the CA certificates in $calist.
- *
- * The certificate, private key and CA chain will be loaded from
- * separate files using the same logic as x509certs::hostcert::separate.
- *
- * This is the format e.g. lighttpd requires (server certificate and
- * private key in a common file, and all CA certificates, both the chain
- * to its server certificate and the CA:s used for client authentication,
- * together in another file).
- */
-
-define x509certs::hostcert::combinekey_cabundle(
-		$calist=[], $owner='root', $group='root',
-		$sourcename='', $source='', $ensure='present')
-{
-    include x509certs
-    include x509certs::config
-
-    $sourcebase = $source ? {
-	''	=> $x509certs::config::hostcert_source,
-	default	=> $source
-    }
-    $srcname = $sourcename ? { '' => $name, default => $sourcename }
-
-    concat::file {
-	"${x509certs::pki_certdir}/${name}-cert.pem":
-	    ensure => $ensure,
-	    owner => $owner, group => $group, mode => '0440';
-    }
-    concat::part {
-	"${x509certs::pki_certdir}/${name}-cert.pem/cert.pem":
-	    source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
-	"${x509certs::pki_certdir}/${name}-cert.pem/key.pem":
-	    source => "${sourcebase}/${srcname}-key.pem", ensure => $ensure;
-    }
-    x509certs::cabundle {
-	$name:
-	    owner => $owner, group => $group, source => $source,
-	    calist => $calist, ensure => $ensure;
-    }
-    x509certs::cabundle::cacert {
-	"${name}: ${sourcebase}/${srcname}-chain.pem":
-	    source => $source, ensure => $ensure;
-    }
-}
-
-
-
-/*
- * Install host certificate and CA chain in one file, and key in another.
- *
- * The certificate and CA chain will be installed in the same file
- * under /etc/pki/tls/certs in <NAME>-cert.pem.  The private key will be
- * in a separate file <NAME>-key.pem under /etc/pki/tls/private, readable
- * only by $owner and $group.
- *
- * The certificate, private key and CA chain will be loaded from
- * separate files using the same logic as x509certs::hostcert::separate.
- *
- * This format is wanted by some software, e.g. Postfix and Dovecot.
- */
-
-define x509certs::hostcert::combinechain($owner='root', $group='root',
-					 $sourcename='', $source='',
-					 $ensure='present')
-{
-    include x509certs
-    include x509certs::config
-
-    $sourcebase = $source ? {
-	''	=> $x509certs::config::hostcert_source,
-	default	=> $source
-    }
-    $srcname = $sourcename ? { '' => $name, default => $sourcename }
-
-    concat::file {
-	"${x509certs::pki_certdir}/${name}-cert.pem":
-	    ensure => $ensure,
-	    owner => $owner, group => $group, mode => '0444';
-    }
-    concat::part {
-	"${x509certs::pki_certdir}/${name}-cert.pem/01-cert.pem":
-	    source => "${sourcebase}/${srcname}-cert.pem", ensure => $ensure;
-	"${x509certs::pki_certdir}/${name}-cert.pem/02-chain.pem":
-	    source => "${sourcebase}/${srcname}-chain.pem", ensure => $ensure;
-    }
-
-    file {
-	"${x509certs::pki_keydir}/${name}-key.pem":
-	    source => "${sourcebase}/${srcname}-key.pem",
-	    owner => $owner, group => $group, mode => '0440',
-	    ensure => $ensure;
-    }
-}
-
-
-
-/*
- * Manage a CA bundle.
- *
- * Install the CA certificates in $calist into <NAME>-cabundle.pem
- * under /etc/pki/tls/certs.  Each element in $calist can be one of
- *  - A local file name on the client (absolute path).
- *  - A puppet: URL.
- *  - The special form "gridca:<CANAME>" (e.g. "gridca:NorduGrid").
- *    This installs that CA package, using x509::gridca, and uses the
- *    certificate file from there.  (Note that this will clash if the CA
- *    package is managed elsewhere in your manifests.)
- *  - A filename under $source (or $x509certs::config::hostcert_source
- *    if not specified), without any slashes or colons in it. The suffix
- *    ".pem" will be added automatically.
- * Each such source can itself contain multiple certificates.
- */
-
-define x509certs::cabundle($calist=[], $owner='root', $group='root',
-			   $source='', $ensure='present')
-{
-    include x509certs
-
-    concat::file {
-	"${x509certs::pki_certdir}/${name}-cabundle.pem":
-	    owner => $owner, group => $group, mode => '0444',
-	    ensure => $ensure;
-    }
-    if $ensure == 'present' {
-	$x_calist = regsubst($calist, '^', "${name}: ")
-	x509certs::cabundle::cacert {
-	    $x_calist:
-		source => $source;
-	}
-    }
-}
-
-
-/*
- * Helper for x509certs::cabundle.
- *
- * The resource name is used for specifying both the bundle where the
- * CA certificate is stored, and the source of the CA certificate.  It
- * should be on the form
- *     BUNDLENAME ": " CASOURCE
- * The actual bundle file will be <BUNDLENAME>-cabundle.pem under
- * $x509certs::pki_certdir.  See the documentation about the calist
- * parameter of x509certs::cabundle for information about what
- * CASOURCE can be.
- *
- * Mostly intended for internal use in the x509certs module, but can
- * possibly be useful for users as well, although the API isn't very
- * nice to use.
- */
-define x509certs::cabundle::cacert($source='', $ensure='present')
-{
-    include x509certs
-    include x509certs::config
-
-    $sourcebase = $source ? {
-	''	=> $x509certs::config::hostcert_source,
-	default	=> $source
-    }
-
-    if $name =~ /^(.*): +(.*)$/ {
-	$bundlename = $1
-	$casource = $2
-    } else {
-	fail("X509certs::Cabundle::Cacert[${title}]:",
-	     "Illegal name, no // separator")
-    }
-    $bundlefile = "${x509certs::pki_certdir}/${bundlename}-cabundle.pem"
-    $partname = regsubst($casource, '/', '_', 'G')
-    $bundle_partfile = "${bundlefile}/${partname}"
-
-    case $ensure
-    {
-	'absent': {
-	}
-	'present': {
-	    if $casource =~ /^gridca:(.*)/ {
-		$caname = $1
-		x509certs::gridca {
-		    $caname:
-			ensure => 'present';
-		}
-		concat::part {
-		    $bundle_partfile:
-			source => "${x509certs::grid_cadir}/${caname}.pem",
-			require => X509certs::Gridca[$caname];
-		}
-	    } elsif $casource !~ /.*[\/:].*/ {
-		concat::part {
-		    $bundle_partfile:
-			source => "${sourcebase}/${casource}.pem";
-		}
-	    } else {
-		concat::part {
-		    $bundle_partfile:
-			source => $casource;
-		}
-	    }
-	}
-	default: {
-	    fail("X509certs::Cabundle::Cacert[${title}]:",
-		 "Bad parameter ensure, ${ensure}")
-	}
-    }
-}
-
-
 
 /*
  * Manage a "grid host certificate".
@@ -412,148 +104,16 @@ class x509certs::hostcert::gridcert::absent
 
 
 
-/*
- * Make sure the fetch-crl service is installed and running, to download
- * updated revocation lists periodically.
- */
-
-class x509certs::fetchcrl
-{
-    # Install Perl modules needed for fetch-crl to support HTTPS
-    case "${::operatingsystem}:${::operatingsystemrelease}"
-    {
-	/^(CentOS|RedHat|Scientific):(6)(\.[^:]+)?$/: {
-	    package {
-		'perl-IO-Socket-SSL':
-		    ensure => installed, before => Package['fetch-crl'],
-		    notify => Exec['x509certs::fetchcrl::initial'];
-	    }
-	}
-	/^(CentOS|RedHat|Scientific):(7)(\.[^:]+)?$/: {
-	    package {
-		'perl-LWP-Protocol-https':
-		    ensure => installed, before => Package['fetch-crl'],
-		    notify => Exec['x509certs::fetchcrl::initial'];
-	    }
-	}
-	default: {
-	    fail("X509certs::Fetchcrl: Unsupported operating system")
-	}
-    }
-
-    package {
-	'fetch-crl':
-	    ensure => installed,
-	    notify => Exec['x509certs::fetchcrl::initial'];
-	'nordugrid-arc-ca-utils':
-	    # Obsolete; now just an empty package depending on fetch-crl.
-	    ensure => absent;
-    }
-    service {
-	'fetch-crl-cron':
-	    enable => true, ensure => running,
-	    require => Package['fetch-crl'];
-	'fetch-crl-boot':
-	    enable => false,
-	    require => Package['fetch-crl'];
-    }
-    exec {
-	'x509certs::fetchcrl::initial':
-	    command => '/usr/sbin/fetch-crl -p 16',
-	    refreshonly => true;
-    }
-}
-
-
 
 /*
- * Manage a grid CA certificate.
- *
- * These are assumed to be available as (RPM) packages name "ca_<NAME>",
- * that provide the PEM file and any extra metadata files needed by the
- * WLCG and EGI grids, including CRL URLs for fetch-crl.
- *
- * Note that configuring a repository where these CA packages
- * can be found must be done separately, e.g. by using the
- * x509certs::egi::trustanchors class.
- */
-
-define x509certs::gridca($ensure='present')
-{
-    include x509certs::fetchcrl
-
-    case $ensure {
-	'present', 'absent': {
-	}
-	default: {
-	    fail("X509certs::Gridca[${title}]:",
-		 "Bad parameter ensure, ``${ensure}''")
-	}
-    }
-    package {
-	"ca_${name}":
-	    ensure => $ensure,
-	    notify => Exec['x509certs::fetchcrl::initial'];
-    }
-}
-
-
-
-/*
- * Configure the EGI trust anchors Yum repository, for CA certificates
- * in the International Grid Trust Federation (IGTF).
+ * Directory locations and other constants.
  *
- * Note that packages for IGTF CAs also exists in e.g. NorduGrid repos,
- * so we set a low priority (i.e. preferred over other repos), as this
- * repo only holds CA packages and nothing else.
- */
-
-class x509certs::egi::trustanchors
-{
-    $urlbase = 'http://repository.egi.eu/sw/production/cas/1'
-
-    yumrepo {
-	'egi-trustanchors':
-	    descr    => 'EGI Trust Anchors',
-	    baseurl  => "${urlbase}/current",
-	    gpgkey   => "${urlbase}/GPG-KEY-EUGridPMA-RPM-3",
-	    priority => 10,
-	    enabled  => 1,
-	    gpgcheck => 1;
-    }
-}
-
-
-
-/*
- * Install the IGTF CA certificates for all CA:s in the LHC Compute Grid.
- */
-
-class x509certs::egi::lcg_cas
-{
-    include x509certs::egi::trustanchors
-    include x509certs::fetchcrl
-
-    package {
-	[ 'ca-policy-egi-core', 'ca-policy-lcg' ]:
-	    ensure => installed,
-	    require => Class['x509certs::egi::trustanchors'],
-	    notify => Exec['x509certs::fetchcrl::initial'];
-    }
-}
-
-
-
-/*
- * Helper class, to make sure the /etc/grid-security directory exists.
+ * This currently assumes a RedHat:ish system.
  */
-class x509certs::grid_security_dir
+class x509certs
 {
-    include x509certs
-
-    file {
-	$x509certs::grid_secdir:
-	    ensure => directory,
-	    owner => 'root', group => 'root', mode => '0755';
-    }
+    $pki_certdir = '/etc/pki/tls/certs'
+    $pki_keydir  = '/etc/pki/tls/private'
+    $grid_secdir = '/etc/grid-security'
+    $grid_cadir  = "${grid_secdir}/certificates"
 }