Issue #3943 has been updated by Mathias Gug.
I haven't been able to make puppet include the csr - I haven't looked at the
puppet code.
My proof of concept was based around the openssl command line. With the
following configuration file:
<pre>
[ new_oids ]
Signature = 1.3.6.1.4.1.34380.2.0
SignatureVersion = 1.3.6.1.4.1.34380.2.1
ExpirationDate = 1.3.6.1.4.1.34380.2.2
ConductorCertificate = 1.3.6.1.4.1.34380.2.3

[ req ]
oid_section = new_oids
default_bits = 1024
default_keyfile = privkey.pem
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
attributes = req_attributes

[ req_distinguished_name ]
commonName = foo.example.org

[ req_attributes ]
# Signature (base64 encoded)
1.3.6.1.4.1.34380.2.0 = aaabbbbbsssddddd
# Signature version (integer)
1.3.6.1.4.1.34380.2.1 = 1
# expiration date (rfc3339)
1.3.6.1.4.1.34380.2.2 = 2010-05-07T23:31:03+00:00
# Cloud conductor certificate (PEM format)
1.3.6.1.4.1.34380.2.3 = -----BEGIN CERTIFICATE [...] -----
</pre>
I was able to generate a csr using the following command line:
<pre>
$ openssl req -new -keyout key.pem -out req.pem -config openssl.cnf
</pre>
The generated csr looked like:
<pre>
$ openssl req -text -noout < req.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=foo.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c7:2f:0d:e1:7a:91:ea:d5:c8:6c:fe:98:fd:62:
                    55:e6:01:26:26:55:0e:d7:b4:fd:c8:73:0f:e0:8b:
                    d6:30:91:9b:d8:d5:5f:e8:6a:00:fb:35:31:de:8f:
                    f8:7d:5c:d7:84:c5:f2:d6:1c:11:68:72:dc:cc:20:
                    6b:19:0e:56:70:52:06:48:a0:75:30:05:67:18:0d:
                    be:2b:2e:eb:3c:29:be:6e:31:77:4d:a4:fe:51:8e:
                    d8:62:b5:b8:84:16:e1:c3:0b:9d:bd:65:a4:23:ed:
                    45:06:94:de:f0:45:11:c5:8f:55:00:8a:cc:3a:a8:
                    d7:11:60:01:db:cc:66:70:17
                Exponent: 65537 (0x10001)
        Attributes:
            1.3.6.1.4.1.34380.2.1 :1
            1.3.6.1.4.1.34380.2.0 :aaabbbbbsssddddd
            1.3.6.1.4.1.34380.2.2 :2010-05-07T23:31:03+00:00
            1.3.6.1.4.1.34380.2.3 :-----BEGIN CERTIFICATE [...] -----
    Signature Algorithm: sha1WithRSAEncryption
        b1:de:11:e6:7d:80:0c:02:07:ac:4d:5a:8b:ef:7d:00:12:84:
        0c:08:3a:41:6a:ac:af:a3:15:3e:5e:fd:d4:b4:33:86:96:ee:
        df:4d:b8:00:c4:e5:c5:13:4d:c4:76:68:b5:84:3b:3a:21:17:
        f4:76:6e:81:01:ad:7d:2f:69:04:53:de:8b:f0:c5:12:91:86:
        33:43:b8:8b:46:d6:f1:ef:3d:2c:4c:3f:b3:a3:48:35:98:6d:
        0e:cc:0a:9e:2c:93:0b:a5:25:a1:49:92:8e:1f:82:df:57:65:
        b7:9c:d4:0a:57:bc:98:24:c8:c0:a4:d7:fb:fd:f0:97:29:e4:
        3d:49
</pre>
----------------------------------------
Feature #3943: Enable extended CSR attributes to be passed to the puppet client
http://projects.puppetlabs.com/issues/3943
Author: Mathias Gug
Status: Accepted
Priority: Normal
Assigned to:
Category: SSL
Target version: 2.6
Affected version: 0.25.4
Keywords:
Branch:
When the client generates a CSR for itself it would be useful to be able to
pass to the client extended attributes to be added to the CSR.
For example the component responsible for starting new instances in EC2 could
pass a signature to include in the instance CSR in order to legitimate the
request to the puppetmaster. An example infrastructure using this feature is
outlined in https://wiki.ubuntu.com/ServerMaverickPuppetBootstrap.
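
On the receiving side, a CSR carrying these attributes has to be parsed and checked before it is signed. The following is an added example, not code from the issue or from Puppet: it reads the three scalar attributes by the OIDs used in the proof of concept, rejects missing or repeated ones, and enforces the signature version and expiration date. The names `check_csr`, `custom_attributes` and `sample_csr` are hypothetical, accepting only version `1` is an assumption taken from the sample config, and the signature value is only required to be present because the issue does not define what it is computed over.

```ruby
require "openssl"
require "time"

# OIDs from the [ new_oids ] section of the proof-of-concept openssl.cnf.
OIDS = {
  "1.3.6.1.4.1.34380.2.0" => :signature,
  "1.3.6.1.4.1.34380.2.1" => :signature_version,
  "1.3.6.1.4.1.34380.2.2" => :expiration_date,
}.freeze

# Collect the custom attributes of a CSR as {name => string}.
# A repeated OID is rejected instead of letting one value shadow another.
def custom_attributes(csr)
  csr.attributes.each_with_object({}) do |attr, found|
    name = OIDS[attr.oid] or next
    raise ArgumentError, "duplicate attribute #{attr.oid}" if found.key?(name)
    found[name] = attr.value.value.first.value
  end
end

# Hypothetical pre-signing policy (assumption: only version "1" is accepted).
def check_csr(pem, now: Time.now)
  csr = OpenSSL::X509::Request.new(pem)
  return [false, "CSR self-signature invalid"] unless csr.verify(csr.public_key)
  attrs = custom_attributes(csr)
  missing = OIDS.values - attrs.keys
  return [false, "missing #{missing.join(', ')}"] unless missing.empty?
  return [false, "unsupported signature version"] unless attrs[:signature_version] == "1"
  return [false, "request expired"] if Time.iso8601(attrs[:expiration_date]) <= now
  [true, "attributes acceptable"]
rescue ArgumentError, OpenSSL::X509::RequestError => e
  [false, e.message]
end

# Constructed sample CSR carrying the given {oid => value} attributes.
def sample_csr(values)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse("/CN=foo.example.org")
  csr.public_key = key.public_key
  values.each do |oid, value|
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(value)])
    csr.add_attribute(OpenSSL::X509::Attribute.new(oid, set))
  end
  csr.sign(key, OpenSSL::Digest.new("SHA256")).to_pem
end
```
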