This allows one to specify the name to use in the
CA certificate.  It defaults to the :certname,
but for those stuck using mod_ssl it can be changed.

Signed-off-by: Luke Kanies <[email protected]>
---
 lib/puppet/defaults.rb                |    1 +
 lib/puppet/ssl/certificate_request.rb |    7 ++++++-
 spec/integration/defaults.rb          |    5 +++++
 spec/unit/ssl/certificate_request.rb  |   15 +++++++++++++++
 4 files changed, 27 insertions(+), 1 deletions(-)

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 3a0feec..8cb2011 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -284,6 +284,7 @@ module Puppet
     )
 
     setdefaults(:ca,
+        :ca_name => ["$certname", "The name to use the Certificate Authority 
certificate."],
         :cadir => {  :default => "$ssldir/ca",
             :owner => "service",
             :group => "service",
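Review bot: The description string for `:ca_name` is missing a word and does not say where the value ends up; something like `"The name to use for the Certificate Authority certificate's subject (CN)."` reads correctly and tells operators what they are changing. Because the default is `$certname`, a host that is both CA and server will presumably end up with a CA certificate and a host certificate carrying the same CN. The description should mention that the value can be set to something distinct when clients need to tell the two apart. The `setdefaults(:ca, ...)` call continues outside the hunk.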
diff --git a/lib/puppet/ssl/certificate_request.rb 
b/lib/puppet/ssl/certificate_request.rb
index 6a0464a..4008aba 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -29,9 +29,14 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
         # Support either an actual SSL key, or a Puppet key.
         key = key.content if key.is_a?(Puppet::SSL::Key)
 
+        # If we're a CSR for the CA, then use the real certname, rather than 
the
+        # fake 'ca' name.  This is mostly for backward compatibility with 
0.24.x,
+        # but it's also just a good idea.
+        common_name = name == Puppet::SSL::CA_NAME ? Puppet.settings[:ca_name] 
: name
+
         csr = OpenSSL::X509::Request.new
         csr.version = 0
-        csr.subject = OpenSSL::X509::Name.new([["CN", name]])
+        csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
         csr.public_key = key.public_key
         csr.sign(key, OpenSSL::Digest::MD5.new)
 
diff --git a/spec/integration/defaults.rb b/spec/integration/defaults.rb
index c38a1a1..a1dc1ff 100755
--- a/spec/integration/defaults.rb
+++ b/spec/integration/defaults.rb
@@ -204,4 +204,9 @@ describe "Puppet defaults" do
             Puppet.settings[:report_server].should == "report_server"
         end
     end
+    
+    it "should have a :caname setting that defaults to the cert name" do
+        Puppet.settings[:certname] = "foo"
+        Puppet.settings[:ca_name].should == "foo"
+    end
 end
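Review bot: The new example assigns `Puppet.settings[:certname] = "foo"` and never restores it, so the value may leak into later examples unless settings are reset somewhere not visible in this hunk. Saving the old value and restoring it in an `after` block would keep the example isolated. The description also names the setting `:caname` while the code reads `:ca_name`; `it "should have a :ca_name setting that defaults to the cert name" do` matches what is asserted.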
diff --git a/spec/unit/ssl/certificate_request.rb 
b/spec/unit/ssl/certificate_request.rb
index 85e1d54..29bbc7b 100755
--- a/spec/unit/ssl/certificate_request.rb
+++ b/spec/unit/ssl/certificate_request.rb
@@ -117,6 +117,21 @@ describe Puppet::SSL::CertificateRequest do
             @instance.generate(@key)
         end
 
+        it "should set the CN to the CSR name when the CSR is not for a CA" do
+            subject = mock 'subject'
+            OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] 
== @instance.name }.returns(subject)
+            @request.expects(:subject=).with(subject)
+            @instance.generate(@key)
+        end
+
+        it "should set the CN to the :ca_name setting when the CSR is for a 
CA" do
+            subject = mock 'subject'
+            Puppet.settings.expects(:value).with(:ca_name).returns "mycertname"
+            OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] 
== "mycertname" }.returns(subject)
+            @request.expects(:subject=).with(subject)
+            
Puppet::SSL::CertificateRequest.new(Puppet::SSL::CA_NAME).generate(@key)
+        end
+
         it "should set the version to 0" do
             @request.expects(:version=).with(0)
             @instance.generate(@key)
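Review bot: In both new examples the matcher block parameter `|subject|` has the same name as the local `subject = mock 'subject'` declared just above it. On Ruby 1.8 a block parameter shares scope with the enclosing local, so the mock is overwritten when the block runs; the examples pass only because `.returns(subject)` and `.with(subject)` are evaluated first. Renaming the parameter removes the dependency on evaluation order, e.g. `.with { |entries| entries[0][1] == "mycertname" }`. The second example also stubs `Puppet.settings.expects(:value).with(:ca_name)` while the code under test reads `Puppet.settings[:ca_name]`, which assumes `[]` delegates to `value`; a short comment saying so would help the next reader.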
-- 
1.6.1

