From f54368fbe258a00fdc3a1b4af1bfac3d05a0baf6 Mon Sep 17 00:00:00 2001
From: Al Tobey <tobert@gmail.com>
Date: Fri, 9 Jul 2010 15:55:14 -0700
Subject: [PATCH 1/2] Add support for "localcacertdir".

Signed-off-by: Al Tobey <tobert@gmail.com>
---
 lib/puppet/defaults.rb |    5 +++++
 lib/puppet/ssl/host.rb |    5 +++++
 2 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 6ded3c0..caf9757 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -258,6 +258,11 @@ module Puppet
             :owner => "service",
             :desc => "Where each client stores the CA certificate."
         },
+        :localcacertdir => { :default => "$certdir/cacerts/",
+            :mode => 0750,
+            :owner => "service",
+            :desc => "Where each client stores a hashed directory of CA certs."
+        },
         :hostcrl => { :default => "$ssldir/crl.pem",
             :mode => 0644,
             :owner => "service",
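Review bot: The `:desc` on the new `:localcacertdir` entry does not say that this directory is a trust store. The host.rb hunk of this patch passes it to `@ssl_store.add_path`, so every certificate placed there is presumably accepted as a CA when the store verifies a peer. I would spell that out, along with the required file naming, e.g. `:desc => "Directory of additional trusted CA certificates, named by OpenSSL subject hash (as c_rehash produces). Every certificate in it is trusted as a CA, so keep it writable by the service owner only."`. Because the default is a non-empty path, the setting is active on every client rather than opt-in, and that is worth one more sentence in the description.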
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index f367ada..f4c70d6 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -210,6 +210,11 @@ class Puppet::SSL::Host
             # Use the file path here, because we don't want to cause
             # a lookup in the middle of setting our ssl connection.
             @ssl_store.add_file(Puppet[:localcacert])
+            # also support a hashed CA cert path, which makes chaining possible
+            if Puppet.settings[:localcacertdir]
+                Puppet.debug "Found local CA path: %s" % Puppet[:localcacertdir]
+                @ssl_store.add_path(Puppet[:localcacertdir])
+            end
 
             # If there's a CRL, add it to our store.
             if crl = Puppet::SSL::CertificateRevocationList.find(CA_NAME)
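Review bot: The guard `if Puppet.settings[:localcacertdir]` is always true once the default `"$certdir/cacerts/"` from the defaults.rb hunk is in place, so "Found local CA path" is logged and `add_path` is called whether or not the directory exists. Testing the filesystem instead, `if File.directory?(Puppet[:localcacertdir])`, makes the debug line truthful and also uses the same `Puppet[...]` accessor as the two lines below it. Separately, the CRL block that follows appears to load only the `CA_NAME` CRL, so certificates chaining to a CA from this directory would presumably have no revocation data in this store. It is worth confirming how the CRL flags behave in that case and noting it in the comment above the `if`. The enclosing method starts and ends outside this hunk.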
-- 
1.7.1

