This patch adds the contents of certdnsnames to the CSR being generated on the Puppet agent as Extensions.
Signed-off-by: James Turnbull <ja...@lovedthanlost.net>
---
Local-branch: tickets/master/7243
 lib/puppet/ssl/certificate_request.rb | 20 ++++++++++++++++++++
 spec/unit/ssl/certificate_request_spec.rb | 1 +
 2 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb
index ecdebe1..15eadf3 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -1,4 +1,5 @@
 require 'puppet/ssl/base'
+require 'pp'
 # Manage certificate requests.
 class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
@@ -52,6 +53,25 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
 csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
 csr.public_key = key.public_key
+ dnsnames = Puppet[:certdnsnames]
+ subject_alt_name = []
+ if dnsnames != ""
+ dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
+ end
+ subject_alt_name << 'DNS:' + Facter["fqdn"].value
+
+ ef = OpenSSL::X509::ExtensionFactory.new
+
+ names = subject_alt_name.collect{|e| ef.create_extension("subjectAltName", e, "false") }
+ names = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(names)])
+
+ attrs = [
+ OpenSSL::X509::Attribute.new("extReq", names),
+ OpenSSL::X509::Attribute.new("msExtReq", names),
+ ]
+
+ attrs.each{|attr| csr.add_attribute(attr) }
+
 if Puppet[:allow_csr_attributes]
 @csrattributes = Puppet[:csr_attributes_file]
 unless FileTest.exists?(@csrattributes)
diff --git a/spec/unit/ssl/certificate_request_spec.rb b/spec/unit/ssl/certificate_request_spec.rb
index 8b64a28..e616c76 100755
--- a/spec/unit/ssl/certificate_request_spec.rb
+++ b/spec/unit/ssl/certificate_request_spec.rb
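Review bot: `require 'pp'` is added at the top of lib/puppet/ssl/certificate_request.rb, but nothing else in the patch calls `pp`, so it reads as a leftover from debugging the ASN.1 structure built further down. Unless a part of the file outside this diff uses it, drop the line; pulling the pretty-printer into a library file changes no behaviour but leaves an unexplained dependency for the next reader.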
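Review bot: The `names` built from `subject_alt_name.collect{...}` is a SEQUENCE holding one subjectAltName extension per name, so the extReq/msExtReq attribute requests several extensions with the same OID, each carrying a single DNS entry; RFC 5280 §4.2 forbids more than one instance of an extension in a certificate, so a CA that copies the request verbatim would either reject it or issue a malformed certificate. Build one extension from the comma-joined list instead and replace the two `names =` lines with `names = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([ef.create_extension("subjectAltName", subject_alt_name.join(","), false)])])`. That also fixes the third argument: `"false"` is a non-empty String and therefore truthy in Ruby, so if the binding tests the critical flag with ordinary truthiness (as I believe it does) the current code marks the extension critical; pass the literal `false`. `Facter["fqdn"].value` and `Puppet[:certdnsnames]` are used without nil guards, so an unresolved fact or an unset setting most likely raises (`nil.split`, `'DNS:' + nil`), and a value such as `a::b` yields a bare `DNS:` entry — `.to_s` on both and `reject(&:empty?)` after the split would cover all three. Because the CSR now carries requester-chosen names, the signing side must still decide which of them it is willing to certify, and nothing in this hunk constrains them; `generate` begins and ends outside the hunk.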
@@ -127,6 +127,7 @@ describe Puppet::SSL::CertificateRequest do
 subject = mock 'subject'
 Puppet.settings.expects(:value).with(:ca_name).returns "mycertname"
 Puppet.settings.expects(:value).with(:allow_csr_attributes).returns false
+ Puppet.settings.expects(:value).with(:certdnsnames).returns "othercertname"
 OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == "mycertname" }.returns(subject)
 @request.expects(:subject=).with(subject)
 Puppet::SSL::CertificateRequest.new(Puppet::SSL::CA_NAME).generate(@key)
-- 
1.7.4.1
-- 
You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to puppet-dev@googlegroups.com. To unsubscribe from this group, send email to puppet-dev+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
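Review bot: The added `Puppet.settings.expects(:value).with(:certdnsnames).returns "othercertname"` only satisfies the settings mock; nothing in this example asserts that a subjectAltName request is attached to the CSR or that `othercertname` appears in it, so the new code path in `generate` is exercised but unverified. An expectation such as `@request.expects(:add_attribute).twice` (or one inspecting the attribute value for `DNS:othercertname`) would pin the behaviour. As far as this hunk shows, `Facter["fqdn"]` is not stubbed either, so unless it is stubbed elsewhere in the file the example now depends on the fqdn fact of the machine running the spec. The enclosing `it` block starts and ends outside the hunk.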