We still look for certificates/keys/etc named "ca", but the cert itself uses the certname of the host that functions as the CA.
Signed-off-by: Luke Kanies <[email protected]> --- lib/puppet/ssl/certificate_request.rb | 7 ++++++- spec/unit/ssl/certificate_request.rb | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 1 deletions(-) diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb index 6a0464a..3fd9ab9 100644 --- a/lib/puppet/ssl/certificate_request.rb +++ b/lib/puppet/ssl/certificate_request.rb @@ -29,9 +29,14 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base # Support either an actual SSL key, or a Puppet key. key = key.content if key.is_a?(Puppet::SSL::Key) + # If we're a CSR for the CA, then use the real certname, rather than the + # fake 'ca' name. This is mostly for backward compatibility with 0.24.x, + # but it's also just a good idea. + common_name = name == Puppet::SSL::CA_NAME ? Puppet.settings[:certname] : name + csr = OpenSSL::X509::Request.new csr.version = 0 - csr.subject = OpenSSL::X509::Name.new([["CN", name]]) + csr.subject = OpenSSL::X509::Name.new([["CN", common_name]]) csr.public_key = key.public_key csr.sign(key, OpenSSL::Digest::MD5.new) diff --git a/spec/unit/ssl/certificate_request.rb b/spec/unit/ssl/certificate_request.rb index 85e1d54..7a3713c 100755 --- a/spec/unit/ssl/certificate_request.rb +++ b/spec/unit/ssl/certificate_request.rb @@ -117,6 +117,21 @@ describe Puppet::SSL::CertificateRequest do @instance.generate(@key) end + it "should set the CN to the CSR name when the CSR is not for a CA" do + subject = mock 'subject' + OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == @instance.name }.returns(subject) + @request.expects(:subject=).with(subject) + @instance.generate(@key) + end + + it "should set the CN to the :certname setting when the CSR is for a CA" do + subject = mock 'subject' + Puppet.settings.expects(:value).with(:certname).returns "mycertname" + OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == "mycertname" }.returns(subject) + @request.expects(:subject=).with(subject) + Puppet::SSL::CertificateRequest.new(Puppet::SSL::CA_NAME).generate(@key) + end + it "should set the version to 0" do @request.expects(:version=).with(0) @instance.generate(@key) -- 1.6.1 --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en -~----------~----~----~----~------~----~------~--~---
