Module: Puppet::SSL::CertificateFactory Private

Defined in:
lib/puppet/ssl/certificate_factory.rb

Overview

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

This module encapsulates the logic of creating X509 certificates and adding the extensions appropriate to each certificate type.

Class Method Summary

Class Method Details

.build(cert_type, csr, issuer, serial, ttl = nil) ⇒ OpenSSL::X509::Certificate

Create a new X509v3 certificate from the CSR and add the extensions required for the requested certificate type. The returned certificate is not yet signed; the caller is expected to sign it with the issuer's private key.

Parameters:

  • cert_type (Symbol)

    The certificate type to create, which specifies what extensions are added to the certificate. One of (:ca, :terminalsubca, :server, :ocsp, :client)

  • csr (Puppet::SSL::CertificateRequest)

    The signing request associated with the certificate being created.

  • issuer (OpenSSL::X509::Certificate, OpenSSL::X509::Request)

    The X509 CSR itself if this is a self-signed certificate (its subject becomes the issuer name), or the X509 certificate of the CA if this is a CA-signed certificate.

  • serial (Integer)

    The serial number for the given certificate, which MUST be unique for the given CA.

  • ttl (String) (defaults to: nil)

    The duration of the validity for the given certificate. defaults to Puppet

Returns:

  • (OpenSSL::X509::Certificate)

Raises:

  • (ArgumentError) if cert_type is not one of the supported types, or if ttl is given and is not an Integer.


# File 'lib/puppet/ssl/certificate_factory.rb', line 27

def self.build(cert_type, csr, issuer, serial, ttl = nil)
  # Work out if we can even build the requested type of certificate.
  build_extensions = "build_#{cert_type.to_s}_extensions"
  respond_to?(build_extensions) or
    raise ArgumentError, _("%{cert_type} is an invalid certificate type!") % { cert_type: cert_type.to_s }

  raise ArgumentError, _("Certificate TTL must be an integer") unless ttl.nil? || ttl.is_a?(Integer)

  # set up the certificate, and start building the content.
  cert = OpenSSL::X509::Certificate.new

  cert.version    = 2 # X509v3
  cert.subject    = csr.content.subject
  cert.issuer     = issuer.subject
  cert.public_key = csr.content.public_key
  cert.serial     = serial

  # Make the certificate valid as of yesterday, because so many people's
  # clocks are out of sync.  This gives one more day of validity than people
  # might expect, but is better than making every person who has a messed up
  # clock fail, and better than having every cert we generate expire a day
  # before the user expected it to when they asked for "one year".
  cert.not_before = Time.now - (60*60*24)
  cert.not_after  = Time.now + (ttl || Puppet[:ca_ttl])

  add_extensions_to(cert, csr, issuer, send(build_extensions))

  return cert
end
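Because the module is private and its build_*_extensions helpers are not shown on this page, the following is an added, stand-alone analogue of build written against the Ruby openssl standard library. It is example code, not Puppet's own, and it mirrors the steps above: X509v3, subject and public key copied from the CSR, issuer name taken from the issuer (CSR for self-signed, CA certificate otherwise), caller-supplied serial, not_before backdated by one day, an Integer ttl in seconds, and ArgumentError for an unknown type or a non-Integer ttl. The per-type extension sets, the DEFAULT_TTL stand-in for Puppet[:ca_ttl], and the helper names new_csr, build_cert, check_cert and demo are assumptions made for illustration; the sample subjects are constructed.

```ruby
require 'openssl'

# Added example, not Puppet's code. The extension sets below are ASSUMED for
# illustration; Puppet's real build_*_extensions helpers are not on the page.
EXTENSIONS = {
  ca:            [['basicConstraints', 'CA:TRUE', true],
                  ['keyUsage', 'keyCertSign, cRLSign', true],
                  ['subjectKeyIdentifier', 'hash', false]],
  terminalsubca: [['basicConstraints', 'CA:TRUE, pathlen:0', true],
                  ['keyUsage', 'keyCertSign, cRLSign', true],
                  ['subjectKeyIdentifier', 'hash', false]],
  server:        [['basicConstraints', 'CA:FALSE', true],
                  ['keyUsage', 'digitalSignature, keyEncipherment', true],
                  ['extendedKeyUsage', 'serverAuth', false],
                  ['subjectKeyIdentifier', 'hash', false]],
  ocsp:          [['basicConstraints', 'CA:FALSE', true],
                  ['keyUsage', 'digitalSignature', true],
                  ['extendedKeyUsage', 'OCSPSigning', false]],
  client:        [['basicConstraints', 'CA:FALSE', true],
                  ['keyUsage', 'digitalSignature', true],
                  ['extendedKeyUsage', 'clientAuth', false]],
}.freeze

# Stand-in for Puppet[:ca_ttl] (assumed: five years, in seconds).
DEFAULT_TTL = 5 * 365 * 24 * 60 * 60

# Build a CSR for a key; used only to construct sample input for the example.
def new_csr(common_name, key)
  csr = OpenSSL::X509::Request.new
  csr.version    = 0
  csr.subject    = OpenSSL::X509::Name.new([['CN', common_name]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256')) # returns the CSR
end

# Analogue of Puppet::SSL::CertificateFactory.build: returns an UNSIGNED cert.
def build_cert(cert_type, csr, issuer, serial, ttl = nil)
  exts = EXTENSIONS[cert_type]
  raise ArgumentError, "#{cert_type} is an invalid certificate type!" unless exts
  raise ArgumentError, 'Certificate TTL must be an integer' unless ttl.nil? || ttl.is_a?(Integer)

  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X509v3
  cert.subject    = csr.subject
  cert.issuer     = issuer.subject          # CSR subject when self-signed, CA subject otherwise
  cert.public_key = csr.public_key
  cert.serial     = serial                  # caller is responsible for uniqueness per CA
  cert.not_before = Time.now - (60 * 60 * 24) # one day of clock-skew allowance
  cert.not_after  = Time.now + (ttl || DEFAULT_TTL)

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer.is_a?(OpenSSL::X509::Certificate) ? issuer : cert
  exts.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert
end

# Checks a practitioner would run on the signed result.
def check_cert(cert, issuer_cert, now = Time.now)
  {
    signature_ok: cert.verify(issuer_cert.public_key),
    issued_by:    cert.issuer.to_s == issuer_cert.subject.to_s,
    backdated:    cert.not_before < now,   # the one-day skew allowance is in effect
    not_expired:  cert.not_after > now,
    is_ca:        cert.extensions.any? { |e| e.oid == 'basicConstraints' && e.value.include?('CA:TRUE') },
  }
end

# Self-signed CA (issuer is the CSR), then a CA-signed server cert with a 1-year ttl.
def demo
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca_csr  = new_csr('Puppet CA: ca.example.com', ca_key)   # constructed sample subject
  ca_cert = build_cert(:ca, ca_csr, ca_csr, 1)
  ca_cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))     # signing happens outside build

  agent_key  = OpenSSL::PKey::RSA.new(2048)
  agent_csr  = new_csr('agent.example.com', agent_key)     # constructed sample subject
  agent_cert = build_cert(:server, agent_csr, ca_cert, 2, 365 * 24 * 60 * 60)
  agent_cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [ca_cert, agent_cert]
end

if __FILE__ == $PROGRAM_NAME
  ca, agent = demo
  puts check_cert(agent, ca).inspect
end
```

Note that, exactly as in build above, the validity window is one day longer than the requested ttl because not_before is backdated; a certificate built with a one-year ttl therefore spans 366 days. The serial is passed in by the caller, so the uniqueness requirement on it has to be enforced by whatever issues serials, not by this function.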