Class: Puppet::SSL::CertificateRevocationList

Inherits:

Base

• Object
• Base
• Puppet::SSL::CertificateRevocationList

Extended by:

Indirector

Defined in:

lib/puppet/ssl/certificate_revocation_list.rb

Overview

Manage the CRL.

Defined Under Namespace

Classes: Ca, DisabledCa, File, Rest

Constant Summary

FIVE_YEARS =

5 * 365*24*60*60

Constants included from Indirector

Indirector::BadNameRegexp

Constants inherited from Base

Base::SEPARATOR, Base::VALID_CERTNAME

Instance Attribute Summary

Attributes inherited from Base

#content, #name

Class Method Summary

• .from_s(string) ⇒ Object

  Convert a string into an instance.

• .supported_formats ⇒ Object

  Because of how the format handler class is included, this can’t be in the base class.

Instance Method Summary

• #generate(cert, cakey) ⇒ Object

  Knows how to create a CRL with our system defaults.

• #initialize(fakename) ⇒ CertificateRevocationList constructor

  The name doesn’t actually matter; there’s only one CRL.

• #revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE) ⇒ Object

  Revoke the certificate with serial number SERIAL issued by this CA, then write the CRL back to disk.

Methods included from Indirector

configure_routes, indirects

Methods inherited from Base

#ca?, #digest, #digest_algorithm, #fingerprint, from_instance, from_multiple_s, name_from_subject, #read, #to_data_hash, to_multiple_s, #to_s, #to_text, validate_certname, wrapped_class, wraps

Constructor Details

#initialize(fakename) ⇒ CertificateRevocationList

The name doesn’t actually matter; there’s only one CRL. We just need the name so our Indirector stuff all works more easily.

# File 'lib/puppet/ssl/certificate_revocation_list.rb', line 41

def initialize(fakename)
  @name = "crl"
end

Class Method Details

.from_s(string) ⇒ Object

Convert a string into an instance.

# File 'lib/puppet/ssl/certificate_revocation_list.rb', line 17

def self.from_s(string)
  super(string, 'foo') # The name doesn't matter
end

.supported_formats ⇒ Object

Because of how the format handler class is included, this can’t be in the base class.

# File 'lib/puppet/ssl/certificate_revocation_list.rb', line 23

def self.supported_formats
  [:s]
end

Instance Method Details

#generate(cert, cakey) ⇒ Object

Knows how to create a CRL with our system defaults.

# File 'lib/puppet/ssl/certificate_revocation_list.rb', line 28

def generate(cert, cakey)
  Puppet.info _("Creating a new certificate revocation list")

  create_crl_issued_by(cert)
  start_at_initial_crl_number
  update_valid_time_range_to_start_at(Time.now)
  sign_with(cakey)

  @content
end

#revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE) ⇒ Object

Revoke the certificate with serial number SERIAL issued by this CA, then write the CRL back to disk. The REASON must be one of the OpenSSL::OCSP::REVOKED_* reasons

# File 'lib/puppet/ssl/certificate_revocation_list.rb', line 48

def revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
  Puppet.notice _("Revoked certificate with serial %{serial}") % { serial: serial }
  time = Time.now

  add_certificate_revocation_for(serial, reason, time)
  update_to_next_crl_number
  update_valid_time_range_to_start_at(time)
  sign_with(cakey)

  Puppet::SSL::CertificateRevocationList.indirection.save(self)
end