Module: Puppet::SSL::CertificateFactory

Defined in:

lib/puppet/ssl/certificate_factory.rb

Overview

The tedious class that does all the manipulations to the certificate to correctly sign it. Yay.

Class Method Summary

• .build(cert_type, csr, issuer, serial, ttl = nil) ⇒ Object

Class Method Details

.build(cert_type, csr, issuer, serial, ttl = nil) ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/puppet/ssl/certificate_factory.rb', line 6

def self.build(cert_type, csr, issuer, serial, ttl = nil)
  # Work out if we can even build the requested type of certificate.
  build_extensions = "build_#{cert_type.to_s}_extensions"
  respond_to?(build_extensions) or
    raise ArgumentError, "#{cert_type.to_s} is an invalid certificate type!"

  raise ArgumentError, "Certificate TTL must be an integer" unless ttl.nil? || ttl.is_a?(Fixnum)

  # set up the certificate, and start building the content.
  cert = OpenSSL::X509::Certificate.new

  cert.version    = 2 # X509v3
  cert.subject    = csr.content.subject
  cert.issuer     = issuer.subject
  cert.public_key = csr.content.public_key
  cert.serial     = serial

  # Make the certificate valid as of yesterday, because so many people's
  # clocks are out of sync.  This gives one more day of validity than people
  # might expect, but is better than making every person who has a messed up
  # clock fail, and better than having every cert we generate expire a day
  # before the user expected it to when they asked for "one year".
  cert.not_before = Time.now - (60*60*24)
  cert.not_after  = Time.now + (ttl || Puppet[:ca_ttl])

  add_extensions_to(cert, csr, issuer, send(build_extensions))

  return cert
end