Module: Puppet::SSL::CertificateFactory Private

Defined in:
lib/puppet/ssl/certificate_factory.rb

Overview

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

This class encapsulates the logic of creating and adding extensions to X509 certificates.

Class Method Summary

  • .build(cert_type, csr, issuer, serial, ttl = nil) ⇒ OpenSSL::X509::Certificate
    Create, add extensions to, and sign a new X509 certificate.

Class Method Details

.build(cert_type, csr, issuer, serial, ttl = nil) ⇒ OpenSSL::X509::Certificate

Create, add extensions to, and sign a new X509 certificate.

Raises:

  • (ArgumentError)


# File 'lib/puppet/ssl/certificate_factory.rb', line 27

def self.build(cert_type, csr, issuer, serial, ttl = nil)
  # Work out if we can even build the requested type of certificate.
  build_extensions = "build_#{cert_type.to_s}_extensions"
  respond_to?(build_extensions) or
    raise ArgumentError, "#{cert_type.to_s} is an invalid certificate type!"

  raise ArgumentError, "Certificate TTL must be an integer" unless ttl.nil? || ttl.is_a?(Fixnum)

  # set up the certificate, and start building the content.
  cert = OpenSSL::X509::Certificate.new

  cert.version    = 2 # X509v3
  cert.subject    = csr.content.subject
  cert.issuer     = issuer.subject
  cert.public_key = csr.content.public_key
  cert.serial     = serial

  # Make the certificate valid as of yesterday, because so many people's
  # clocks are out of sync.  This gives one more day of validity than people
  # might expect, but is better than making every person who has a messed up
  # clock fail, and better than having every cert we generate expire a day
  # before the user expected it to when they asked for "one year".
  cert.not_before = Time.now - (60*60*24)
  cert.not_after  = Time.now + (ttl || Puppet[:ca_ttl])

  add_extensions_to(cert, csr, issuer, send(build_extensions))

  return cert
end
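The listing above stops at the point where the factory hands off to add_extensions_to, so the signing step and the per-type extension sets are not visible here. The following is an added, self-contained example (not Puppet's code, and not the real behaviour of add_extensions_to) that walks the same steps end to end with plain OpenSSL: a throwaway CA, a CSR, a build method with the same type and TTL checks, the one-day backdating of not_before, extension creation, signing by the issuer key, and finally the check a relying party performs against the CA. The type names (:ca, :client), their extension lists, the default five-year TTL and the helper names are assumptions for this example; Integer is used where the page's code uses Fixnum, since Fixnum no longer exists in current Ruby.

```ruby
require 'openssl'

# Constructed stand-in for Puppet::SSL::CertificateFactory (not Puppet's code).
module ToyCertificateFactory
  ONE_DAY = 60 * 60 * 24

  # Extensions per certificate type: [oid, value, critical]. Assumed for this example.
  EXTENSIONS = {
    ca: [
      ['basicConstraints', 'CA:TRUE', true],
      ['keyUsage', 'keyCertSign, cRLSign', true],
    ],
    client: [
      ['basicConstraints', 'CA:FALSE', true],
      ['keyUsage', 'digitalSignature, keyEncipherment', true],
      ['extendedKeyUsage', 'clientAuth', false],
    ],
  }.freeze

  # Create, add extensions to, and sign a new X509 certificate.
  # Mirrors the factory's steps; the issuer's private key is passed explicitly
  # because the signing happens here rather than inside a separate helper.
  def self.build(cert_type, csr, issuer_cert, issuer_key, serial, ttl = nil)
    exts = EXTENSIONS[cert_type] or
      raise ArgumentError, "#{cert_type} is an invalid certificate type!"
    raise ArgumentError, 'Certificate TTL must be an integer' unless ttl.nil? || ttl.is_a?(Integer)
    # A CSR whose self-signature fails proves nothing about key possession.
    raise ArgumentError, 'CSR signature does not verify' unless csr.verify(csr.public_key)

    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2 # X509v3
    cert.subject    = csr.subject
    cert.issuer     = issuer_cert.subject
    cert.public_key = csr.public_key
    cert.serial     = serial

    # Backdate not_before by one day so clients with skewed clocks still accept it.
    now = Time.now
    cert.not_before = now - ONE_DAY
    cert.not_after  = now + (ttl || 5 * 365 * ONE_DAY) # assumed default TTL

    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = issuer_cert
    exts.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
    # Key identifiers let verifiers bind the leaf to the exact issuer key.
    cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
    cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid', false))

    cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
    cert
  end

  # Throwaway self-signed CA for the example.
  def self.make_ca(cn)
    key  = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = 1
    cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.public_key = key.public_key
    cert.not_before = Time.now - ONE_DAY
    cert.not_after  = Time.now + 10 * 365 * ONE_DAY
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
    cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    [cert, key]
  end

  # Throwaway CSR, as an agent would submit it.
  def self.make_csr(cn)
    key = OpenSSL::PKey::RSA.new(2048)
    csr = OpenSSL::X509::Request.new
    csr.version    = 0
    csr.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
    csr.public_key = key.public_key
    csr.sign(key, OpenSSL::Digest.new('SHA256'))
    [csr, key]
  end

  # What a relying party does with the result: chain to the trusted CA and
  # confirm the validity window covers the present moment.
  def self.verify(cert, ca_cert)
    store = OpenSSL::X509::Store.new
    store.add_cert(ca_cert)
    store.verify(cert)
  end
end

if $PROGRAM_NAME == __FILE__
  ca_cert, ca_key = ToyCertificateFactory.make_ca('toy-ca')
  csr, _agent_key = ToyCertificateFactory.make_csr('agent01')
  cert = ToyCertificateFactory.build(:client, csr, ca_cert, ca_key, 42, 30 * ToyCertificateFactory::ONE_DAY)
  puts cert.to_text
  puts "verifies against CA: #{ToyCertificateFactory.verify(cert, ca_cert)}"
end
```

Two points worth noticing when running it: the not_before check in the test only passes because of the backdating, and an unknown type or a non-integer TTL is rejected before any certificate object is created, exactly as in the page's build.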