author | Luke Kanies <luke@madstop.com> | 2009-09-18 12:54:03 -0700 |
---|---|---|
committer | James Turnbull <james@lovedthanlost.net> | 2009-11-20 07:27:21 +1100 |
commit | 2d137e2e1ce603ee2727d66b1aba57458bf4d1be (patch) | |
tree | 44660e699774dd54a6c721cac514cf41a2a543c9 | |
parent | 089ac3e37dd1418751bc4dfe152e09fbacbc5122 (diff) | |
Fixing #1507 - Adding a :ca_name setting
This allows one to specify the name to use in the
CA certificate. It defaults to the :certname,
but for those stuck using mod_ssl it can be changed.
Signed-off-by: Luke Kanies <luke@madstop.com>
-rw-r--r-- | lib/puppet/defaults.rb | 1 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_request.rb | 7 | ||||
-rwxr-xr-x | spec/integration/defaults.rb | 5 | ||||
-rwxr-xr-x | spec/unit/ssl/certificate_request.rb | 15 |
4 files changed, 27 insertions, 1 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb index 4924f2ced..ef194bc31 100644 --- a/lib/puppet/defaults.rb +++ b/lib/puppet/defaults.rb @@ -284,6 +284,7 @@ module Puppet ) setdefaults(:ca, + :ca_name => ["$certname", "The name to use the Certificate Authority certificate."], :cadir => { :default => "$ssldir/ca", :owner => "service", :group => "service", diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb index 6a0464a33..4008ababe 100644 --- a/lib/puppet/ssl/certificate_request.rb +++ b/lib/puppet/ssl/certificate_request.rb @@ -29,9 +29,14 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base # Support either an actual SSL key, or a Puppet key. key = key.content if key.is_a?(Puppet::SSL::Key) + # If we're a CSR for the CA, then use the real certname, rather than the + # fake 'ca' name. This is mostly for backward compatibility with 0.24.x, + # but it's also just a good idea. + common_name = name == Puppet::SSL::CA_NAME ? Puppet.settings[:ca_name] : name + csr = OpenSSL::X509::Request.new csr.version = 0 - csr.subject = OpenSSL::X509::Name.new([["CN", name]]) + csr.subject = OpenSSL::X509::Name.new([["CN", common_name]]) csr.public_key = key.public_key csr.sign(key, OpenSSL::Digest::MD5.new) diff --git a/spec/integration/defaults.rb b/spec/integration/defaults.rb index fb00f8646..0e9a03fcb 100755 --- a/spec/integration/defaults.rb +++ b/spec/integration/defaults.rb @@ -204,4 +204,9 @@ describe "Puppet defaults" do Puppet.settings[:report_server].should == "report_server" end end + + it "should have a :caname setting that defaults to the cert name" do + Puppet.settings[:certname] = "foo" + Puppet.settings[:ca_name].should == "foo" + end end diff --git a/spec/unit/ssl/certificate_request.rb b/spec/unit/ssl/certificate_request.rb index 85e1d5470..29bbc7bc1 100755 --- a/spec/unit/ssl/certificate_request.rb +++ b/spec/unit/ssl/certificate_request.rb 
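Review bot: The help text for the new `:ca_name` entry in lib/puppet/defaults.rb is missing a word and gives an operator no hint about when to change it. Because the default is `$certname`, the CA certificate will presumably carry the same name as the host's own certificate unless the setting is overridden, which is the mod_ssl case the commit message mentions. I would word it as `"The name to use for the Certificate Authority certificate; defaults to the certname, set a distinct value if the CA and server certificates must not share a name."`. The `setdefaults(:ca, ...)` call continues outside the hunk.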
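Review bot: In lib/puppet/ssl/certificate_request.rb the value of `Puppet.settings[:ca_name]` goes into the subject CN unchecked, so an empty or whitespace-only setting would produce a CA CSR with a blank CN. A guard right after the assignment, e.g. `raise ArgumentError, "ca_name must not be empty" if common_name.to_s.strip.empty?`, would fail early instead. The added comment says "use the real certname", but the code reads `:ca_name`, which only defaults to the certname; `# If we're a CSR for the CA, use the :ca_name setting (default: certname) rather than the fake 'ca' name.` would match the code. Separately, the unchanged context line still signs the request with `OpenSSL::Digest::MD5.new`, which deserves its own follow-up. The method body starts and ends outside the hunk.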
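Review bot: The new example in spec/integration/defaults.rb is titled with `:caname` while the setting it checks is `:ca_name`; `it "should have a :ca_name setting that defaults to the cert name" do` keeps the spec output searchable by the real setting name. The example also assigns `Puppet.settings[:certname] = "foo"` and nothing in the hunk restores it, so unless a teardown outside the hunk clears settings, the value may leak into later examples.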
@@ -117,6 +117,21 @@ describe Puppet::SSL::CertificateRequest do @instance.generate(@key) end + it "should set the CN to the CSR name when the CSR is not for a CA" do + subject = mock 'subject' + OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == @instance.name }.returns(subject) + @request.expects(:subject=).with(subject) + @instance.generate(@key) + end + + it "should set the CN to the :ca_name setting when the CSR is for a CA" do + subject = mock 'subject' + Puppet.settings.expects(:value).with(:ca_name).returns "mycertname" + OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == "mycertname" }.returns(subject) + @request.expects(:subject=).with(subject) + Puppet::SSL::CertificateRequest.new(Puppet::SSL::CA_NAME).generate(@key) + end + it "should set the version to 0" do @request.expects(:version=).with(0) @instance.generate(@key) |
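Review bot: Both new examples in spec/unit/ssl/certificate_request.rb name the `.with { ... }` block parameter `|subject|` while a local `subject` holding the mock is already in scope. On Ruby 1.8 a block parameter that shares a name with an outer local assigns to that local, so once the matcher runs `subject` would presumably hold the argument array instead of the mock; the examples pass only because `.returns(subject)` and `.with(subject)` are evaluated before `generate` is called. Renaming the parameter, e.g. `.with { |pairs| pairs[0][1] == "mycertname" }`, removes that dependency on evaluation order. The first example also relies on `@instance.name` differing from `Puppet::SSL::CA_NAME`, which is set up outside the hunk.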