author | Luke Kanies <luke@madstop.com> | 2008-04-18 10:49:58 -0500 |
---|---|---|
committer | Luke Kanies <luke@madstop.com> | 2008-04-18 10:49:58 -0500 |
commit | 92a7d76e8a160ba1ddb684d52eab6639cf801cb7 (patch) | |
tree | 0c82d00456eae10d6208c0cce93a4c2092568913 | |
parent | fb56deae3488e5d97e10e38cba98393a5a8f8414 (diff) | |
All SSL terminus classes now force the CA information into the right place.
Without this, you could end up duplicating your CA
key into the normal directory, depending on how caching
was set up.
Again, this design aspect isn't the most straightforward,
but at least it's functional now.
-rw-r--r-- | lib/puppet/indirector/certificate/file.rb | 1 | ||||
-rw-r--r-- | lib/puppet/indirector/key/file.rb | 1 | ||||
-rwxr-xr-x | spec/integration/ssl/host.rb | 10 | ||||
-rwxr-xr-x | spec/unit/indirector/certificate/file.rb | 9 | ||||
-rwxr-xr-x | spec/unit/indirector/key/file.rb | 9 |
5 files changed, 30 insertions, 0 deletions
diff --git a/lib/puppet/indirector/certificate/file.rb b/lib/puppet/indirector/certificate/file.rb index 9e2e8ed99..5f4ade051 100644 --- a/lib/puppet/indirector/certificate/file.rb +++ b/lib/puppet/indirector/certificate/file.rb @@ -5,4 +5,5 @@ class Puppet::SSL::Certificate::File < Puppet::Indirector::SslFile desc "Manage SSL certificates on disk." store_in :certdir + store_ca_at :cacert end diff --git a/lib/puppet/indirector/key/file.rb b/lib/puppet/indirector/key/file.rb index 7103c2903..4536f8aa7 100644 --- a/lib/puppet/indirector/key/file.rb +++ b/lib/puppet/indirector/key/file.rb @@ -5,6 +5,7 @@ class Puppet::SSL::Key::File < Puppet::Indirector::SslFile desc "Manage SSL private and public keys on disk." store_in :privatekeydir + store_ca_at :cakey # Where should we store the public key? def public_key_path(name) diff --git a/spec/integration/ssl/host.rb b/spec/integration/ssl/host.rb index 63d7aca5b..e8fd89364 100755 --- a/spec/integration/ssl/host.rb +++ b/spec/integration/ssl/host.rb @@ -67,4 +67,14 @@ describe Puppet::SSL::Host do File.read(File.join(Puppet.settings[:requestdir], "luke.madstop.com.pem")).should == @host.certificate_request.to_s end end + + describe "when the CA host" do + it "should never store its key in the :privatekeydir" do + Puppet.settings.use(:main, :ssl, :ca) + @ca = Puppet::SSL::Host.new(Puppet::SSL::Host.ca_name) + @ca.generate_key + + FileTest.should_not be_exist(File.join(Puppet[:privatekeydir], "ca.pem")) + end + end end diff --git a/spec/unit/indirector/certificate/file.rb b/spec/unit/indirector/certificate/file.rb index 18fe9a1c3..ffaf12047 100755 --- a/spec/unit/indirector/certificate/file.rb +++ b/spec/unit/indirector/certificate/file.rb 
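Review bot: The new `store_ca_at :cacert` line in `Puppet::SSL::Certificate::File` carries no comment saying why the CA entry is routed away from the `store_in` directory, and the same holds for `store_ca_at :cakey` in `Puppet::SSL::Key::File`. The reason currently lives only in the commit message, so I would put it next to the code, for the key terminus e.g. `# The CA private key is kept only at :cakey, never under :privatekeydir, so caching cannot leave a second copy.` How an entry is recognised as the CA (the `ca?` predicate the specs stub) is defined outside this diff, so the comment should name that check rather than restate it.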
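Review bot: The example added to `spec/integration/ssl/host.rb` asserts only an absence, so it also passes when `generate_key` writes no key at all, or when the CA's file is not named `ca.pem`. The host is built from `Puppet::SSL::Host.ca_name` while the path uses the literal `"ca.pem"`; building it as `File.join(Puppet[:privatekeydir], Puppet::SSL::Host.ca_name + ".pem")` keeps the two in step. I would also add the positive half, `FileTest.should be_exist(Puppet[:cakey])`, so the spec proves the key landed where it belongs. The commit message ties the duplication to how caching was set up, and no cache configuration is visible in this hunk; the surrounding setup lies outside it, so that may already be covered.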
@@ -16,4 +16,13 @@ describe Puppet::SSL::Certificate::File do Puppet.settings.expects(:value).with(:certdir).returns "/cert/dir" Puppet::SSL::Certificate::File.collection_directory.should == "/cert/dir" end + + it "should store the ca certificate at the :cacert location" do + Puppet.settings.stubs(:use) + Puppet.settings.stubs(:value).returns "whatever" + Puppet.settings.stubs(:value).with(:cacert).returns "/ca/cert" + file = Puppet::SSL::Certificate::File.new + file.stubs(:ca?).returns true + file.path("whatever").should == "/ca/cert" + end end diff --git a/spec/unit/indirector/key/file.rb b/spec/unit/indirector/key/file.rb index bd0c57c36..8a1cb04bd 100755 --- a/spec/unit/indirector/key/file.rb +++ b/spec/unit/indirector/key/file.rb @@ -17,6 +17,15 @@ describe Puppet::SSL::Key::File do Puppet::SSL::Key::File.collection_directory.should == "/key/dir" end + it "should store the ca key at the :cakey location" do + Puppet.settings.stubs(:use) + Puppet.settings.stubs(:value).returns "whatever" + Puppet.settings.stubs(:value).with(:cakey).returns "/ca/key" + file = Puppet::SSL::Key::File.new + file.stubs(:ca?).returns true + file.path("whatever").should == "/ca/key" + end + describe "when choosing the path for the public key" do it "should use the :capub setting location if the key is for the certificate authority" do Puppet.settings.stubs(:value).returns "/fake/dir" |
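Review bot: The example added to `spec/unit/indirector/certificate/file.rb` exercises only the `ca?`-true branch, and the matching example in `spec/unit/indirector/key/file.rb` does the same, so nothing pins that an ordinary host name never resolves to the CA path. A companion example with `file.stubs(:ca?).returns false` and `file.path("whatever").should_not == "/ca/cert"` (`"/ca/key"` in the key spec) would catch a regression that writes a host's certificate or private key over the CA's. The catch-all settings stub returns `"whatever"` and the name passed to `path` is also `"whatever"`; distinct strings would make a failure message unambiguous.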