authorLuke Kanies <luke@madstop.com>2009-09-18 12:54:03 -0700
committerJames Turnbull <james@lovedthanlost.net>2009-11-20 07:27:21 +1100
commit2d137e2e1ce603ee2727d66b1aba57458bf4d1be (patch)
tree44660e699774dd54a6c721cac514cf41a2a543c9 /lib/puppet
parent089ac3e37dd1418751bc4dfe152e09fbacbc5122 (diff)
downloadpuppet-2d137e2e1ce603ee2727d66b1aba57458bf4d1be.tar.gz
puppet-2d137e2e1ce603ee2727d66b1aba57458bf4d1be.tar.xz
puppet-2d137e2e1ce603ee2727d66b1aba57458bf4d1be.zip
Fixing #1507 - Adding a :ca_name setting
This allows one to specify the name to use in the CA certificate. It defaults to the :certname, but for those stuck using mod_ssl it can be changed. Signed-off-by: Luke Kanies <luke@madstop.com>
Diffstat (limited to 'lib/puppet')
-rw-r--r--lib/puppet/defaults.rb1
-rw-r--r--lib/puppet/ssl/certificate_request.rb7
2 files changed, 7 insertions, 1 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 4924f2ced..ef194bc31 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -284,6 +284,7 @@ module Puppet
)
setdefaults(:ca,
+ :ca_name => ["$certname", "The name to use the Certificate Authority certificate."],
:cadir => { :default => "$ssldir/ca",
:owner => "service",
:group => "service",
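Review bot: The help text on the added `:ca_name` line is missing a preposition and does not say where the name is used; `"The name to use in the Certificate Authority certificate."` reads correctly. Judging from the second file in this commit, the value becomes the CN of the CA's certificate request, so the text could say that to show operators what changing it affects. The `setdefaults(:ca, ...)` call continues past the end of the hunk.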
diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb
index 6a0464a33..4008ababe 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -29,9 +29,14 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
# Support either an actual SSL key, or a Puppet key.
key = key.content if key.is_a?(Puppet::SSL::Key)
+ # If we're a CSR for the CA, then use the real certname, rather than the
+ # fake 'ca' name. This is mostly for backward compatibility with 0.24.x,
+ # but it's also just a good idea.
+ common_name = name == Puppet::SSL::CA_NAME ? Puppet.settings[:ca_name] : name
+
csr = OpenSSL::X509::Request.new
csr.version = 0
- csr.subject = OpenSSL::X509::Name.new([["CN", name]])
+ csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
csr.public_key = key.public_key
csr.sign(key, OpenSSL::Digest::MD5.new)
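Review bot: The value read from `Puppet.settings[:ca_name]` on the `common_name =` line goes into the CSR subject unchecked, so an empty or mistyped setting would presumably produce a CA request with a blank or unintended CN; a guard before the subject is built, such as `raise ArgumentError, "ca_name must not be empty" if common_name.to_s.empty?`, would fail early instead. The added comment says "use the real certname", which holds only while `:ca_name` keeps its `$certname` default; `# ... use the configured :ca_name (defaults to the certname)` would match the code. Separately, the unchanged `csr.sign(key, OpenSSL::Digest::MD5.new)` line signs the request with MD5, which is collision-prone; moving to `OpenSSL::Digest::SHA256.new` is worth a follow-up. The enclosing method starts and ends outside the hunk.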