Diffstat (limited to 'lib/puppet/ssl')
-rw-r--r-- | lib/puppet/ssl/certificate_revocation_list.rb | 13 | ||||
-rw-r--r-- | lib/puppet/ssl/host.rb | 18 |
2 files changed, 30 insertions, 1 deletions
diff --git a/lib/puppet/ssl/certificate_revocation_list.rb b/lib/puppet/ssl/certificate_revocation_list.rb
index 96b71c7a3..3029c14a4 100644
--- a/lib/puppet/ssl/certificate_revocation_list.rb
+++ b/lib/puppet/ssl/certificate_revocation_list.rb
@@ -9,12 +9,23 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
   indirects :certificate_revocation_list, :terminus_class => :file
   # Knows how to create a CRL with our system defaults.
-  def generate(cert)
+  def generate(cert, cakey)
     Puppet.info "Creating a new certificate revocation list"
     @content = wrapped_class.new
     @content.issuer = cert.subject
     @content.version = 1
+    # Init the CRL number.
+    crlNum = OpenSSL::ASN1::Integer(0)
+    @content.extensions = [OpenSSL::X509::Extension.new("crlNumber", crlNum)]
+
+    # Set last/next update
+    @content.last_update = Time.now
+    # Keep CRL valid for 5 years
+    @content.next_update = Time.now + 5 * 365*24*60*60
+
+    @content.sign(cakey, OpenSSL::Digest::SHA1.new)
+
     @content
   end
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 09086e0fa..105b39dc6 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -164,6 +164,24 @@ class Puppet::SSL::Host
   def public_key
     key.content.public_key
   end
+
+  # Create/return a store that uses our SSL info to validate
+  # connections.
+  def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY)
+    store = OpenSSL::X509::Store.new
+    store.purpose = purpose
+
+    store.add_file(Puppet[:localcacert])
+
+    if Puppet[:crl]
+      unless crl = Puppet::SSL::CertificateRevocationList.find("ca")
+        raise ArgumentError, "Could not find CRL; set 'crl' to 'false' to disable CRL usage"
+      end
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+      store.add_crl(crl.content)
+    end
+    return store
+  end
 end
 require 'puppet/ssl/certificate_authority'
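Review bot: `@content.sign(cakey, OpenSSL::Digest::SHA1.new)` signs the new CRL with SHA-1, which is deprecated for fresh signatures and is increasingly refused by verifiers at their default security level; the digest should be `OpenSSL::Digest::SHA256.new` (or the same digest the CA uses for certificate signing, if that is configured elsewhere). The five-year `next_update` also lets a verifier that has cached this CRL treat it as current long after the CA has published a newer one, so a shorter window refreshed by the CA is safer; whether the CRL is re-signed and its `crlNumber` incremented on each revocation is not visible in this hunk. Minor: `Time.now` is read twice, so `now = Time.now` and `@content.next_update = now + 5 * 365*24*60*60` would keep `last_update` and `next_update` consistent, and `crlNum` should be `crl_num` per Ruby naming.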
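Review bot: The default `purpose = OpenSSL::X509::PURPOSE_ANY` turns off the key-usage/extended-key-usage purpose check for every caller that does not pass a purpose, so a store built with the default accepts a certificate in any role; callers verifying a server should pass `OpenSSL::X509::PURPOSE_SSL_SERVER` and callers verifying a client `OpenSSL::X509::PURPOSE_SSL_CLIENT`, or the method comment should state that the permissive default is deliberate. The CRL flags `V_FLAG_CRL_CHECK_ALL|V_FLAG_CRL_CHECK` correctly require a CRL for every certificate in the chain, which is the right choice once `Puppet[:crl]` is on. On style, `unless crl = Puppet::SSL::CertificateRevocationList.find("ca")` hides an assignment in the condition and `return store` is redundant as the last expression; `crl = Puppet::SSL::CertificateRevocationList.find("ca")` followed by `raise ArgumentError, "Could not find CRL; set 'crl' to 'false' to disable CRL usage" unless crl` and a bare `store` at the end read more clearly.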