Diffstat (limited to 'lib/puppet/ssl')
-rw-r--r-- | lib/puppet/ssl/base.rb | 17 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 9 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_authority/interface.rb | 28 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_request.rb | 2 |
4 files changed, 47 insertions, 9 deletions
diff --git a/lib/puppet/ssl/base.rb b/lib/puppet/ssl/base.rb index d67861f4b..6c74b7565 100644 --- a/lib/puppet/ssl/base.rb +++ b/lib/puppet/ssl/base.rb @@ -54,6 +54,23 @@ class Puppet::SSL::Base content.to_text end + def fingerprint(md = :MD5) + require 'openssl/digest' + + # ruby 1.8.x openssl digest constants are string + # but in 1.9.x they are symbols + mds = md.to_s.upcase + if OpenSSL::Digest.constants.include?(mds) + md = mds + elsif OpenSSL::Digest.constants.include?(mds.to_sym) + md = mds.to_sym + else + raise ArgumentError, "#{md} is not a valid digest algorithm for fingerprinting certificate #{name}" + end + + OpenSSL::Digest.hexdigest(md, content.to_der).scan(/../).join(':').upcase + end + private def wrapped_class diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb index 8e4fd7a08..9fe67cc8a 100644 --- a/lib/puppet/ssl/certificate_authority.rb +++ b/lib/puppet/ssl/certificate_authority.rb @@ -53,7 +53,7 @@ class Puppet::SSL::CertificateAuthority unless options[:to] raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all" end - applier = Interface.new(method, options[:to]) + applier = Interface.new(method, options) applier.apply(self) end @@ -291,6 +291,13 @@ class Puppet::SSL::CertificateAuthority end end + def fingerprint(name, md = :MD5) + unless cert = Puppet::SSL::Certificate.find(name) || Puppet::SSL::CertificateRequest.find(name) + raise ArgumentError, "Could not find a certificate or csr for %s" % name + end + cert.fingerprint(md) + end + # List the waiting certificate requests. def waiting? Puppet::SSL::CertificateRequest.search("*").collect { |r| r.name } diff --git a/lib/puppet/ssl/certificate_authority/interface.rb b/lib/puppet/ssl/certificate_authority/interface.rb index 3f91434e3..d2dc7b9b5 100644 --- a/lib/puppet/ssl/certificate_authority/interface.rb +++ b/lib/puppet/ssl/certificate_authority/interface.rb 
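Review bot: The new `fingerprint(md = :MD5)` defaults to MD5, a digest that is no longer collision-resistant, which is a poor choice for a value operators compare by eye to decide whether a request should be signed; a SHA-2 default such as `def fingerprint(md = :SHA256)` would be safer, changed together with the `:MD5` defaults the same commit adds in certificate_authority.rb and interface.rb. In the `elsif` branch the Symbol form is then handed to `OpenSSL::Digest.hexdigest`; I am not certain every OpenSSL binding version accepts a Symbol there, and since `mds` is already the validated upper-case String, `OpenSSL::Digest.hexdigest(mds, content.to_der)` works for both constant styles and removes the reassignment of `md`. A short comment above the `constants.include?` check would help a later reader, e.g. `# Probe both "SHA256" (ruby 1.8 constants) and :SHA256 (1.9), then hash under the validated name.`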
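Review bot: The new `CertificateAuthority#fingerprint(name, md = :MD5)` silently prefers a signed certificate over a pending CSR of the same name, and the caller cannot tell from the returned string which of the two was hashed; that precedence deserves a comment such as `# Fingerprint the signed certificate for +name+, falling back to its pending CSR; raises ArgumentError if neither exists.` Because it raises instead of returning nil, callers that test the result for truthiness never observe a miss, which matters for the Interface hunk further down this page. The `:MD5` default duplicates the one on `Puppet::SSL::Base#fingerprint`, so a change of algorithm has to be made in two places; a single shared default would keep them from drifting.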
@@ -2,11 +2,11 @@ # on the CA. It's only used by the 'puppetca' executable, and its # job is to provide a CLI-like interface to the CA class. class Puppet::SSL::CertificateAuthority::Interface - INTERFACE_METHODS = [:destroy, :list, :revoke, :generate, :sign, :print, :verify] + INTERFACE_METHODS = [:destroy, :list, :revoke, :generate, :sign, :print, :verify, :fingerprint] class InterfaceError < ArgumentError; end - attr_reader :method, :subjects + attr_reader :method, :subjects, :digest # Actually perform the work. def apply(ca) @@ -38,9 +38,10 @@ class Puppet::SSL::CertificateAuthority::Interface end end - def initialize(method, subjects) + def initialize(method, options) self.method = method - self.subjects = subjects + self.subjects = options[:to] + @digest = options[:digest] || :MD5 end # List the hosts. @@ -67,11 +68,11 @@ class Puppet::SSL::CertificateAuthority::Interface invalid = details.to_s end if not invalid and signed.include?(host) - puts "+ " + host + puts "+ #{host} (#{ca.fingerprint(host, @digest)})" elsif invalid - puts "- " + host + " (" + invalid + ")" + puts "- #{host} (#{ca.fingerprint(host, @digest)}) (#{invalid})" else - puts host + puts "#{host} (#{ca.fingerprint(host, @digest)})" end end end @@ -84,7 +85,7 @@ class Puppet::SSL::CertificateAuthority::Interface # Print certificate information. def print(ca) - (subjects == :all ? ca.list : subjects).each do |host| + (subjects == :all ? ca.list : subjects).each do |host| if value = ca.print(host) puts value else @@ -93,6 +94,17 @@ class Puppet::SSL::CertificateAuthority::Interface end end + # Print certificate information. + def fingerprint(ca) + (subjects == :all ? ca.list + ca.waiting?: subjects).each do |host| + if value = ca.fingerprint(host, @digest) + puts "#{host} #{value}" + else + Puppet.err "Could not find certificate for %s" % host + end + end + end + # Sign a given certificate. def sign(ca) list = subjects == :all ? ca.waiting? : subjects 
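Review bot: In the rewritten `initialize(method, options)` the digest is stored with `@digest = options[:digest] || :MD5` while `subjects` goes through its writer, and the `attr_reader :digest` added in the first hunk is never used, since the new `list` and `fingerprint` methods read `@digest` directly; either read `digest` in those callers or drop the reader. Nothing validates the digest name at construction time, so an unsupported value surfaces only when the first subject is fingerprinted, as an ArgumentError from `Puppet::SSL::Base#fingerprint` that names a certificate rather than the option the user passed. A comment on the assignment would make that explicit, e.g. `# Digest for fingerprints; not validated here, Base#fingerprint rejects unknown names on first use.` The `:MD5` fallback is the third copy of this default in the commit.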
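Review bot: The `else` branch of the new `fingerprint(ca)` is unreachable, because `ca.fingerprint` (certificate_authority.rb hunk on this page) raises ArgumentError when neither a certificate nor a CSR is found, so the first unknown subject aborts the whole listing instead of being reported with `Puppet.err` and skipped; the three `ca.fingerprint` calls added to `list(ca)` in the @@ -67 hunk have the same exposure. Rescuing per host keeps the intended one-line-per-subject behaviour, as below. The header comment was copied from `print` (`# Print certificate information.`) and should read `# Print the fingerprint of each certificate or pending request.`. `ca.waiting?: subjects` also wants a space before the colon so the ternary is not misread as a label-style token.
```ruby
  # Print the fingerprint of each certificate or pending request.
  def fingerprint(ca)
    (subjects == :all ? ca.list + ca.waiting? : subjects).each do |host|
      begin
        puts "#{host} #{ca.fingerprint(host, @digest)}"
      rescue ArgumentError => detail
        Puppet.err "Could not fingerprint %s: %s" % [host, detail]
      end
    end
  end
```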
diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb index 4008ababe..f18fe4a16 100644 --- a/lib/puppet/ssl/certificate_request.rb +++ b/lib/puppet/ssl/certificate_request.rb @@ -43,6 +43,8 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base raise Puppet::Error, "CSR sign verification failed; you need to clean the certificate request for %s on the server" % name unless csr.verify(key.public_key) @content = csr + Puppet.info "Certificate Request fingerprint (md5): #{fingerprint}" + @content end def save(args = {}) |
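Review bot: The info line hard-codes `(md5)` in its text but takes the algorithm from the default argument of `Puppet::SSL::Base#fingerprint`, so the message and the value drift apart the moment that default changes; pass the digest explicitly so the log cannot lie, e.g. `Puppet.info "Certificate Request fingerprint (sha256): #{fingerprint(:SHA256)}"`. This is the value an operator compares against the CA-side listing before signing, a check that is only meaningful with a collision-resistant digest. The trailing `@content` correctly restores the method's return value after the logging call, but a one-line comment such as `# keep returning the CSR now that the info line is the last statement` would stop a later cleanup from removing it. The enclosing method starts outside the hunk.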