class Puppet::SSL::Host::CertificateRevocationList

Manage the CRL.

Public Class Methods

from_s(string)

Convert a string into an instance.

# File lib/puppet/ssl/certificate_revocation_list.rb, line 17
def self.from_s(string)
  super(string, 'foo') # The name doesn't matter
end
new(fakename)

The name doesn’t actually matter; there’s only one CRL. We just need the name so our Indirector stuff all works more easily.

# File lib/puppet/ssl/certificate_revocation_list.rb, line 41
def initialize(fakename)
  @name = "crl"
end
supported_formats()

Because of how the format handler class is included, this can’t be in the base class.

# File lib/puppet/ssl/certificate_revocation_list.rb, line 23
def self.supported_formats
  [:s]
end

Public Instance Methods

generate(cert, cakey)

Knows how to create a CRL with our system defaults.

# File lib/puppet/ssl/certificate_revocation_list.rb, line 28
def generate(cert, cakey)
  Puppet.info "Creating a new certificate revocation list"

  create_crl_issued_by(cert)
  start_at_initial_crl_number
  update_valid_time_range_to_start_at(Time.now)
  sign_with(cakey)

  @content
end
revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)

Revoke the certificate with serial number SERIAL issued by this CA, then write the CRL back to disk. The REASON must be one of the OpenSSL::OCSP::REVOKED_* reason codes.

# File lib/puppet/ssl/certificate_revocation_list.rb, line 48
def revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
  Puppet.notice "Revoked certificate with serial #{serial}"
  time = Time.now

  add_certificate_revocation_for(serial, reason, time)
  update_to_next_crl_number
  update_valid_time_range_to_start_at(time)
  sign_with(cakey)

  Puppet::SSL::CertificateRevocationList.indirection.save(self)
end
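The generate and revoke sequences above, as an added stand-alone example that is not Puppet's code: it builds a constructed self-signed CA and then reproduces each step (issuer, crlNumber, validity window, reason-coded entry, re-signing) with Ruby's OpenSSL bindings. The helper names build_ca, crl_number, renumber_and_sign, generate_crl, revoke_serial and revoked_serials are this example's own, and the Indirector save step is left out.

```ruby
require 'openssl'
# Self-signed CA used only to issue and sign the CRL (constructed fixture).
def build_ca
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 86_400
  [cert.sign(key, OpenSSL::Digest.new('SHA256')), key]
end

# Current crlNumber as an integer (the same ext.value.to_i approach Puppet uses).
def crl_number(crl)
  crl.extensions.find { |e| e.oid == 'crlNumber' }.value.to_i
end

# Set crlNumber, re-stamp the validity window and re-sign; a changed CRL is only valid once the CA key signs it again.
def renumber_and_sign(crl, number, cakey, time)
  others = crl.extensions.reject { |e| e.oid == 'crlNumber' }
  crl.extensions = others << OpenSSL::X509::Extension.new('crlNumber', OpenSSL::ASN1::Integer(number))
  crl.last_update = time
  crl.next_update = time + 5 * 365 * 86_400
  crl.sign(cakey, OpenSSL::Digest.new('SHA256'))   # returns the CRL
end

# Mirrors generate: an empty v2 CRL issued by the CA, numbered 0.
def generate_crl(cacert, cakey)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1   # X.509 v2 CRL, required for extensions
  crl.issuer  = cacert.subject
  renumber_and_sign(crl, 0, cakey, Time.now)
end

# Mirrors revoke: add the serial with its reason code, bump crlNumber, re-sign.
def revoke_serial(crl, serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
  rev = OpenSSL::X509::Revoked.new
  rev.serial = OpenSSL::BN.new(serial.to_s)
  rev.time   = Time.now
  rev.add_extension(OpenSSL::X509::Extension.new('CRLReason', OpenSSL::ASN1::Enumerated(reason)))
  crl.add_revoked(rev)
  renumber_and_sign(crl, crl_number(crl) + 1, cakey, Time.now)
end

# A relying party verifies the CA signature before trusting the list.
def revoked_serials(crl, cacert)
  raise 'CRL signature does not verify' unless crl.verify(cacert.public_key)
  crl.revoked.map { |r| r.serial.to_i }
end
```

Each revocation yields a strictly increasing crlNumber, which is what a relying party uses to tell a fresh CRL from a replayed older one.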