module Puppet::SSL::CertificateFactory

This module encapsulates the logic of creating X509 certificates and adding to them the extensions appropriate to each certificate type (CA, terminal sub-CA, server, OCSP, client).

@api private

Public Class Methods

build(cert_type, csr, issuer, serial, ttl = nil)

Create a new X509 certificate and add the extensions for the requested type. The returned certificate is not yet signed: the caller signs it with the issuer's private key afterwards (the CA key for a CA-signed certificate, the certificate's own key for a self-signed CA).

@param cert_type [Symbol] The certificate type to create, which determines
  the set of extensions added to the certificate.
  One of (:ca, :terminalsubca, :server, :ocsp, :client). Any other value
  raises ArgumentError.

@param csr [Puppet::SSL::CertificateRequest] The signing request associated
  with the certificate being created. Its #content is the underlying
  OpenSSL::X509::Request, which supplies the new certificate's subject and
  public key.

@param issuer [OpenSSL::X509::Certificate, OpenSSL::X509::Request] The X509
  CSR if this is a self-signed certificate, or the X509 certificate of the
  CA if this is a CA-signed certificate. Only its subject is read here, to
  fill the new certificate's issuer field.

@param serial [Integer] The serial number for the given certificate, which
  MUST be unique for the given CA (a duplicate serial under one issuer
  breaks revocation and certificate identity).

@param ttl [Integer] The validity period of the certificate in seconds, not
  a duration string such as "1y"; a non-integer raises ArgumentError.
  Defaults to Puppet[:ca_ttl]. The validity window starts one day before
  the current time to tolerate clock skew, so the certificate is usable
  for one day longer than the ttl.

@api public

@return [OpenSSL::X509::Certificate] The unsigned certificate.

# File lib/puppet/ssl/certificate_factory.rb, line 27
def self.build(cert_type, csr, issuer, serial, ttl = nil)
  # Work out if we can even build the requested type of certificate.
  build_extensions = "build_#{cert_type.to_s}_extensions"
  respond_to?(build_extensions) or
    raise ArgumentError, "#{cert_type.to_s} is an invalid certificate type!"

  # ttl is a number of seconds; a duration string such as "1y" is rejected here.
  # (Fixnum is the integer class on the Ruby versions this code targets; it is
  # unified into Integer from Ruby 2.4 and removed in 3.2.)
  raise ArgumentError, "Certificate TTL must be an integer" unless ttl.nil? || ttl.is_a?(Fixnum)

  # set up the certificate, and start building the content.
  cert = OpenSSL::X509::Certificate.new

  cert.version    = 2 # X509v3
  cert.subject    = csr.content.subject
  cert.issuer     = issuer.subject
  cert.public_key = csr.content.public_key
  cert.serial     = serial

  # Make the certificate valid as of yesterday, because so many people's
  # clocks are out of sync.  This gives one more day of validity than people
  # might expect, but is better than making every person who has a messed up
  # clock fail, and better than having every cert we generate expire a day
  # before the user expected it to when they asked for "one year".
  cert.not_before = Time.now - (60*60*24)
  cert.not_after  = Time.now + (ttl || Puppet[:ca_ttl])

  add_extensions_to(cert, csr, issuer, send(build_extensions))

  return cert
end
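The following is an added, stand-alone Ruby example and not Puppet's own code. It mirrors the shape of build above with a small hand-written extension table for the :ca, :server and :client types (the per-type extension sets are this example's assumptions, not the output of the factory's build_*_extensions methods), issues a CA certificate and one host certificate from it, signs both outside the builder as Puppet's CA does, and verifies the resulting chain with an OpenSSL::X509::Store. It also exercises the two rejections build makes, an unknown certificate type and a non-integer TTL. The names make_csr, build_cert, issue_chain and rejection_message are the example's own.

```ruby
require 'openssl'

# Per-type extension lists as [oid, value, critical]. These are assumptions
# for the example, loosely modelled on the factory's :ca / :server / :client
# types; they are not copied from Puppet's own extension tables.
TYPE_EXTENSIONS = {
  ca: [
    ['basicConstraints', 'CA:TRUE', true],
    ['keyUsage', 'keyCertSign, cRLSign', true],
    ['subjectKeyIdentifier', 'hash', false],
  ],
  server: [
    ['basicConstraints', 'CA:FALSE', true],
    ['keyUsage', 'digitalSignature, keyEncipherment', true],
    ['extendedKeyUsage', 'serverAuth, clientAuth', false],
    ['subjectKeyIdentifier', 'hash', false],
    ['authorityKeyIdentifier', 'keyid:always', false],
  ],
  client: [
    ['basicConstraints', 'CA:FALSE', true],
    ['keyUsage', 'digitalSignature, keyEncipherment', true],
    ['extendedKeyUsage', 'clientAuth', false],
    ['subjectKeyIdentifier', 'hash', false],
    ['authorityKeyIdentifier', 'keyid:always', false],
  ],
}.freeze

ONE_DAY = 60 * 60 * 24

# Build a CSR for +cn+ signed with +key+; stands in for the request an agent
# would submit. The subject is a constructed sample value.
def make_csr(key, cn)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Mirror of the factory's build. +issuer+ is the CSR itself for a self-signed
# CA, or the CA certificate otherwise. Returns an UNSIGNED certificate; the
# caller signs it with the issuer's key, exactly as with the factory.
def build_cert(cert_type, csr, issuer, serial, ttl)
  exts = TYPE_EXTENSIONS.fetch(cert_type) do
    raise ArgumentError, "#{cert_type} is an invalid certificate type!"
  end
  raise ArgumentError, 'Certificate TTL must be an integer' unless ttl.is_a?(Integer)

  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X509v3
  cert.subject    = csr.subject
  cert.issuer     = issuer.subject
  cert.public_key = csr.public_key
  cert.serial     = serial
  cert.not_before = Time.now - ONE_DAY # backdated to tolerate skewed clocks
  cert.not_after  = Time.now + ttl     # ttl is seconds

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  # A self-signed CA is its own issuer for key-identifier purposes.
  ef.issuer_certificate = issuer.is_a?(OpenSSL::X509::Certificate) ? issuer : cert
  exts.each do |oid, value, critical|
    cert.add_extension(ef.create_extension(oid, value, critical))
  end
  cert
end

# Issue a CA and one server certificate under it, sign both, verify the chain.
# Serials 1 and 2 are distinct because they share the same issuer.
def issue_chain(ttl = 365 * ONE_DAY)
  digest  = OpenSSL::Digest.new('SHA256')
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca_csr  = make_csr(ca_key, 'Puppet CA: puppet.example')
  ca_cert = build_cert(:ca, ca_csr, ca_csr, 1, ttl)
  ca_cert.sign(ca_key, digest)

  host_key  = OpenSSL::PKey::RSA.new(2048)
  host_csr  = make_csr(host_key, 'agent01.example')
  host_cert = build_cert(:server, host_csr, ca_cert, 2, ttl)
  host_cert.sign(ca_key, digest)

  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  { ca: ca_cert, host: host_cert, chain_ok: store.verify(host_cert) }
end

# Returns the ArgumentError message build_cert raises for bad input, or nil.
def rejection_message(cert_type, ttl)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = make_csr(key, 'probe.example')
  build_cert(cert_type, csr, csr, 99, ttl)
  nil
rescue ArgumentError => e
  e.message
end
```

Two things worth noticing when running it: the host certificate's not_before is already a day in the past at issuance, so anything that treats not_before as the issuance time will be a day off, and the TTL must be supplied in seconds, which is why a value like "1y" is rejected rather than parsed.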