class Puppet::SSL::Configuration

Puppet::SSL::Configuration is intended to separate out the following concerns:

CA certificates that authenticate peers (#ca_auth_file)
CA certificates that build trust but do not authenticate (#ca_chain_file)
Who clients trust as distinct from who servers trust. We should not assume one single self signed CA cert for everyone.

Public Instance Methods

ca_auth_certificates() click to toggle source

#ca_auth_certificates returns an Array of OpenSSL::X509::Certificate instances intended to be used in the connection verify_callback. This method loads and parses the {ca_auth_file} from the filesystem.

@api private

@return [Array<OpenSSL::X509::Certificate>]

# File lib/puppet/ssl/configuration.rb, line 40
def ca_auth_certificates
  @ca_auth_certificates ||= decode_cert_bundle(read_file(ca_auth_file))
end

ca_auth_file() click to toggle source

The #ca_auth_file method is intended to return the PEM bundle of CA certs used to authenticate peer connections.

# File lib/puppet/ssl/configuration.rb, line 28
def ca_auth_file
  @ca_auth_file || @localcacert
end

ca_chain_file() click to toggle source

The #ca_chain_file method is intended to return the PEM bundle of CA certs establishing trust but not used for peer authentication.

# File lib/puppet/ssl/configuration.rb, line 22
def ca_chain_file
  @ca_chain_file || ca_auth_file
end

Public Class Methods

new(localcacert, options={}) click to toggle source

# File lib/puppet/ssl/configuration.rb, line 11
def initialize(localcacert, options={})
  if (options[:ca_chain_file] and not options[:ca_auth_file])
    raise ArgumentError, "The CA auth chain is required if the chain file is provided"
  end
  @localcacert = localcacert
  @ca_chain_file = options[:ca_chain_file]
  @ca_auth_file = options[:ca_auth_file]
end