
Google has deprecated sha1 for certs #36

Closed
edestecd opened this issue Dec 10, 2014 · 4 comments · Fixed by #43

@edestecd
Contributor

Google Chrome will stop trusting SHA1 after Jan 2017:
http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

Suggest changing the default in: puppet-openssl/templates/cert.cnf.erb
to sha256

@raphink
Member

raphink commented Mar 25, 2015

@cjeanneret care to comment on that?

@lathiat

lathiat commented Mar 31, 2015

Pull request for this above, this change is working for me.

I was trying to write a test to verify this behaviour, however as it is handled inside the openssl binary we can't simply trap the existing calls as best I can tell. I'd need to re-open the file and verify the signature, and it was not clear for me how to do this.

If someone can guide me to running a command and verifying the output I'd gladly add it in.

Example verification:
openssl req -in subject.csr -noout -text | grep "Signature Algorithm"
Signature Algorithm: sha256WithRSAEncryption

In the meantime, if you want to work around this issue, you can simply clone cert.cnf.erb into your module/manifest and then pass cnf_tpl to openssl::certificate::x509.

@cjeanneret
Contributor

No real meaning for a unit-test on this particular point. It might have been a variable though, but enforcing good practices is better.
I'm pretty sure this kind of test cannot be done as a "standard unit-test", but with an acceptance test, where puppet is really applied, creating files and so on so that we can check them "in place". Basically, the acceptance test would call ruby native SSL lib in order to get certificate info. Maybe a bit overkill in this case ;).
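
The check both comments above describe (lathiat's wish to reopen the generated file and verify its signature algorithm, and cjeanneret's suggestion of an acceptance test using Ruby's native OpenSSL binding) can be written in a few lines of Ruby. The following is an added example, not code from this thread or from the puppet-openssl module: it parses a constructed stand-in for the rendered cert.cnf.erb (the real template is not reproduced here) to confirm `default_md` in the `[ req ]` section is sha256, then builds a self-signed certificate in memory, reopens it from PEM the way a test would read a file Puppet wrote, and reports the signature algorithm, which is the same value `openssl x509 -noout -text | grep "Signature Algorithm"` prints. The subject CN and the config contents are constructed sample values.

```ruby
require 'openssl'

# Constructed stand-in for a rendered cert.cnf.erb (hypothetical content,
# not the module's real template). The line under test is default_md.
SAMPLE_CNF = <<~CNF
  [ req ]
  default_bits       = 2048
  default_md         = sha256   # the value this issue asks for
  distinguished_name = req_distinguished_name
  prompt             = no

  [ req_distinguished_name ]
  CN = example.test
CNF

# Return the value of default_md in the [ req ] section of an OpenSSL
# config, or nil if it is not set there. Comments and blank lines are skipped.
def default_md_from_cnf(cnf_text)
  section = nil
  cnf_text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    if (m = line.match(/\A\[\s*(\S+)\s*\]\z/))
      section = m[1]
      next
    end
    key, value = line.split('=', 2).map(&:strip)
    return value if section == 'req' && key == 'default_md'
  end
  nil
end

# Build a self-signed certificate signed with the named digest and return
# its PEM text, standing in for the file an acceptance test would read back.
def build_self_signed_pem(digest_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=example.test') # constructed
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert.to_pem
end

# Reopen a PEM certificate and report its signature algorithm, e.g.
# "sha256WithRSAEncryption"; this is the check lathiat asked about.
def signature_algorithm_of(pem)
  OpenSSL::X509::Certificate.new(pem).signature_algorithm
end

# True when the certificate still carries a SHA-1 signature.
def weak_signature?(pem)
  signature_algorithm_of(pem).downcase.include?('sha1')
end

if __FILE__ == $PROGRAM_NAME
  puts "default_md in [ req ]: #{default_md_from_cnf(SAMPLE_CNF)}"
  pem = build_self_signed_pem('SHA256')
  puts "Signature Algorithm: #{signature_algorithm_of(pem)}"
  puts(weak_signature?(pem) ? 'WEAK: still SHA-1' : 'OK: not SHA-1')
end
```

In an acceptance test the PEM would come from `File.read` on the path Puppet managed rather than from `build_self_signed_pem`; the two functions that matter for the assertion, `default_md_from_cnf` and `signature_algorithm_of`, are unchanged by that swap.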

@lathiat

lathiat commented Mar 31, 2015

Thanks for merging, and the notes about the test.
