Ability to generate x509 certificates with extKeyUsage #96
Conversation
|
OK, the build is OK for ruby 2.1.9, but fails for ruby 2.4.1 apparently from previous stuff, I would have little ideas on how to fix at the moment. |
manifests/certificate/x509.pp
Outdated
| @@ -115,7 +131,7 @@ | |||
| $_csr = pick($csr, "${_csr_dir}/${name}.csr") | |||
| $_key = pick($key, "${_key_dir}/${name}.key") | |||
|
|
|||
| if !empty($altnames) { | |||
| if (!empty($altnames)) or (!empty($extkeyusage)) { | |||
There was a problem hiding this comment.
or maybe !empty($altnames+$extkeyusage) would work?
There was a problem hiding this comment.
It does work. Changed as advised, thanks.
templates/cert.cnf.erb
Outdated
| @@ -14,7 +14,7 @@ default_md = sha256 | |||
| default_keyfile = privkey.pem | |||
| distinguished_name = req_distinguished_name | |||
| prompt = no | |||
| <% if @altnames and not @altnames.empty? -%> | |||
| <% if (@altnames and not @altnames.empty?) || (@extkeyusage and not @extkeyusage.empty?) -%> | |||
There was a problem hiding this comment.
It might be easier to create a variable for that (e.g. Boolean use_req) in the Puppet code.
manifests/certificate/x509.pp
Outdated
| @@ -118,6 +118,7 @@ | |||
| Boolean $force = true, | |||
| String $cnf_tpl = 'openssl/cert.cnf.erb', | |||
| Boolean $encrypted = true, | |||
| Boolean $use_req, | |||
There was a problem hiding this comment.
Actually, the idea was that $use_req would be a dynamic variable, not a parameter.
Typically, it would be $use_req = !empty($altnames+$extkeyusage) since that seems to define whether to use req_extensions.
There was a problem hiding this comment.
OK. So I guess I didn't really see the need to have that on top of having req_ext already. Since it is my first attempt, I assumed (wrongly) that the scope of req_ext was not suitable. I re-submitted taking out completely use_req and use the existing req_ext as to me the semantic of the variable is pretty much the same.
Apologies for the whole mess for this little thing. I am however making sure to remember all that stuff for later. Thanks for your guidance.
… it bears the same semantic to me
| @@ -115,7 +131,7 @@ | |||
| $_csr = pick($csr, "${_csr_dir}/${name}.csr") | |||
| $_key = pick($key, "${_key_dir}/${name}.key") | |||
|
|
|||
| if !empty($altnames) { | |||
| if !empty($altnames+$extkeyusage) { | |||
There was a problem hiding this comment.
Ah right, I hadn't seen that this already existed. Although I think $req_ext = !empty($altnames+$extkeyusage) would do exactly the same.
There was a problem hiding this comment.
Yes you're right. I just didn't touch that code in the end, and left it in its previous state.
There was a problem hiding this comment.
OK, let's leave that for later ;-)
Hi,
A small contribution to be able to generate certificates with extkeyusage (i.e. my use was for clientAuth and serverAuth).
Thank you.
Best,
fred