Skip to content

Instantly share code, notes, and snippets.

@h0tw1r3
Last active Aug 3, 2017
Embed
What would you like to do?
Puppet CA subjectAltName support (RFC 3280 4.2.1.7, 1. paragraph)
file { "puppet-ca-subjectaltname-patch":
path => "${::rubysitedir}/puppet/vendor/load_ca_hack.rb",
mode => '0644',
source => "puppet:///files/puppet/load_ca_hack.rb",
notify => Service[puppetmaster],
}
require 'puppet/ssl/certificate_factory'
# subjectAltName must always be used (RFC 3280 4.2.1.7, 1. paragraph)
# patch ensures it does, and if subject-alt-name is specified, it
# always includes the cert.name (hostname)
module Puppet::SSL::CertificateFactory
class <<self
alias __add_extensions_to add_extensions_to
private :__add_extensions_to
end
def self.add_extensions_to(cert, csr, issuer, extensions)
unless issuer.is_a?(OpenSSL::X509::Request)
requested_exts = csr.request_extensions.inject({}) do |hash, re|
if re["oid"] == 'subjectAltName'
names = re["value"].split(/\s*,\s*/).map(&:strip) + ["DNS:#{csr.name}"]
re["value"] = names.sort.uniq.join(", ")
end
hash[re["oid"]] = [re["value"], re["critical"]]
hash
end
unless requested_exts.key?("subjectAltName")
extensions["subjectAltName"] = ["DNS:#{csr.name}", nil]
end
end
self.__add_extensions_to(cert, csr, issuer, extensions)
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment