Puppet CA subjectAltName support (RFC 3280 4.2.1.7, 1. paragraph)

init.pp

file { "puppet-ca-subjectaltname-patch":
  path   => "${::rubysitedir}/puppet/vendor/load_ca_hack.rb",
  mode   => '0644',
  source => "puppet:///files/puppet/load_ca_hack.rb",
  notify => Service[puppetmaster],
}

load_ca_patch.rb

require 'puppet/ssl/certificate_factory'

# subjectAltName must always be used (RFC 3280 4.2.1.7, 1. paragraph)
# patch ensures it does, and if subject-alt-name is specified, it
# always includes the cert.name (hostname)

module Puppet::SSL::CertificateFactory
  class <<self
    alias __add_extensions_to add_extensions_to
    private :__add_extensions_to
  end

  def self.add_extensions_to(cert, csr, issuer, extensions)
    unless issuer.is_a?(OpenSSL::X509::Request)
      requested_exts = csr.request_extensions.inject({}) do |hash, re|
        if re["oid"] == 'subjectAltName'
          names = re["value"].split(/\s*,\s*/).map(&:strip) + ["DNS:#{csr.name}"]
          re["value"] = names.sort.uniq.join(", ")
        end
        hash[re["oid"]] = [re["value"], re["critical"]]
        hash
      end
      unless requested_exts.key?("subjectAltName")
        extensions["subjectAltName"] = ["DNS:#{csr.name}", nil]
      end
    end
    self.__add_extensions_to(cert, csr, issuer, extensions)
  end
end