password encryption: switch from des3->aes-256-cbc

This updates the algorithm for password encryption in certificates from
the outdated des3 to aes-256-cbc.

lib/puppet/provider/ssl_pkey/openssl.rb

@@ -25,7 +25,7 @@ def self.generate_key(resource)
 
   def self.to_pem(resource, key)
     if resource[:password]
-      cipher = OpenSSL::Cipher.new('des3')
+      cipher = OpenSSL::Cipher.new('aes-256-cbc')
       key.to_pem(cipher, resource[:password])
     else
       key.to_pem

spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb

@@ -42,7 +42,7 @@
       it 'creates with given password' do
         resource[:password] = '2x$5{'
         allow(OpenSSL::PKey::RSA).to receive(:new).with(2048).and_return(key)
-        allow(OpenSSL::Cipher).to receive(:new).with('des3')
+        allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
         expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
         resource.provider.create
       end
@@ -72,7 +72,7 @@
         resource[:authentication] = :rsa
         resource[:password] = '2x$5{'
         allow(OpenSSL::PKey::RSA).to receive(:new).with(2048).and_return(key)
-        allow(OpenSSL::Cipher).to receive(:new).with('des3')
+        allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
         expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
         resource.provider.create
       end
@@ -102,7 +102,7 @@
         resource[:authentication] = :dsa
         resource[:password] = '2x$5{'
         allow(OpenSSL::PKey::DSA).to receive(:new).with(2048).and_return(key)
-        allow(OpenSSL::Cipher).to receive(:new).with('des3')
+        allow(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
         expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
         resource.provider.create
       end