diff --git a/REFERENCE.md b/REFERENCE.md
index 8dcb94a6..4cbbdf3d 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -358,7 +358,6 @@ The following parameters are available in the `openssl::certificate::x509` defin
* [`key_mode`](#-openssl--certificate--x509--key_mode)
* [`password`](#-openssl--certificate--x509--password)
* [`force`](#-openssl--certificate--x509--force)
-* [`cnf_tpl`](#-openssl--certificate--x509--cnf_tpl)
* [`cnf_dir`](#-openssl--certificate--x509--cnf_dir)
* [`crt_dir`](#-openssl--certificate--x509--crt_dir)
* [`csr_dir`](#-openssl--certificate--x509--csr_dir)
@@ -542,14 +541,6 @@ if private key changes
Default value: `true`
-##### `cnf_tpl`
-
-Data type: `String`
-
-Specify an other template to generate ".cnf" file.
-
-Default value: `'openssl/cert.cnf.erb'`
-
##### `cnf_dir`
Data type: `Optional[Stdlib::Absolutepath]`
@@ -719,7 +710,7 @@ value for organization
##### `owner`
-Data type: `String[1]`
+Data type: `Variant[String[1],Integer]`
owner for the configuration file
@@ -727,7 +718,7 @@ Default value: `'root'`
##### `group`
-Data type: `String[1]`
+Data type: `Variant[String[1],Integer]`
group for the configuration file
diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
index f1c40f16..affb2c24 100644
--- a/lib/puppet/provider/x509_cert/openssl.rb
+++ b/lib/puppet/provider/x509_cert/openssl.rb
@@ -73,7 +73,8 @@ def create
'-req',
'-days', resource[:days],
'-in', resource[:csr],
- '-out', resource[:path]
+ '-out', resource[:path],
+ '-extfile', resource[:template]
]
if resource[:ca]
options << ['-CAcreateserial']
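Review bot: `-extfile` is now always placed in the `-req` argument list while `-extensions 'v3_req'` (the second hunk of this file, the line after the `-passin` option) remains gated on `resource[:req_ext] != :false`, so for a resource with `req_ext` disabled openssl still loads the template and, with no section named, looks for an `extensions` key or falls back to the file's default section, which as far as I recall either fails to load or adds extensions the caller did not opt into. Keeping the two options together restores a clean "no extensions" path: drop `'-extfile', resource[:template]` from the literal and add `options << ['-extfile', resource[:template]] if resource[:req_ext] != :false` inside the same branch that builds the `-req` arguments (the `-extfile` option belongs to `x509 -req` only, so it must not leak into the self-signed branch). If `resource[:template]` can be unset, the unconditional form also puts a `nil` into the argument list; the type declaration is not in the diff, so that is an assumption to check. `create` begins and ends outside these hunks.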
@@ -91,7 +92,7 @@ def create
]
end
options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
- options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false
+ options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
openssl options
end
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index 44b5d276..566b6ae2 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -58,8 +58,6 @@
# @param force
# whether to override certificate and request
# if private key changes
-# @param cnf_tpl
-# Specify an other template to generate ".cnf" file.
# @param cnf_dir
# where cnf should be placed.
# Directory must exist, defaults to $base_dir.
@@ -146,7 +144,6 @@
String $key_mode = '0600',
Optional[String] $password = undef,
Boolean $force = true,
- String $cnf_tpl = 'openssl/cert.cnf.erb',
Boolean $encrypted = true,
Optional[Stdlib::Absolutepath] $ca = undef,
Optional[Stdlib::Absolutepath] $cakey = undef,
@@ -168,43 +165,43 @@
$req_ext = false
}
- file { $_cnf:
- ensure => $ensure,
- owner => $owner,
- group => $group,
- content => template($cnf_tpl),
- }
-
ssl_pkey { $_key:
ensure => $ensure,
password => $password,
size => $key_size,
}
-
- x509_cert { $_crt:
- ensure => $ensure,
- template => $_cnf,
- private_key => $_key,
- days => $days,
- password => $password,
- req_ext => $req_ext,
- force => $force,
- require => File[$_cnf],
- ca => $ca,
- cakey => $cakey,
- csr => $csr,
+ ~> openssl::config { $_cnf:
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ commonname => $commonname,
+ country => $country,
+ state => $state,
+ locality => $locality,
+ organization => $organization,
+ unit => $unit,
+ email => $email,
+ extendedkeyusages => $extkeyusage,
+ subjectaltnames => $altnames,
}
-
- x509_request { $_csr:
+ ~> x509_request { $_csr:
ensure => $ensure,
template => $_cnf,
private_key => $_key,
password => $password,
force => $force,
encrypted => $encrypted,
- require => File[$_cnf],
- subscribe => File[$_cnf],
- notify => X509_cert[$_crt],
+ }
+ ~> x509_cert { $_crt:
+ ensure => $ensure,
+ template => $_cnf,
+ csr => $_csr,
+ days => $days,
+ password => $password,
+ req_ext => $req_ext,
+ force => $force,
+ ca => $ca,
+ cakey => $cakey,
}
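Review bot: `$req_ext` (derived just above the hunk) is still forwarded to `x509_cert`, where the provider now selects the `v3_req` section, but nothing in the new `openssl::config` call tells the config which extension section to render; it only receives `extendedkeyusages` and `subjectaltnames`. If `openssl::config` writes a `[ v3_req ]` section exactly when one of those is non-empty this lines up with `$req_ext`, but that coupling is implicit and lives in another file, so a comment on the `x509_cert` block such as `# req_ext must agree with whether openssl::config emitted a v3_req section` would make it visible. The `~>` chain also deserves a one-line comment stating the intent (a key change regenerates the config, CSR and certificate in turn), since the explicit `subscribe`/`notify` it replaces made that readable. The define's body continues past the hunk.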
# Set owner of all files
diff --git a/manifests/config.pp b/manifests/config.pp
index 7ee64d48..ba70064c 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -51,8 +51,8 @@
String[1] $country,
String[1] $organization,
Enum['absent','present'] $ensure = 'present',
- String[1] $owner = 'root',
- String[1] $group = 'root',
+ Variant[String[1],Integer] $owner = 'root',
+ Variant[String[1],Integer] $group = 'root',
String[1] $mode = '0640',
Optional[String[1]] $state = undef,
Optional[String[1]] $locality = undef,
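Review bot: `Variant[String[1],Integer]` for `$owner` and `$group` also accepts negative integers, which no uid or gid can be and which would only be rejected by the file resource at apply time; `Integer[0]` states the intent at the type level: `Variant[String[1],Integer[0]] $owner = 'root',` and likewise for `$group`. The matching REFERENCE.md entries in this commit would need the same text. The define's parameter list begins outside the hunk.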
diff --git a/spec/defines/openssl_certificate_x509_spec.rb b/spec/defines/openssl_certificate_x509_spec.rb
index bec4434d..48119b22 100644
--- a/spec/defines/openssl_certificate_x509_spec.rb
+++ b/spec/defines/openssl_certificate_x509_spec.rb
@@ -407,7 +407,7 @@
is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
ensure: 'present',
template: '/etc/ssl/certs/foo.cnf',
- private_key: '/etc/ssl/certs/foo.key',
+ csr: '/etc/ssl/certs/foo.csr',
days: 365,
password: nil,
force: true
@@ -486,9 +486,15 @@
).with_content(
%r{emailAddress\s+=\s+contact@foo\.com}
).with_content(
- %r{subjectAltName\s+=\s+"DNS: a\.com, DNS: b\.com, DNS: c\.com"}
+ %r{extendedKeyUsage\s+=\s+serverAuth,\s+clientAuth}
+ ).with_content(
+ %r{subjectAltName\s+=\s+@alt_names}
+ ).with_content(
+ %r{DNS\.0\s+=\s+a\.com}
).with_content(
- %r{extendedKeyUsage\s+=\s+"serverAuth, clientAuth"}
+ %r{DNS\.1\s+=\s+b\.com}
+ ).with_content(
+ %r{DNS\.2\s+=\s+c\.com}
)
}
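Review bot: The rewritten expectations check the `DNS.n` entries and `extendedKeyUsage` but nothing asserts what the provider now relies on: `-extensions v3_req` needs a `[ v3_req ]` section (and, for the CSR path, a `req_extensions` pointing at it) in the rendered cnf. Adding `.with_content(%r{\[\s*v3_req\s*\]})` to this example would catch a config template that renders the values without the section header; the section name is inferred from the provider change, so confirm it against `openssl::config`'s template. The enclosing `it` block starts before the hunk.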
@@ -504,7 +510,7 @@
is_expected.to contain_x509_cert('/tmp/foobar/foo.crt').with(
ensure: 'present',
template: '/tmp/foobar/foo.cnf',
- private_key: '/tmp/foobar/foo.key',
+ csr: '/tmp/foobar/foo.csr',
days: 4567,
password: '5r$}^',
force: false
diff --git a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
index 7cc759c7..2ce29fb9 100644
--- a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
+++ b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
@@ -34,7 +34,7 @@
'-days', 3650,
'-key', '/tmp/foo.key',
'-out', '/tmp/foo.crt',
- ['-extensions', 'req_ext']
+ ['-extensions', 'v3_req']
])
resource.provider.create
end
@@ -51,7 +51,7 @@
'-key', '/tmp/foo.key',
'-out', '/tmp/foo.crt',
['-passin', 'pass:2x6${'],
- ['-extensions', 'req_ext']
+ ['-extensions', 'v3_req']
])
resource.provider.create
end
@@ -69,10 +69,11 @@
'-days', 3650,
'-in', '/tmp/foo.csr',
'-out', '/tmp/foo.crt',
+ '-extfile', '/tmp/foo.cnf',
['-CAcreateserial'],
['-CA', '/tmp/foo-ca.crt'],
['-CAkey', '/tmp/foo-ca.key'],
- ['-extensions', 'req_ext']
+ ['-extensions', 'v3_req']
])
resource.provider.create
end
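Review bot: All three updated examples run with `req_ext` enabled (each expects `['-extensions', 'v3_req']`), so the new unconditional `-extfile` argument in the CSR branch is never exercised with `req_ext: false`, as far as is visible here. An example for the `-in`/`-CA` variant with `req_ext: false` should pin whether `-extfile '/tmp/foo.cnf'` is expected on that command line, since that combination is the one most likely to behave differently from the pre-change invocation.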
diff --git a/templates/cert.cnf.erb b/templates/cert.cnf.erb
deleted file mode 100644
index 5f1fed13..00000000
--- a/templates/cert.cnf.erb
+++ /dev/null
@@ -1,46 +0,0 @@
-# file managed by puppet
-#
-# SSLeay example configuration file.
-#
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-RANDFILE = $ENV::HOME/.rnd
-
-[ req ]
-default_bits = 2048
-default_md = sha256
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-prompt = no
-<% if @req_ext == true -%>
-req_extensions = req_ext
-<% end -%>
-
-[ req_distinguished_name ]
-countryName = <%= @country %>
-<% unless @state.nil? -%>
-stateOrProvinceName = <%= @state %>
-<% end -%>
-<% unless @locality.nil? -%>
-localityName = <%= @locality %>
-<% end -%>
-organizationName = <%= @organization %>
-<% unless @unit.nil? -%>
-organizationalUnitName = <%= @unit %>
-<% end -%>
-commonName = <%= @commonname %>
-<% unless @email.nil? -%>
-emailAddress = <%= @email %>
-<% end -%>
-
-<% if @req_ext == true -%>
-[ req_ext ]
-<% unless @altnames.empty? -%>
-subjectAltName = "<%= @altnames.collect! {|i| "DNS: #{i}" }.join(', ') -%>"
-<% end -%>
-<% unless @extkeyusage.empty? -%>
-extendedKeyUsage = "<%= @extkeyusage.collect! {|x| "#{x}" }.join(', ') -%>"
-<% end -%>
-<% end -%>