add ability to certificate provider to get signed against a CA cert #153
Uhm, no idea why the static validation is failing. Does anyone have suggestions?
@zilchms the CI report says:
Make sure your bundle is up-to-date and re-generate the doc:
@zilchms is this ready for review or still a draft?
I would say this needs some validation checks on the inputs and rspec tests. However, I have never written any rspec tests and that would need some (or a lot, depending on life stuff) time to finish.
OK, so, a couple of things: there seems to be some more stuff that is inconsistent or needs to be addressed. As the x509 req command builds the certificate request while building the cert, once we change the command we need to be able to pass the CSR to the cert via parameter. This should hopefully be no problem, as the certificate::x509 class already ensures the CSR is created. For some of the previously used parameters, the openssl x509 command has no equivalents (as far as I could tell). Maybe someone wants to have a look at that, so I didn't overlook something. For now I am going to have a look at the rspec tests.
This unfortunately only duct-tapes the CA signing onto the x509_cert provider. And signing the cert against a CA needs a CSR to be specified. I know the solution is not really clean, however it preserves backwards compatibility. To clean this up, the openssl::certificate::x509 class should always hand the CSR it generates through to the crt it tries to generate. I can provide the relevant pull request for this, should this PR go through, just let me know. Edit: currently extkeyusage, altnames and other config-specific functionalities don't work in conjunction with CA signing for the openssl::certificate::x509 class. This would require the openssl::certificate::x509 class to hand the CSR to the crt provider as mentioned above.
@bastelfreak @smortex maybe one of you finds the time to review this? :)
…and openssl::certificate::x509
…ate comments and removal of unused private key parameter for x509_cert type
Pull Request (PR) description
This pull request addresses parts of #152 and should allow users to provide a CA certificate and key to sign generated certificates.
This Pull Request (PR) fixes the following issues
n/a
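
What signing a CSR against a CA involves, shown with Ruby's standard `openssl` library as an added example: this is not the provider code from this PR, and the CA name, host name and helper names (`make_ca`, `make_csr`, `sign_csr`, `chains_to?`) are constructed for illustration. The CSR supplies the subject and public key, the CA key produces the signature, and the result is checked against a trust store.

```ruby
require 'openssl'

DIGEST = 'SHA256'

# Constructed throwaway CA for the demo (hypothetical name, not from the PR).
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# The CSR carries subject and public key, self-signed with the subject's own key.
def make_csr(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(DIGEST))
  csr
end

# Issue a certificate for the CSR, signed by the CA key instead of the subject key.
def sign_csr(csr, ca_key, ca_cert, serial: 2, ttl: 3600)
  raise ArgumentError, 'CSR self-signature does not verify' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + ttl
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# True only if the certificate chains to the given CA certificate.
def chains_to?(cert, ca_cert)
  OpenSSL::X509::Store.new.add_cert(ca_cert).verify(cert)
end
```

Nothing in `sign_csr` copies extensions from the CSR; a signer that wants subjectAltName or extendedKeyUsage on the issued certificate has to add them explicitly.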