use private key when creating x509 cert #170
Conversation
If there is a CAKey then use that, otherwise use a private key.
|
Sorry to get back to this so late. Why would you want to pass the key parameter when you are already passing the csr parameter? My understanding is that we have 2 cases here:
Am i wrong there? Do you see this differently? |
|
It's been some time since I worked on this at my job but I believe this code change was for the first use case you mentioned. Without the change, puppet happily attempt to create a certificate with OpenSSL but will error because no key was specified. |
| @@ -80,6 +80,8 @@ def create | |||
| options << ['-CAcreateserial'] | |||
| options << ['-CA', resource[:ca]] | |||
| options << ['-CAkey', resource[:cakey]] | |||
| else | |||
| options << ['-key', resource[:private_key]] | |||
There was a problem hiding this comment.
In 268ae1c the -signkey option was added, which is an alias for -key. So I think this is now redundant
| ensure => $ensure, | ||
| template => $_cnf, | ||
| csr => $_csr, | ||
| private_key => $_key, |
There was a problem hiding this comment.
This isn't part of the current code. It happens to work now because private_key defaults to the same value as $_key defaults to. If a user passes in $key it will fail, so this is still needed.
Pull Request (PR) description
Fixes usage of
openssl::certificate::x509where the private key was not passed into OpenSSL correctly. This could collide with L83 inlib/puppet/provider/x509_cert/openssl.rbbut I don't have time to test this use case.