Puppet Function: cd4peadm::generate_cert_chain

Defined in:
lib/puppet/functions/cd4peadm/generate_cert_chain.rb
Function type:
Ruby 4.x API

Overview

cd4peadm::generate_cert_chain(String $hostname)Any

Parameters:

  • hostname (String)

Returns:

  • (Any) 


4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
 
# File 'lib/puppet/functions/cd4peadm/generate_cert_chain.rb', line 4

Puppet::Functions.create_function(:'cd4peadm::generate_cert_chain') do

  dispatch :generate do
    param 'String', :hostname
  end

  def generate(hostname)
    ca_key = create_private_key
    ca_cert = create_self_signed_ca(ca_key, "/CN=CD4PE CA: #{hostname}")
    ca_crl = create_crl_for(ca_cert, ca_key)

    host_key = create_private_key
    host_csr = create_csr(host_key, "/CN=#{hostname}")
    host_cert = sign(hostname, ca_key, ca_cert, host_csr)

    {
      "crl" => "#{ca_crl}",
      "private_key" => "#{host_key}",
      "cert_chain" => "#{host_cert}#{ca_cert}"
    }
  end

  # The minimum recommended length is 2048, 4096 is more future-proof
  PRIVATE_KEY_LENGTH = 4096

  # Used for cert expiration periods. 15 years is chosen arbitrarily,
  # long enough that users won't have to deal with refreshing for
  # a while. The `regen_certificates` plan can be used to refresh
  # certs if needed.
  FIFTEEN_YEARS_SECONDS = 15 * 365 * 24 * 60 * 60

  # Indicates that a certificate can be used as an SSL server certificate
  # http://oidref.com/1.3.6.1.5.5.7.3.1
  SSL_SERVER_CERT_OID = "1.3.6.1.5.5.7.3.1"

  CA_EXTENSIONS = [
    # Marks the cert as a certificate authority, rather than
    # an end entity certificate, used for identifying a server
    ["basicConstraints", "CA:TRUE", true],
    # Defines the purpose of the public key contained in the cert,
    # in this case signing other certs and CRLs
    ["keyUsage", "keyCertSign, cRLSign", true],
    # Used as an ID for this cert
    ["subjectKeyIdentifier", "hash", false],
    # Used to identify the cert used to sign this cert
    ["authorityKeyIdentifier", "keyid:always", false]
  ]
  SERVER_EXTENSIONS = [
    # Defines the purpose of the public key contained in the cert,
    # in this case encryption and signing things (not other certs)
    ["keyUsage", "digitalSignature,keyEncipherment", true],
    # Used as an ID for this cert
    ["subjectKeyIdentifier", "hash", false],
    # Used to identify the cert used to sign this cert.
    # Should match the subjectKeyIdentifier of the CA cert
    ["authorityKeyIdentifier", "keyid:always", false],
    # Additional uses for the public key in this cert,
    # in this case, acting as an SSL server
    ["extendedKeyUsage", "#{SSL_SERVER_CERT_OID}", true],
  ]

  # Recommended signing algorithm as of 2024
  DEFAULT_SIGNING_DIGEST = OpenSSL::Digest::SHA256.new

  def create_private_key
    OpenSSL::PKey::RSA.new(PRIVATE_KEY_LENGTH)
  end

  def create_self_signed_ca(key, name)
    cert = OpenSSL::X509::Certificate.new

    cert.public_key = key.public_key
    cert.subject = OpenSSL::X509::Name.parse(name)
    cert.issuer = cert.subject
    cert.version = 2
    cert.serial = rand(2**128)

    not_before = just_now
    cert.not_before = not_before
    cert.not_after = not_before + FIFTEEN_YEARS_SECONDS

    ext_factory = extension_factory_for(cert, cert)
    CA_EXTENSIONS.each do |ext|
      extension = ext_factory.create_extension(*ext)
      cert.add_extension(extension)
    end

    cert.sign(key, DEFAULT_SIGNING_DIGEST)

    cert
  end

  def create_csr(key, name)
    csr = OpenSSL::X509::Request.new

    csr.public_key = key.public_key
    csr.subject = OpenSSL::X509::Name.parse(name)
    csr.version = 2
    csr.sign(key, DEFAULT_SIGNING_DIGEST)

    csr
  end

  def sign(hostname, ca_key, ca_cert, csr)
    cert = OpenSSL::X509::Certificate.new

    cert.public_key = csr.public_key
    cert.subject = csr.subject
    cert.issuer = ca_cert.subject
    cert.version = 2
    cert.serial = rand(2**128)

    not_before = just_now
    cert.not_before = not_before
    cert.not_after = not_before + FIFTEEN_YEARS_SECONDS

    ext_factory = extension_factory_for(ca_cert, cert)
    SERVER_EXTENSIONS.each do |ext|
      extension = ext_factory.create_extension(*ext)
      cert.add_extension(extension)
    end

    if (hostname =~ Resolv::IPv4::Regex) || (hostname =~ Resolv::IPv6::Regex)
      type_string = 'IP'
    else
      type_string = 'DNS'
    end
    alt_names_ext = ext_factory.create_extension("subjectAltName", "#{type_string}:#{hostname}", false)
    cert.add_extension(alt_names_ext)

    cert.sign(ca_key, DEFAULT_SIGNING_DIGEST)

    cert
  end

  # Returns a Time object for one minute ago,
  # to give some tolerance for clock skew
  def just_now
    Time.now - 60
  end

  def create_crl_for(cert, key)
    crl = OpenSSL::X509::CRL.new
    crl.version = 1
    crl.issuer = cert.subject

    ef = extension_factory_for(cert)
    crl.add_extension(ef.create_extension(["authorityKeyIdentifier", "keyid:always", false]))
    crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", OpenSSL::ASN1::Integer(0)))

    crl.last_update = just_now
    crl.next_update = just_now + FIFTEEN_YEARS_SECONDS
    crl.sign(key, DEFAULT_SIGNING_DIGEST)

    crl
  end

  def extension_factory_for(ca, cert = nil)
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.issuer_certificate  = ca
    ef.subject_certificate = cert if cert

    ef
  end
end