
apache::vhost-ssl - added option to change the CN of the ssl certificate.
1 parent f82fb19 commit c8a06f305f73e3ea3b21c06540e6d9d681d3f7ca @mfournier mfournier committed Mar 26, 2010
Showing with 13 additions and 9 deletions.
  1. +2 −7 files/generate-ssl-cert.sh
  2. +10 −1 manifests/definitions/vhost-ssl.pp
  3. +1 −1 templates/ssleay.cnf.erb
@@ -11,17 +11,12 @@ template=$2
outputdir=$3
days=$4
-TMPFILE=`mktemp` || exit 1
-
-sed -e s#@HostName@#"$hostname"# $template > $TMPFILE
-
export RANDFILE=/dev/random
if [ ! -e $outputdir/$hostname.crt ] || [ ! -e $outputdir/$hostname.key ]; then
- openssl req -config $TMPFILE -new -x509 -nodes -days $days -out $outputdir/$hostname.crt -keyout $outputdir/$hostname.key || exit 1
+ openssl req -config $template -new -x509 -nodes -days $days -out $outputdir/$hostname.crt -keyout $outputdir/$hostname.key || exit 1
chmod 600 $outputdir/$hostname.key
fi
-openssl req -new -key $outputdir/$hostname.key -config $TMPFILE > $outputdir/$hostname.csr || exit 1
+openssl req -new -key $outputdir/$hostname.key -config $template > $outputdir/$hostname.csr || exit 1
-rm -f $TMPFILE || exit 0
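Review bot: The new `-config $template` on both openssl invocations is passed unquoted, as are the `$outputdir/$hostname.crt`, `.key` and `.csr` paths, so a template path or hostname containing whitespace or glob characters is split into several arguments before openssl sees it; quoting is cheap: `openssl req -config "$template" -new -x509 -nodes -days "$days" -out "$outputdir/$hostname.crt" -keyout "$outputdir/$hostname.key" || exit 1` and likewise for the CSR line. Since the script no longer rewrites the template through sed, the rendered config is now consumed as-is, so whatever produces it (the Puppet template in this commit) is the only place the CN and other subject fields can be checked. The private key written by `-keyout` is created under the process umask and only tightened by the `chmod 600` on the next line; a `umask 077` near the top of the script removes that gap. The script head above `template=$2` lies outside the hunk.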
@@ -38,6 +38,10 @@
SSLCACertificateFile directive.
- *$certchain*: optional source URL of the CA certificate chain, if needed.
This the certificate passed to the SSLCertificateChainFile directive.
+- *$certcommonname*: set a custom CN field in your SSL certificate. Note that
+ the CN field must match the FQDN of your virtualhost to avoid "certificate
+ name mismatch" errors in the users browsers. Defaults to false, which means
+ that $name will be used as the CN.
- *$days*: validity of the key/cert generated by generate-ssl-cert.sh. Defaults
to 10 years.
- *$publish_csr*: if set to "true", the CSR will be copied in htdocs/$name.csr.
@@ -98,10 +102,12 @@
$certkey=false,
$cacert=false,
$certchain=false,
+ $certcommonname=false,
$days="3650",
$publish_csr=false,
$sslonly=false,
- $ports="all"
+ $ports="all",
+ $ssl_hostname=false
) {
if $apache_ssl_ports {} else { $apache_ports = [80] }
@@ -111,6 +117,9 @@
if (!$sslcert_country) { $sslcert_country = "??" }
if (!$sslcert_organisation) { $sslcert_organisation = "undefined organisation" }
+ if ($certcommonname != false ) { $sslcert_commonname = $certcommonname }
+ else { $sslcert_commonname = $name }
+
# define distro-specific paths and users.
case $operatingsystem {
redhat,CentOS : {
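Review bot: `$certcommonname` is copied into `$sslcert_commonname` without any check on its shape, and the value is rendered verbatim into the OpenSSL request config by `commonName = <%= sslcert_commonname %>` in templates/ssleay.cnf.erb (the third file of this commit), where a line break, `#` or `$` alters the config file itself rather than just the CN. A bounded pattern inside the `if ($certcommonname != false )` branch limits that, e.g. `if ($certcommonname !~ /^[A-Za-z0-9*][A-Za-z0-9.*-]*$/) { fail("certcommonname '${certcommonname}' is not a valid hostname") }`, assuming the Puppet release in use supports regex conditions. The `$ssl_hostname=false` parameter added in the signature hunk is neither described in the parameter documentation hunk nor used anywhere visible in this diff; if it is consumed further down the define, a doc line for it would help, otherwise it looks like a leftover. The body of the define continues outside these hunks.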
@@ -24,7 +24,7 @@ organizationName = <%= sslcert_organisation %>
<% if has_variable?("sslcert_unit") -%>
organizationalUnitName = <%= sslcert_unit %>
<% end -%>
-commonName = @HostName@
+commonName = <%= sslcert_commonname %>
<% if has_variable?("sslcert_email") -%>
emailAddress = <%= sslcert_email %>
<% end -%>
