If you plan on testing Puppet autosign scripts, it is useful to generate test certificate signing requests (CSRs) to verify that your script accepts and rejects the right requests. There is not much information online about this, so I had to go back to the OpenSSL documentation for extensions and requests. Below is what I have learned.

CSR Configuration File

First, you need to make your CSR config file for OpenSSL. You can use the example below, and set up the extensions per Puppet's documentation (1.3.6.1.4.1.34380.1.1.1 is Puppet's pp_uuid OID and 1.3.6.1.4.1.34380.1.1.7 is pp_project; the OpenSSL text dumper prints them as raw OIDs because it has no names for them).

[ req ]
default_bits       = 4096
policy             = policy_match
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no
attributes         = req_attributes

[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req_distinguished_name ]
commonName = 0842e974-ca99-43b5-94b5-251b1fd33f62

[ v3_req ]
nsComment               = "Puppet Server Internal Certificate"
1.3.6.1.4.1.34380.1.1.1 = ASN1:UTF8String:0842e974-ca99-43b5-94b5-251b1fd33f62
1.3.6.1.4.1.34380.1.1.7 = ASN1:UTF8String:project
basicConstraints        = critical,CA:false
extendedKeyUsage        = serverAuth, clientAuth
keyUsage                = digitalSignature, keyEncipherment

[ req_attributes ]
challengePassword = "ASuperSecretPassword"

Generating the CSR

openssl genrsa -out puppet.key 4096
openssl req -config openssl-csr.conf -new -key puppet.key -out puppet.csr

Testing CSR against script

cat puppet.csr | /etc/puppetlabs/code/environments/production/scripts/autosign.rb; echo $?

Signing a CSR to test certificate renewals

openssl x509 -extfile v3.ext -req -days 15 -in puppet.csr -CA /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -CAkey /etc/puppetlabs/puppet/ssl/ca/ca_key.pem -CAcreateserial -out puppet.crt -sha256
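The two steps above (piping a CSR into the policy script, then signing it to check renewals) are easier to exercise with a reproducible fixture. The script below is an added example, not code from the original post or from Puppet: it writes a config shaped like the one above, generates a CSR from it, runs a minimal autosign-style policy check over it (CSR on stdin, exit 0 to sign), and signs a CSR with a throwaway CA so you can confirm the requested extensions survive signing. It assumes only that openssl is in PATH; the CA name, the AUTOSIGN_SECRET variable and all CN, UUID and password values are constructed test data.

```shell
#!/bin/sh
# Added example (not from the original post): test-CSR generation, an
# autosign-style policy check, and signing with a throwaway CA.
PP_UUID_OID="1.3.6.1.4.1.34380.1.1.1"
# Placeholder shared secret; a real script would read it from a file only
# the autosign user can open.
EXPECTED_SECRET="${AUTOSIGN_SECRET:-ASuperSecretPassword}"

# Write a config like the post's and produce $out.key / $out.csr.
# Arguments: commonName, pp_uuid value, challengePassword, output prefix.
make_test_csr() {
  cn="$1"; uuid="$2"; secret="$3"; out="$4"
  cat > "$out.conf" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no
attributes         = req_attributes

[ req_distinguished_name ]
commonName = $cn

[ v3_req ]
$PP_UUID_OID = ASN1:UTF8String:$uuid
1.3.6.1.4.1.34380.1.1.7 = ASN1:UTF8String:project
basicConstraints        = critical,CA:false
extendedKeyUsage        = serverAuth, clientAuth
keyUsage                = digitalSignature, keyEncipherment

[ req_attributes ]
challengePassword = "$secret"
EOF
  openssl genrsa -out "$out.key" 2048 2>/dev/null &&
    openssl req -config "$out.conf" -new -key "$out.key" -out "$out.csr"
}

# Text dump of a CSR or a certificate, chosen by the PEM header line.
pem_text() {
  case "$(head -n 1 "$1")" in
    *REQUEST*) openssl req -noout -text -in "$1" ;;
    *)         openssl x509 -noout -text -in "$1" ;;
  esac
}

# commonName from the Subject line ("CN = x" and "CN=x" spellings).
pem_cn() {
  pem_text "$1" | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# pp_uuid value. OpenSSL has no printer for this OID, so it prints the raw
# DER under the OID line (tag byte, length byte, then the string); drop the
# two leading bytes. Assumes a value under 128 bytes (one-byte length).
pem_pp_uuid() {
  pem_text "$1" | sed -n "/^ *$PP_UUID_OID:/{n;s/^ *..//p;q;}"
}

# challengePassword attribute (CSRs only).
csr_challenge_password() {
  pem_text "$1" | sed -n 's/^ *challengePassword *:\(.*\)$/\1/p' | head -n 1
}

# Policy check in the shape Puppet runs autosign executables: CSR on stdin,
# exit 0 to sign, non-zero to refuse. Signs only when the challenge password
# matches and the pp_uuid extension equals the commonName.
check_csr() {
  tmp=$(mktemp) || return 1
  cat > "$tmp"
  cn=$(pem_cn "$tmp"); uuid=$(pem_pp_uuid "$tmp"); pw=$(csr_challenge_password "$tmp")
  rm -f "$tmp"
  [ -n "$cn" ] || { echo "reject: no commonName" >&2; return 1; }
  [ "$pw" = "$EXPECTED_SECRET" ] || { echo "reject: bad challenge password for $cn" >&2; return 1; }
  [ "$uuid" = "$cn" ] || { echo "reject: pp_uuid '$uuid' != CN '$cn'" >&2; return 1; }
  echo "accept: $cn"
}

# Sign $prefix.csr with a throwaway CA (created on first use next to it),
# carrying over the CSR's v3_req extensions, then verify the chain.
sign_with_test_ca() {
  prefix="$1"; ca="$(dirname "$prefix")/testca"
  if [ ! -f "$ca.crt" ]; then
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
      'prompt = no' '[ dn ]' 'CN = Test CA' '[ v3_ca ]' \
      'basicConstraints = critical,CA:true' 'keyUsage = keyCertSign, cRLSign' > "$ca.conf"
    openssl req -x509 -config "$ca.conf" -newkey rsa:2048 -nodes -days 1 \
      -keyout "$ca.key" -out "$ca.crt" 2>/dev/null || return 1
  fi
  openssl x509 -req -days 15 -sha256 -in "$prefix.csr" -CA "$ca.crt" -CAkey "$ca.key" \
    -CAcreateserial -extfile "$prefix.conf" -extensions v3_req -out "$prefix.crt" 2>/dev/null &&
    openssl verify -CAfile "$ca.crt" "$prefix.crt" >/dev/null
}

# Run as `sh thisfile.sh --check < puppet.csr` to use check_csr directly.
if [ "${1-}" = "--check" ]; then check_csr; exit $?; fi
```

Note that `openssl x509 -req` copies nothing from the CSR by itself: the extensions end up in the certificate only because `-extfile`/`-extensions` point at the same `v3_req` section, which is why the signed certificate is worth inspecting with `openssl x509 -noout -text` before relying on it in a renewal test.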
