authorMark Chappell <mchappel@redhat.com>2015-11-04 12:18:22 +0100
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2015-11-25 15:16:12 +0200
commit5bfef1a17cc2fd7208a3ef95a046a3820561b102 (patch)
tree2071878b3674291dad3cc4fd8900857cd1c2781c /puppet
parent14c4417e425f832660bd54118112fc991564b38d (diff)
Output the SSL Certificate and Key modulus
Provides a simple mechanism to verify the correct certificates landed. A quick and simple way to verify SSL certificates were generated for a given key is by comparing the modulus of the two. By outputting the key modulus and certificate modulus we offer a way to verify that the right cert and key have been deployed without compromising any of the secrets. Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
Diffstat (limited to 'puppet')
-rw-r--r--puppet/controller.yaml6
-rw-r--r--puppet/extraconfig/tls/no-tls.yaml6
-rw-r--r--puppet/extraconfig/tls/tls-cert-inject.yaml14
3 files changed, 26 insertions, 0 deletions
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index 81fa6c11..05661e70 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -1396,3 +1396,9 @@ outputs:
- {get_attr: [NodeTLSData, deploy_stdout]}
- {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
- {get_param: UpdateIdentifier}
+ tls_key_modulus_md5:
+ description: MD5 checksum of the TLS Key Modulus
+ value: {get_attr: [NodeTLSData, key_modulus_md5]}
+ tls_cert_modulus_md5:
+ description: MD5 checksum of the TLS Certificate Modulus
+ value: {get_attr: [NodeTLSData, cert_modulus_md5]}
diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
index d2dfdfa4..2da209cb 100644
--- a/puppet/extraconfig/tls/no-tls.yaml
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -26,3 +26,9 @@ outputs:
value: 'TLS not enabled.'
deployed_ssl_certificate_path:
value: ''
+ key_modulus_md5:
+ description: Key SSL Modulus
+ value: ''
+ cert_modulus_md5:
+ description: Certificate SSL Modulus
+ value: ''
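Review bot: The two descriptions added here, `Key SSL Modulus` and `Certificate SSL Modulus`, do not say that the value is an MD5 digest, while the same outputs in tls-cert-inject.yaml are described as `MD5 checksum of the Key SSL Modulus`. Both values are also the empty string, so a consumer that compares the two sees a match when TLS is not enabled. The description is the place to state that, for example `description: MD5 checksum of the Key SSL Modulus (empty when TLS is not enabled)` and the equivalent wording for the certificate output.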
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
index b4564fc7..739a51ad 100644
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -49,6 +49,8 @@ resources:
- name: cert_chain_content
outputs:
- name: chain_md5sum
+ - name: cert_modulus
+ - name: key_modulus
config: |
#!/bin/sh
cat << EOF | tee ${cert_path} > /dev/null
@@ -57,6 +59,12 @@ resources:
chmod 0440 ${cert_path}
chown root:haproxy ${cert_path}
md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+ openssl x509 -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.cert_modulus
+ openssl rsa -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.key_modulus
ControllerTLSDeployment:
type: OS::Heat::SoftwareDeployment
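Review bot: Both added modulus pipelines write a digest even when the `openssl` call in front of the pipe fails, because a `sh` pipeline returns the status of its last command; if both calls print nothing (unreadable or malformed file at `${cert_path}`), the two outputs are the MD5 of empty input and compare equal, which reads as a verified cert/key pair. `cut -c 10-` also assumes the digest line starts with the nine-character `(stdin)= ` prefix, whereas OpenSSL 3.x prints `MD5(stdin)= `, so the stored value would carry part of the prefix; `md5sum | cut -d' ' -f1`, in line with the `md5sum` call on the line above, does not depend on that format. `openssl rsa` rejects non-RSA keys, so presumably the script should stop on that error rather than publish a digest. The script body starts outside this hunk, so whether it already sets `-e` is not visible here.

```yaml
md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
# Stop before writing a digest when either modulus cannot be read.
cert_modulus=$(openssl x509 -noout -modulus -in ${cert_path}) || exit 1
key_modulus=$(openssl rsa -noout -modulus -in ${cert_path}) || exit 1
printf '%s\n' "${cert_modulus}" | md5sum | cut -d' ' -f1 \
  > ${heat_outputs_path}.cert_modulus
printf '%s\n' "${key_modulus}" | md5sum | cut -d' ' -f1 \
  > ${heat_outputs_path}.key_modulus
```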
@@ -79,3 +87,9 @@ outputs:
deployed_ssl_certificate_path:
description: The location that the TLS certificate was deployed to.
value: {get_param: DeployedSSLCertificatePath}
+ key_modulus_md5:
+ description: MD5 checksum of the Key SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, key_modulus]}
+ cert_modulus_md5:
+ description: MD5 checksum of the Certificate SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, cert_modulus]}