author | Mark Chappell <mchappel@redhat.com> | 2015-11-04 12:18:22 +0100 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2015-11-25 15:16:12 +0200 |
commit | 5bfef1a17cc2fd7208a3ef95a046a3820561b102 (patch) | |
tree | 2071878b3674291dad3cc4fd8900857cd1c2781c /puppet | |
parent | 14c4417e425f832660bd54118112fc991564b38d (diff) |
Output the SSL Certificate and Key modulus
Provides a simple mechanism to verify the correct certificates
landed.
A quick and simple way to verify SSL certificates were generated for
a given key is by comparing the modulus of the two. By outputting
the key modulus and certificate modulus we offer a way to verify
that the right cert and key have been deployed without compromising
any of the secrets.
Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/controller.yaml | 6 | ||||
-rw-r--r-- | puppet/extraconfig/tls/no-tls.yaml | 6 | ||||
-rw-r--r-- | puppet/extraconfig/tls/tls-cert-inject.yaml | 14 |
3 files changed, 26 insertions, 0 deletions
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index 81fa6c11..05661e70 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -1396,3 +1396,9 @@ outputs:
 - {get_attr: [NodeTLSData, deploy_stdout]}
 - {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
 - {get_param: UpdateIdentifier}
+ tls_key_modulus_md5:
+ description: MD5 checksum of the TLS Key Modulus
+ value: {get_attr: [NodeTLSData, key_modulus_md5]}
+ tls_cert_modulus_md5:
+ description: MD5 checksum of the TLS Certificate Modulus
+ value: {get_attr: [NodeTLSData, cert_modulus_md5]}
diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
index d2dfdfa4..2da209cb 100644
--- a/puppet/extraconfig/tls/no-tls.yaml
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -26,3 +26,9 @@ outputs:
 value: 'TLS not enabled.'
 deployed_ssl_certificate_path:
 value: ''
+ key_modulus_md5:
+ description: Key SSL Modulus
+ value: ''
+ cert_modulus_md5:
+ description: Certificate SSL Modulus
+ value: ''
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
index b4564fc7..739a51ad 100644
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -49,6 +49,8 @@ resources:
 - name: cert_chain_content
 outputs:
 - name: chain_md5sum
+ - name: cert_modulus
+ - name: key_modulus
 config: |
 #!/bin/sh
 cat << EOF | tee ${cert_path} > /dev/null
@@ -57,6 +59,12 @@ resources:
 chmod 0440 ${cert_path}
 chown root:haproxy ${cert_path}
 md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+ openssl x509 -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.cert_modulus
+ openssl rsa -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.key_modulus
 ControllerTLSDeployment:
 type: OS::Heat::SoftwareDeployment
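Review bot: The new outputs `tls_key_modulus_md5` and `tls_cert_modulus_md5` will compare equal whenever `NodeTLSData` resolves to no-tls.yaml (presumably the TLS-disabled case), because that template returns `''` for both `key_modulus_md5` and `cert_modulus_md5`; an automated equality check would then report a match although no certificate was deployed. The descriptions should state that an empty value means TLS is not enabled and must not be read as a match, for example `description: MD5 checksum of the TLS Key Modulus (empty when TLS is not enabled)`. The same applies to the no-tls.yaml hunk, whose descriptions `Key SSL Modulus` and `Certificate SSL Modulus` also omit that the value is an MD5 digest, unlike the matching outputs in tls-cert-inject.yaml.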
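Review bot: A failed `openssl x509` or `openssl rsa` in the added pipelines of tls-cert-inject.yaml still yields a digest, because `openssl md5` then hashes empty input and the pipeline's status is that of `cut`; if both commands fail, `cert_modulus` and `key_modulus` hold the same value and the comparison reports a false match. Capture the modulus first and stop on error, e.g. `cert_mod=$(openssl x509 -noout -modulus -in ${cert_path}) || exit 1` followed by `echo "$cert_mod" | openssl md5 | awk '{print $NF}' > ${heat_outputs_path}.cert_modulus`, and likewise for the key. Taking the last field also removes the dependence of `cut -c 10-` on the exact `(stdin)= ` prefix, which may differ between OpenSSL builds. `openssl rsa` presumably fails for non-RSA keys, which would take the same silent path. The script body starts before this hunk, so whether an earlier `set -e` is in effect cannot be seen here.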
@@ -79,3 +87,9 @@ outputs:
 deployed_ssl_certificate_path:
 description: The location that the TLS certificate was deployed to.
 value: {get_param: DeployedSSLCertificatePath}
+ key_modulus_md5:
+ description: MD5 checksum of the Key SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, key_modulus]}
+ cert_modulus_md5:
+ description: MD5 checksum of the Certificate SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, cert_modulus]} |
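Review bot: The deployment attributes read here, `key_modulus` and `cert_modulus`, carry MD5 digests rather than the moduli themselves, while the template outputs that expose them are named `key_modulus_md5` and `cert_modulus_md5`. Naming the `outputs:` entries added in the first hunk of this file `key_modulus_md5` and `cert_modulus_md5` as well would keep one name per value from the script to the stack output. A comment beside these outputs such as `# digests only detect a cert/key mismatch; they are not an integrity check` would keep the MD5 values from being read as a security control.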