diff options
-rw-r--r-- | lib/leap_cli/commands/ca.rb | 24 |
1 files changed, 11 insertions, 13 deletions
diff --git a/lib/leap_cli/commands/ca.rb b/lib/leap_cli/commands/ca.rb index d3f864a..5d68221 100644 --- a/lib/leap_cli/commands/ca.rb +++ b/lib/leap_cli/commands/ca.rb @@ -24,7 +24,7 @@ module LeapCli; module Commands 'Sometimes, you might want to force the generation of a new certificate, ' + 'such as in the cases where you have changed a CA parameter for server certificates, like bit size or digest hash. ' + 'In this case, use --force. If <node-filter> is empty, this command will apply to all nodes.' - cert.arg_name '<node-filter>' + cert.arg_name 'FILTER' cert.command :update do |update| update.switch 'force', :desc => 'Always generate new certificates', :negatable => false update.action do |global_options,options,args| @@ -81,38 +81,36 @@ module LeapCli; module Commands # http://www.redkestrel.co.uk/Articles/CSR.html # cert.desc "Creates a CSR for use in buying a commercial X.509 certificate." - cert.long_desc "The CSR created is for the for the provider's primary domain. The properties used for this CSR come from `provider.ca.server_certificates`." + cert.long_desc "Unless specified, the CSR is created for the provider's primary domain. The properties used for this CSR come from `provider.ca.server_certificates`." cert.command :csr do |csr| - #c.switch 'sign', :desc => 'additionally creates a cert that is signed by your own CA (recommended only for testing)', :negatable => false + csr.flag 'domain', :arg_name => 'DOMAIN', :desc => 'Specify what domain to create the CSR for.', :default_value => 'primary domain' csr.action do |global_options,options,args| assert_config! 'provider.domain' assert_config! 'provider.name' assert_config! 'provider.default_language' assert_config! 'provider.ca.server_certificates.bit_size' assert_config! 'provider.ca.server_certificates.digest' - assert_files_missing! [:commercial_key, provider.domain], [:commercial_csr, provider.domain], :msg => 'If you really want to create a new key and CSR, remove these files first.' - #if options[:sign] - # assert_files_exist! :ca_cert, :ca_key, :msg => 'Run `leap cert ca` to create them' - #end + domain = options[:domain] || provider.domain + assert_files_missing! [:commercial_key, domain], [:commercial_csr, domain], :msg => 'If you really want to create a new key and CSR, remove these files first.' # RSA key keypair = CertificateAuthority::MemoryKeyMaterial.new log :generating, "%s bit RSA key" % provider.ca.server_certificates.bit_size do keypair.generate_key(provider.ca.server_certificates.bit_size) - write_file! [:commercial_key, provider.domain], keypair.private_key.to_pem + write_file! [:commercial_key, domain], keypair.private_key.to_pem end # CSR dn = CertificateAuthority::DistinguishedName.new csr = CertificateAuthority::SigningRequest.new - dn.common_name = provider.domain + dn.common_name = domain dn.organization = provider.name[provider.default_language] log :generating, "CSR with commonName => '%s', organization => '%s'" % [dn.common_name, dn.organization] do csr.distinguished_name = dn csr.key_material = keypair csr.digest = provider.ca.server_certificates.digest request = csr.to_x509_csr - write_file! [:commercial_csr, provider.domain], csr.to_pem + write_file! [:commercial_csr, domain], csr.to_pem end # Sign using our own CA, for use in testing but hopefully not production. @@ -121,13 +119,13 @@ module LeapCli; module Commands #if options[:sign] log :generating, "self-signed x509 server certificate for testing purposes" do cert = csr.to_cert - cert.serial_number.number = cert_serial_number(provider.domain) + cert.serial_number.number = cert_serial_number(domain) cert.not_before = yesterday cert.not_after = years_from_yesterday(1) cert.parent = ca_root cert.sign! domain_test_signing_profile - write_file! [:commercial_cert, provider.domain], cert.to_pem - log "please replace this file with the real certificate you get from a CA using #{Path.relative_path([:commercial_csr, provider.domain])}" + write_file! [:commercial_cert, domain], cert.to_pem + log "please replace this file with the real certificate you get from a CA using #{Path.relative_path([:commercial_csr, domain])}" end #end |