7 # @see {Puppet::SSL::CertificateRevocationList}
11 FIVE_YEARS = 5 * 365*24*60*60
15 crl_content = crl.content
16 update_to_next_crl_number(crl_content)
17 update_valid_time_range_to_start_at(crl_content, Time.now)
18 sign_with(crl_content, ca.host.key.content)
19 Puppet::SSL::CertificateRevocationList.indirection.save(crl)
20 FileUtils.cp(Puppet[:cacrl], Puppet[:hostcrl])
21 Puppet::SSL::CertificateRevocationList.indirection.find("ca")
25 def update_valid_time_range_to_start_at(crl_content, time)
26 # The CRL is not valid if the time of checking == the time of last_update.
27 # So to have it valid right now we need to say that it was updated one second ago.
28 crl_content.last_update = time - 1
29 crl_content.next_update = time + FIVE_YEARS
33 def update_to_next_crl_number(crl_content)
34 crl_content.extensions = with_next_crl_number_from(crl_content, crl_content.extensions)
38 def with_next_crl_number_from(crl_content, existing_extensions)
39 existing_crl_num = existing_extensions.find { |e| e.oid == 'crlNumber' }
40 new_crl_num = existing_crl_num ? existing_crl_num.value.to_i + 1 : 0
41 extensions_without_crl_num = existing_extensions.reject { |e| e.oid == 'crlNumber' }
42 extensions_without_crl_num + [crl_number_of(new_crl_num)]
46 def crl_number_of(number)
47 OpenSSL::X509::Extension.new('crlNumber', OpenSSL::ASN1::Integer(number))
51 def sign_with(crl_content, cakey)
52 crl_content.sign(cakey, OpenSSL::Digest::SHA1.new)