chef-ssl-client 1.0.0 → 1.0.4

data/bin/chef-ssl

@@ -1,6 +1,8 @@
 require "rubygems"
-require "commander/import"
+# Load Chef before Commander, to avoid calls to Mixlib::Config going
+# to Commmander's imports.
 require "chef-ssl/client"
+require "commander/import"
 
 HighLine.colorize_strings
 

data/lib/chef-ssl/client.rb

@@ -4,6 +4,7 @@ require 'json'
 require 'openssl'
 require 'digest/sha2'
 require 'active_support/hash_with_indifferent_access'
+require 'chef/knife'
 require 'chef/config'
 require 'chef/node'
 
@@ -16,11 +17,20 @@ module ChefSSL
   class Client
 
     def initialize
-      path = File.expand_path('knife.rb', '~/.chef')
-      Chef::Config.from_file(path)
+      Chef::Knife.new.tap do |knife|
+        # Set the log-level, knife style. This equals :error level
+        Chef::Config[:verbosity] = knife.config[:verbosity] ||= 0
+        knife.configure_chef
+      end
+
       Spice.reset
+
+      # avoid Spice issue if chef_server_url has a trailing slash.
+      chef_server_url = Chef::Config.chef_server_url
+      chef_server_url.gsub!(/\/$/, '')
+
       Spice.setup do |s|
-        s.server_url = Chef::Config.chef_server_url
+        s.server_url = chef_server_url
         s.client_name = Chef::Config.node_name
         s.client_key = Spice.read_key_file(File.expand_path(Chef::Config.client_key))
       end

data/lib/chef-ssl/client.rb~

@@ -0,0 +1,64 @@
+require 'spice'
+require 'eassl'
+require 'json'
+require 'openssl'
+require 'digest/sha2'
+require 'active_support/hash_with_indifferent_access'
+require 'chef/config'
+require 'chef/node'
+
+require 'chef-ssl/client/version'
+require 'chef-ssl/client/request'
+require 'chef-ssl/client/signing_authority'
+require 'chef-ssl/client/issued_certificate'
+
+module ChefSSL
+  class Client
+
+    def initialize
+      path = File.expand_path('knife.rb', '~/.chef')
+      Chef::Config.from_file(path)
+      Spice.reset
+      Spice.setup do |s|
+        s.server_url = Chef::Config.chef_server_url
+        s.client_name = Chef::Config.node_name
+        s.client_key = Spice.read_key_file(File.expand_path(Chef::Config.client_key))
+      end
+    end
+
+    def self.load_authority(options)
+      SigningAuthority.load(
+        :path => options[:path],
+        :password => options[:password]
+      )
+    end
+
+    def ca_search(ca=nil)
+      if ca
+        nodes = Spice.nodes("csr_outbox_*_ca:#{ca}")
+      else
+        nodes = Spice.nodes("csr_outbox_*")
+      end
+      nodes.each do |node|
+        node.normal['csr_outbox'].each do |id, data|
+          next if data['csr'].nil? # XXX warn, raise?
+          yield Request.new(node.name, data)
+        end
+      end
+    end
+
+    def common_name_search(name)
+      name_sha = Digest::SHA256.new << name
+      cert_id = name_sha.to_s
+      nodes = Spice.nodes("csr_outbox_*_id:#{cert_id}")
+      nodes.each do |node|
+        node.normal['csr_outbox'].each do |id, data|
+          next unless data['id'] == cert_id
+          next if data['csr'].nil? # XXX warn, raise?
+          yield Request.new(node.name, data)
+        end
+      end
+    end
+
+  end
+end

data/lib/chef-ssl/client/request.rb

@@ -31,11 +31,7 @@ module ChefSSL
       def self.create(key, type, options)
         name = EaSSL::CertificateName.new(options)
         csr  = EaSSL::SigningRequest.new(:name => name, :key => key)
-
-        data = {
-          :type => type
-        }
-        self.new('localhost', data, csr)
+        self.new('localhost', { 'type' => type }, csr)
       end
     end
   end

data/lib/chef-ssl/client/request.rb~

@@ -0,0 +1,42 @@
+module ChefSSL
+  class Client
+    class Request
+
+      attr_reader :host, :csr, :type, :ca, :id, :name, :key, :days
+
+      def initialize(host, data, csr=nil)
+        @host = host
+        @csr = csr || EaSSL::SigningRequest.new.load(data['csr'])
+        @type = data['type']
+        @ca = data['ca']
+        @id = data['id']
+        @name = data['name']
+        @key = data['key']
+        @days = data['days'] || (365 * 5)
+      end
+
+      def subject
+        @csr.subject.to_s
+      end
+
+      def to_pem
+        @csr.to_pem
+      end
+
+      def issue_certificate(cert_text)
+        cert = EaSSL::Certificate.new({}).load(cert_text)
+        IssuedCertificate.new(self, cert)
+      end
+
+      def self.create(key, type, options)
+        name = EaSSL::CertificateName.new(options)
+        csr  = EaSSL::SigningRequest.new(:name => name, :key => key)
+
+        data = {
+          'type' => type
+        }
+        self.new('localhost', data, csr)
+      end
+    end
+  end
+end

data/lib/chef-ssl/client/signing_authority.rb~

@@ -0,0 +1,83 @@
+module ChefSSL
+  class Client
+    class SigningAuthority
+
+      def self.load(options)
+        ca = EaSSL::CertificateAuthority.load(
+          :ca_path => options[:path],
+          :ca_password => options[:password]
+          )
+        self.new(ca)
+      end
+
+      def initialize(ca)
+        @ca = ca
+      end
+
+      def dn
+        @ca.certificate.subject.to_s
+      end
+
+      def sign(req)
+        cert = @ca.create_certificate(req.csr, req.type, req.days)
+        IssuedCertificate.new(req, cert, @ca)
+      end
+
+      def self.create(name, path, passphrase)
+        config = {
+          :ca_dir => path,
+          :password => passphrase,
+          :ca_rsa_key_length => 1024,
+          :ca_cert_days => 3650,
+          :name => name
+        }
+        config[:serial_file] = File.join(config[:ca_dir], 'serial.txt')
+        config[:keypair_file] = File.join(config[:ca_dir], 'cakey.pem')
+        config[:cert_file] = File.join(config[:ca_dir], 'cacert.pem')
+
+        Dir.mkdir config[:ca_dir]
+        Dir.mkdir File.join(config[:ca_dir], 'private'), 0700
+        Dir.mkdir File.join(config[:ca_dir], 'newcerts')
+        Dir.mkdir File.join(config[:ca_dir], 'crl')
+
+        File.open config[:serial_file], 'w' do |f| f << '1' end
+
+        keypair = OpenSSL::PKey::RSA.new config[:ca_rsa_key_length]
+
+        cert = OpenSSL::X509::Certificate.new
+        cert.subject = cert.issuer = config[:name]
+        cert.not_before = Time.now
+        cert.not_after = Time.now + config[:ca_cert_days] * 24 * 60 * 60
+        cert.public_key = keypair.public_key
+        cert.serial = 0x0
+        cert.version = 2 # X509v3
+
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.subject_certificate = cert
+        ef.issuer_certificate = cert
+        cert.extensions = [
+          ef.create_extension("basicConstraints", "CA:TRUE", true),
+          ef.create_extension("nsComment", "Ruby/OpenSSL/chef-ssl Generated Certificate"),
+          ef.create_extension("subjectKeyIdentifier", "hash"),
+          ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
+        ]
+        cert.add_extension ef.create_extension("authorityKeyIdentifier",
+          "keyid:always,issuer:always")
+        cert.sign keypair, OpenSSL::Digest::SHA1.new
+
+        keypair_export = keypair.export OpenSSL::Cipher::DES.new(:EDE3, :CBC),
+        config[:password]
+
+        File.open config[:keypair_file], "w", 0400 do |fp|
+          fp << keypair_export
+        end
+
+        File.open config[:cert_file], "w", 0644 do |f|
+          f << cert.to_pem
+        end
+      end
+    end
+  end
+end
+
+

data/lib/chef-ssl/client/version.rb

@@ -1,5 +1,5 @@
 module ChefSSL
   class Client
-    VERSION = '1.0.0'
+    VERSION = '1.0.4'
   end
 end

data/lib/chef-ssl/client/version.rb~

@@ -0,0 +1,5 @@
+module ChefSSL
+  class Client
+    VERSION = '1.0.3'
+  end
+end

data/lib/chef-ssl/command.rb

@@ -55,11 +55,11 @@ command :issue do |c|
     req = ChefSSL::Client::Request.create(key, options.type, name)
     cert = authority.sign(req)
 
-    puts "#{'Key:'.cyan}"
-    puts HighLine.color(key.private_key.to_s, :bright_black)
-    puts
-    puts "#{'Certificate:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
-    puts HighLine.color(cert.to_pem, :bright_black)
+    say "#{'Key:'.cyan}"
+    say HighLine.color(key.private_key.to_s, :bright_black)
+    say ""
+    say "#{'Certificate:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
+    say HighLine.color(cert.to_pem, :bright_black)
   end
 end
 
@@ -67,35 +67,35 @@ command :makeca do |c|
   c.syntax = "chef-ssl makeca [options]"
   c.description = "Creates a new CA"
   c.example "Upload cert for CSR www.venda.com",
-            "chef-ssl makeca --ca-name '/CN=My New CA' --ca-path ./newCA"
+            "chef-ssl makeca --dn '/CN=My New CA' --ca-path ./newCA"
 
   c.option "--ca-path=STRING", String, "the path to the new CA"
-  c.option "--ca-name=STRING", String, "the distinguished name of the new CA"
+  c.option "--dn=STRING", String, "the distinguished name of the new CA"
 
   c.action do |args, options|
     begin
-      name = OpenSSL::X509::Name.parse(options.ca_name)
+      name = OpenSSL::X509::Name.parse(options.dn)
     rescue NoMethodError
-      raise "--ca-name is required and must be a distinguished name"
+      raise "--dn is required and must be a distinguished name"
     rescue TypeError
-      raise "--ca-name is required and must be a distinguished name"
+      raise "--dn is required and must be a distinguished name"
     rescue OpenSSL::X509::NameError => e
-      raise "--ca-name must specify a valid DN: #{e.message}"
+      raise "--dn must specify a valid DN: #{e.message}"
     end
 
     raise "CA path is required" unless options.ca_path
     raise "CA path must not already exist" if Dir.glob(options.ca_path).length > 0
 
-    puts "#{'New CA DN'.cyan}: #{name.to_s}"
-    puts
+    say "#{'New CA DN'.cyan}: #{name.to_s}"
+    say ""
 
     passphrase = ask("Enter new CA passphrase:  ") { |q| q.echo = false }
     passphrase2 = ask("Re-enter new CA passphrase:  ") { |q| q.echo = false }
     raise "passphrases do not match" unless passphrase == passphrase2
 
-    print "\n#{'Creating new CA'.cyan}: "
+    say "\n#{'Creating new CA'.cyan}: "
     ChefSSL::Client::SigningAuthority.create(name, options.ca_path, passphrase)
-    puts "done"
+    say "done"
   end
 end
 
@@ -110,17 +110,17 @@ command :search do |c|
   c.action do |args, options|
     client = ChefSSL::Client.new
 
-    puts "#{'Search CA'.cyan}: #{options.ca_name}" if options.ca_name
+    say "#{'Search CA'.cyan}: #{options.ca_name}" if options.ca_name
 
     client.ca_search(options.ca_name) do |req|
-      puts
-      puts "#{'     Node Hostname'.cyan}: #{req.host}"
-      puts "#{'  Certificate Type'.cyan}: #{req.type.bold}"
-      puts "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
-      puts "#{'      Requested CA'.cyan}: #{req.ca.bold}"
-      puts "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
-      puts
-      puts HighLine.color(req.to_pem, :bright_black)
+      say ""
+      say "#{'     Node Hostname'.cyan}: #{req.host}"
+      say "#{'  Certificate Type'.cyan}: #{req.type.bold}"
+      say "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
+      say "#{'      Requested CA'.cyan}: #{req.ca.bold}"
+      say "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
+      say ""
+      say HighLine.color(req.to_pem, :bright_black)
     end
   end
 end
@@ -139,17 +139,17 @@ command :sign do |c|
 
     client = ChefSSL::Client.new
 
-    puts "#{'Search name'.cyan}: #{options.name}"
+    say "#{'Search name'.cyan}: #{options.name}"
 
     client.common_name_search(options.name) do |req|
-      puts
-      puts "#{'     Node Hostname'.cyan}: #{req.host}"
-      puts "#{'  Certificate Type'.cyan}: #{req.type.bold}"
-      puts "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
-      puts "#{'      Requested CA'.cyan}: #{req.ca.bold}"
-      puts "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
-      puts
-      puts HighLine.color(req.to_pem, :bright_black)
+      say ""
+      say "#{'     Node Hostname'.cyan}: #{req.host}"
+      say "#{'  Certificate Type'.cyan}: #{req.type.bold}"
+      say "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
+      say "#{'      Requested CA'.cyan}: #{req.ca.bold}"
+      say "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
+      say ""
+      say HighLine.color(req.to_pem, :bright_black)
 
       cert = nil
 
@@ -169,13 +169,13 @@ command :sign do |c|
       end
 
       if cert
-        puts "#{' Signed:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
-        puts "#{'Subject:'.cyan} #{cert.subject}"
-        puts "#{' Issuer:'.cyan} #{cert.issuer}"
-        puts HighLine.color(cert.to_pem, :bright_black)
+        say "#{' Signed:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
+        say "#{'Subject:'.cyan} #{cert.subject}"
+        say "#{' Issuer:'.cyan} #{cert.issuer}"
+        say HighLine.color(cert.to_pem, :bright_black)
 
         unless cert.subject == req.subject
-          puts "#{'WARNING:'.red.bold} #{'Issued certificate DN does not match request DN!'.bold}"
+          say "#{'WARNING:'.red.bold} #{'Issued certificate DN does not match request DN!'.bold}"
         end
 
         HighLine.new.choose do |menu|
@@ -185,9 +185,9 @@ command :sign do |c|
           menu.choice :yes do
             begin
               cert.save!
-              puts "Saved OK"
+              say "Saved OK"
             rescue ChefSSL::Client::CertSaveFailed => e
-              puts "Error saving: #{e.message}"
+              say "Error saving: #{e.message}"
             end
           end
           menu.choice :no do
@@ -220,17 +220,17 @@ command :autosign do |c|
 
     client = ChefSSL::Client.new
 
-    puts "#{'Search CA'.cyan}: #{options.ca_name}"
+    say "#{'Search CA'.cyan}: #{options.ca_name}"
 
     client.ca_search(options.ca_name) do |req|
-      puts
-      puts "#{'     Node Hostname'.cyan}: #{req.host}"
-      puts "#{'  Certificate Type'.cyan}: #{req.type.bold}"
-      puts "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
-      puts "#{'      Requested CA'.cyan}: #{req.ca.bold}"
-      puts "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
-      puts
-      puts HighLine.color(req.to_pem, :bright_black)
+      say ""
+      say "#{'     Node Hostname'.cyan}: #{req.host}"
+      say "#{'  Certificate Type'.cyan}: #{req.type.bold}"
+      say "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
+      say "#{'      Requested CA'.cyan}: #{req.ca.bold}"
+      say "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
+      say ""
+      say HighLine.color(req.to_pem, :bright_black)
 
       HighLine.new.choose do |menu|
         menu.layout = :one_line
@@ -238,14 +238,14 @@ command :autosign do |c|
 
         menu.choice :yes do
           cert = authority.sign(req)
-          puts
-          puts "#{'Signed:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
-          puts HighLine.color(cert.to_pem, :bright_black)
+          say ""
+          say "#{'Signed:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
+          say HighLine.color(cert.to_pem, :bright_black)
           begin
             cert.save!
-            puts "Saved OK"
+            say "Saved OK"
           rescue ChefSSL::Client::CertSaveFailed => e
-            puts "Error saving: #{e.message}"
+            say "Error saving: #{e.message}"
           end
         end
 
@@ -255,6 +255,6 @@ command :autosign do |c|
       end
     end
 
-    puts "All CSRs processed."
+    say "All CSRs processed."
   end
 end

data/lib/chef-ssl/command.rb~

@@ -0,0 +1,260 @@
+program :name, "chef-ssl"
+program :version, ChefSSL::Client::VERSION
+program :description, "Chef-automated SSL certificate signing tool"
+program :help_formatter, :compact
+
+default_command :help
+
+command :issue do |c|
+  c.syntax = "chef-ssl issue [options]"
+  c.description = "Issue an ad hoc certificate"
+  c.example "Issue cert for www.venda.com",
+            "chef-ssl issue --ca-path ./myCA --dn /CN=foo --type server"
+
+  c.option "--ca-path=STRING", String, "the path to the new CA"
+  c.option "--dn=STRING", String, "the distinguished name for the new certificate"
+  c.option "--type=STRING", String, "the type of certificate, client or server"
+
+  c.action do |args, options|
+    raise "CA path is required" unless options.ca_path
+    raise "DN is required" unless options.dn
+    raise "type is required" unless options.type
+
+    begin
+      dn = OpenSSL::X509::Name.parse(options.dn)
+    rescue NoMethodError
+      raise "--dn is required and must be a distinguished name"
+    rescue TypeError
+      raise "--dn is required and must be a distinguished name"
+    rescue OpenSSL::X509::NameError => e
+      raise "--dn must specify a valid DN: #{e.message}"
+    end
+
+    unless options.type == 'server' || options.type == 'client'
+      raise "type must be server or client"
+    end
+
+    authority = ChefSSL::Client.load_authority(
+      :password => ask("Enter CA passphrase:  ") { |q| q.echo = false },
+      :path => options.ca_path
+    )
+
+    key = EaSSL::Key.new
+
+    h = dn.to_a.reduce({}) { |h, elem| h[elem[0]] = elem[1]; h }
+    name = {
+      :city => h['L'],
+      :state => h['ST'],
+      :country => h['C'],
+      :department => h['OU'],
+      :common_name => h['CN'],
+      :organization => h['O'],
+      :email => h['emailAddress']
+    }
+
+    req = ChefSSL::Client::Request.create(key, options.type, name)
+    cert = authority.sign(req)
+
+    puts "#{'Key:'.cyan}"
+    puts HighLine.color(key.private_key.to_s, :bright_black)
+    puts
+    puts "#{'Certificate:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
+    puts HighLine.color(cert.to_pem, :bright_black)
+  end
+end
+
+command :makeca do |c|
+  c.syntax = "chef-ssl makeca [options]"
+  c.description = "Creates a new CA"
+  c.example "Upload cert for CSR www.venda.com",
+            "chef-ssl makeca --dn '/CN=My New CA' --ca-path ./newCA"
+
+  c.option "--ca-path=STRING", String, "the path to the new CA"
+  c.option "--dn=STRING", String, "the distinguished name of the new CA"
+
+  c.action do |args, options|
+    begin
+      name = OpenSSL::X509::Name.parse(options.dn)
+    rescue NoMethodError
+      raise "--dn is required and must be a distinguished name"
+    rescue TypeError
+      raise "--dn is required and must be a distinguished name"
+    rescue OpenSSL::X509::NameError => e
+      raise "--dn must specify a valid DN: #{e.message}"
+    end
+
+    raise "CA path is required" unless options.ca_path
+    raise "CA path must not already exist" if Dir.glob(options.ca_path).length > 0
+
+    say "#{'New CA DN'.cyan}: #{name.to_s}"
+    say ""
+
+    passphrase = ask("Enter new CA passphrase:  ") { |q| q.echo = false }
+    passphrase2 = ask("Re-enter new CA passphrase:  ") { |q| q.echo = false }
+    raise "passphrases do not match" unless passphrase == passphrase2
+
+    say "\n#{'Creating new CA'.cyan}: "
+    ChefSSL::Client::SigningAuthority.create(name, options.ca_path, passphrase)
+    say "done"
+  end
+end
+
+command :search do |c|
+  c.syntax = "chef-ssl search [options]"
+  c.description = "Searches for outstanding CSRs"
+  c.example "Search for all CSRs awaiting signing by CA bob",
+            "chef-ssl search --ca-name bob"
+
+  c.option "--ca-name=STRING", String, "a name of a CA to limit the search by"
+
+  c.action do |args, options|
+    client = ChefSSL::Client.new
+
+    say "#{'Search CA'.cyan}: #{options.ca_name}" if options.ca_name
+
+    client.ca_search(options.ca_name) do |req|
+      puts
+      say "#{'     Node Hostname'.cyan}: #{req.host}"
+      say "#{'  Certificate Type'.cyan}: #{req.type.bold}"
+      say "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
+      say "#{'      Requested CA'.cyan}: #{req.ca.bold}"
+      say "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
+      puts
+      say HighLine.color(req.to_pem, :bright_black)
+    end
+  end
+end
+
+command :sign do |c|
+  c.syntax = "chef-ssl sign [options]"
+  c.description = "Search for the given CSR by name and provide a signed certificate"
+  c.example "Provide signed cert for CSR www.venda.com",
+            "chef-ssl --name www.venda.com"
+
+  c.option "--name=STRING", String, "common name of the CSR to search for"
+
+  c.action do |args, options|
+
+    raise "--name is required" unless options.name
+
+    client = ChefSSL::Client.new
+
+    say "#{'Search name'.cyan}: #{options.name}"
+
+    client.common_name_search(options.name) do |req|
+      puts
+      say "#{'     Node Hostname'.cyan}: #{req.host}"
+      say "#{'  Certificate Type'.cyan}: #{req.type.bold}"
+      say "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
+      say "#{'      Requested CA'.cyan}: #{req.ca.bold}"
+      say "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
+      puts
+      say HighLine.color(req.to_pem, :bright_black)
+
+      cert = nil
+
+      HighLine.new.choose do |menu|
+        menu.layout = :one_line
+        menu.prompt = "Sign this? "
+
+        menu.choice :yes do
+          cert_text = ask("Paste cert text") do |q|
+            q.gather = ""
+          end
+          cert = req.issue_certificate(cert_text.join("\n"))
+        end
+        menu.choice :no do
+          nil
+        end
+      end
+
+      if cert
+        say "#{' Signed:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
+        say "#{'Subject:'.cyan} #{cert.subject}"
+        say "#{' Issuer:'.cyan} #{cert.issuer}"
+        say HighLine.color(cert.to_pem, :bright_black)
+
+        unless cert.subject == req.subject
+          say "#{'WARNING:'.red.bold} #{'Issued certificate DN does not match request DN!'.bold}"
+        end
+
+        HighLine.new.choose do |menu|
+          menu.layout = :one_line
+          menu.prompt = "Save certificate? "
+
+          menu.choice :yes do
+            begin
+              cert.save!
+              say "Saved OK"
+            rescue ChefSSL::Client::CertSaveFailed => e
+              say "Error saving: #{e.message}"
+            end
+          end
+          menu.choice :no do
+            nil
+          end
+        end
+      end
+    end
+  end
+end
+
+command :autosign do |c|
+  c.syntax = "chef-ssl autosign [options]"
+  c.description = "Search for CSRs and sign them with the given CA"
+  c.example "Sign with 'CA'",
+            "chef-ssl --ca-path CA --ca-name autoCA"
+
+  c.option "--ca-path=STRING", String, "the path to the signing CA"
+  c.option "--ca-name=STRING", String, "the name of the signing CA"
+
+  c.action do |args, options|
+
+    raise "--ca-path is required" unless options.ca_path
+    raise "--ca-name is required" unless options.ca_name
+
+    authority = ChefSSL::Client.load_authority(
+      :password => ask("Enter CA passphrase:  ") { |q| q.echo = false },
+      :path => options.ca_path
+    )
+
+    client = ChefSSL::Client.new
+
+    say "#{'Search CA'.cyan}: #{options.ca_name}"
+
+    client.ca_search(options.ca_name) do |req|
+      puts
+      say "#{'     Node Hostname'.cyan}: #{req.host}"
+      say "#{'  Certificate Type'.cyan}: #{req.type.bold}"
+      say "#{'    Certificate DN'.cyan}: #{req.subject.bold}"
+      say "#{'      Requested CA'.cyan}: #{req.ca.bold}"
+      say "#{'Requested Validity'.cyan}: #{req.days.to_s.bold} days"
+      puts
+      say HighLine.color(req.to_pem, :bright_black)
+
+      HighLine.new.choose do |menu|
+        menu.layout = :one_line
+        menu.prompt = "#{'Sign with'.cyan}: #{HighLine.color(authority.dn, :bold)}\nSign this? "
+
+        menu.choice :yes do
+          cert = authority.sign(req)
+          puts
+          say "#{'Signed:'.cyan} SHA1 Fingerprint=#{cert.sha1_fingerprint}"
+          say HighLine.color(cert.to_pem, :bright_black)
+          begin
+            cert.save!
+            say "Saved OK"
+          rescue ChefSSL::Client::CertSaveFailed => e
+            say "Error saving: #{e.message}"
+          end
+        end
+
+        menu.choice :no do
+          nil
+        end
+      end
+    end
+
+    say "All CSRs processed."
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: chef-ssl-client
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.4
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-07-23 00:00:00.000000000Z
+date: 2013-02-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef
-  requirement: &2161212560 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,43 +21,63 @@ dependencies:
         version: 0.10.0
   type: :runtime
   prerelease: false
-  version_requirements: *2161212560
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.10.0
 - !ruby/object:Gem::Dependency
   name: spice
-  requirement: &2161211920 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 1.0.4
   type: :runtime
   prerelease: false
-  version_requirements: *2161211920
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.4
 - !ruby/object:Gem::Dependency
   name: eassl2
-  requirement: &2161211200 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 2.0.1
   type: :runtime
   prerelease: false
-  version_requirements: *2161211200
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.0.1
 - !ruby/object:Gem::Dependency
   name: highline
-  requirement: &2161210300 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: 1.6.15
   type: :runtime
   prerelease: false
-  version_requirements: *2161210300
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.6.15
 - !ruby/object:Gem::Dependency
   name: commander
-  requirement: &2161209440 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +85,15 @@ dependencies:
         version: 4.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *2161209440
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 4.1.0
 - !ruby/object:Gem::Dependency
   name: multi_json
-  requirement: &2161208680 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +101,15 @@ dependencies:
         version: 1.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *2161208680
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &2161207640 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,10 +117,15 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *2161207640
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.1.0
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &2161206800 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -98,10 +133,15 @@ dependencies:
         version: 2.10.0
   type: :development
   prerelease: false
-  version_requirements: *2161206800
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.10.0
 - !ruby/object:Gem::Dependency
   name: flexmock
-  requirement: &2161205980 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -109,10 +149,15 @@ dependencies:
         version: 0.9.0
   type: :development
   prerelease: false
-  version_requirements: *2161205980
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.0
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &2161205520 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -120,10 +165,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2161205520
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &2161204960 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -131,7 +181,12 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2161204960
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A command-line client the ssl cookbook's signing requirements
 email: auto-ssl@venda.com
 executables:
@@ -145,10 +200,15 @@ files:
 - bin/chef-ssl
 - lib/chef-ssl/client/issued_certificate.rb
 - lib/chef-ssl/client/request.rb
+- lib/chef-ssl/client/request.rb~
 - lib/chef-ssl/client/signing_authority.rb
+- lib/chef-ssl/client/signing_authority.rb~
 - lib/chef-ssl/client/version.rb
+- lib/chef-ssl/client/version.rb~
 - lib/chef-ssl/client.rb
+- lib/chef-ssl/client.rb~
 - lib/chef-ssl/command.rb
+- lib/chef-ssl/command.rb~
 homepage: https://github.com/VendaTech/chef-cookbook-ssl
 licenses: []
 post_install_message: 
@@ -161,17 +221,22 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -1808698484037623876
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -1808698484037623876
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.6
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: A command-line client the ssl cookbook's signing requirements
 test_files: []
-has_rdoc: true