chef 14.15.6 → 18.1.0

data/lib/chef/resource/openssl_ec_public_key.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright 2018, Chef Software Inc.
+# Copyright:: Copyright (c) Chef Software Inc.
 # Author:: Julien Huon
 # License:: Apache License, Version 2.0
 #
@@ -16,46 +16,63 @@
 # limitations under the License.
 #
 
-require "chef/resource"
+require_relative "../resource"
 
 class Chef
   class Resource
     class OpensslEcPublicKey < Chef::Resource
-      require "chef/mixin/openssl_helper"
+      require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
-      preview_resource true
-      resource_name :openssl_ec_public_key
+      provides :openssl_ec_public_key
 
-      description "Use the openssl_ec_public_key resource to generate elliptic curve (EC) public key files from a given EC private key."
+      description "Use the **openssl_ec_public_key** resource to generate elliptic curve (EC) public key files from a given EC private key."
       introduced "14.4"
+      examples <<~DOC
+        **Generate new EC public key from a private key on disk**
+
+        ```ruby
+        openssl_ec_public_key '/etc/ssl_files/eckey_prime256v1_des3.pub' do
+          private_key_path '/etc/ssl_files/eckey_prime256v1_des3.pem'
+          private_key_pass 'something'
+          action :create
+        end
+        ```
+
+        **Generate new EC public key by passing in a private key**
+
+        ```ruby
+        openssl_ec_public_key '/etc/ssl_files/eckey_prime256v1_des3_2.pub' do
+          private_key_content "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEII2VAU9re44mAUzYPWCg+qqwdmP8CplsEg0b/DYPXLg2oAoGCCqGSM49\nAwEHoUQDQgAEKkpMCbIQ2C6Qlp/B+Odp1a9Y06Sm8yqPvCVIkWYP7M8PX5+RmoIv\njGBVf/+mVBx77ji3NpTilMUt2KPZ87lZ3w==\n-----END EC PRIVATE KEY-----\n"
+          action :create
+        end
+        ```
+      DOC
 
       property :path, String,
-               description: "An optional property for specifying the path to write the file to if it differs from the resource block's name.",
-               name_property: true
+        description: "An optional property for specifying the path to write the file to if it differs from the resource block's name.",
+        name_property: true
 
       property :private_key_path, String,
-               description: "The path to the private key file."
+        description: "The path to the private key file."
 
       property :private_key_content, String,
-               description: "The content of the private key including new lines. This property is used in place of private_key_path in instances where you want to avoid having to first write the private key to disk"
+        description: "The content of the private key including new lines. This property is used in place of private_key_path in instances where you want to avoid having to first write the private key to disk"
 
       property :private_key_pass, String,
-               description: "The passphrase of the provided private key."
+        description: "The passphrase of the provided private key."
 
-      property :owner, String,
-               description: "The owner applied to all files created by the resource."
+      property :owner, [String, Integer],
+        description: "The owner applied to all files created by the resource."
 
-      property :group, String,
-               description: "The group ownership applied to all files created by the resource."
+      property :group, [String, Integer],
+        description: "The group ownership applied to all files created by the resource."
 
       property :mode, [Integer, String],
-               description: "The permission mode applied to all files created by the resource.",
-               default: "0640"
-
-      action :create do
-        description "Generate the ec public key from a private key"
+        description: "The permission mode applied to all files created by the resource.",
+        default: "0640"
 
+      action :create, description: "Generate the EC public key file from a private key." do
         raise ArgumentError, "You cannot specify both 'private_key_path' and 'private_key_content' properties at the same time." if new_resource.private_key_path && new_resource.private_key_content
         raise ArgumentError, "You must specify the private key with either 'private_key_path' or 'private_key_content' properties." unless new_resource.private_key_path || new_resource.private_key_content
         raise "#{new_resource.private_key_path} not a valid private EC key or password is invalid" unless priv_key_file_valid?((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass)

data/lib/chef/resource/openssl_rsa_private_key.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright 2009-2018, Chef Software Inc.
+# Copyright:: Copyright (c) Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,57 +15,77 @@
 # limitations under the License.
 #
 
-require "chef/resource"
+require_relative "../resource"
 
 class Chef
   class Resource
     class OpensslRsaPrivateKey < Chef::Resource
-      require "chef/mixin/openssl_helper"
+      require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
-      resource_name :openssl_rsa_private_key
       provides(:openssl_rsa_private_key) { true }
       provides(:openssl_rsa_key) { true } # legacy cookbook resource name
 
-      description "Use the openssl_rsa_private_key resource to generate RSA private key files. If a valid RSA key file can be opened at the specified location, no new file will be created. If the RSA key file cannot be opened, either because it does not exist or because the password to the RSA key file does not match the password in the recipe, it will be overwritten."
+      description "Use the **openssl_rsa_private_key** resource to generate RSA private key files. If a valid RSA key file can be opened at the specified location, no new file will be created. If the RSA key file cannot be opened, either because it does not exist or because the password to the RSA key file does not match the password in the recipe, it will be overwritten."
       introduced "14.0"
+      examples <<~DOC
+        Generate new 2048bit key with the default des3 cipher
+
+        ```ruby
+        openssl_rsa_private_key '/etc/ssl_files/rsakey_des3.pem' do
+          key_length 2048
+          action :create
+        end
+        ```
+
+        Generate new 1024bit key with the aes-128-cbc cipher
+
+        ```ruby
+        openssl_rsa_private_key '/etc/ssl_files/rsakey_aes128cbc.pem' do
+          key_length 1024
+          key_cipher 'aes-128-cbc'
+          action :create
+        end
+        ```
+      DOC
 
       property :path, String,
-               description: "An optional property for specifying the path to write the file to if it differs from the resource block's name.",
-               name_property: true
+        description: "An optional property for specifying the path to write the file to if it differs from the resource block's name.",
+        name_property: true
 
       property :key_length, Integer,
-               equal_to: [1024, 2048, 4096, 8192],
-               validation_message: "key_length (bits) must be 1024, 2048, 4096, or 8192!",
-               description: "The desired bit length of the generated key.",
-               default: 2048
+        equal_to: [1024, 2048, 4096, 8192],
+        validation_message: "key_length (bits) must be 1024, 2048, 4096, or 8192!",
+        description: "The desired bit length of the generated key.",
+        default: 2048
 
       property :key_pass, String,
-               description: "The desired passphrase for the key."
+        description: "The desired passphrase for the key."
 
       property :key_cipher, String,
-               equal_to: OpenSSL::Cipher.ciphers,
-               validation_message: "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options.",
-               description: "The designed cipher to use when generating your key. Run `openssl list-cipher-algorithms` to see available options.",
-               default: "des3"
+        description: "The designed cipher to use when generating your key. Run `openssl list-cipher-algorithms` to see available options.",
+        default: lazy { "des3" },
+        default_description: "des3",
+        callbacks: {
+          "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options." =>
+            proc { |v| OpenSSL::Cipher.ciphers.include?(v) },
+        }
 
-      property :owner, String,
-               description: "The owner applied to all files created by the resource."
+      property :owner, [String, Integer],
+        description: "The owner applied to all files created by the resource."
 
-      property :group, String,
-               description: "The group ownership applied to all files created by the resource."
+      property :group, [String, Integer],
+        description: "The group ownership applied to all files created by the resource."
 
       property :mode, [Integer, String],
-               description: "The permission mode applied to all files created by the resource.",
-               default: "0600"
+        description: "The permission mode applied to all files created by the resource.",
+        default: "0600"
 
       property :force, [TrueClass, FalseClass],
-               description: "Force creation of the key even if the same key already exists on the node.",
-               default: false, desired_state: false
-
-      action :create do
-        description "Create the RSA private key."
+        description: "Force creation of the key even if the same key already exists on the node.",
+        default: false, desired_state: false
 
+      action :create, description: "Create the RSA private key file." do
         return if new_resource.force || priv_key_file_valid?(new_resource.path, new_resource.key_pass)
 
         converge_by("create #{new_resource.key_length} bit RSA key #{new_resource.path}") do

data/lib/chef/resource/openssl_rsa_public_key.rb

@@ -1,5 +1,5 @@
 #
-# Copyright:: Copyright 2009-2018, Chef Software Inc.
+# Copyright:: Copyright (c) Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,46 +15,65 @@
 # limitations under the License.
 #
 
-require "chef/resource"
+require_relative "../resource"
 
 class Chef
   class Resource
     class OpensslRsaPublicKey < Chef::Resource
-      require "chef/mixin/openssl_helper"
+      require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
-      resource_name :openssl_rsa_public_key
       provides(:openssl_rsa_public_key) { true }
 
-      description "Use the openssl_rsa_public_key resource to generate RSA public key files for a given RSA private key."
+      examples <<~DOC
+        Generate new public key from a private key on disk
+
+        ```ruby
+        openssl_rsa_public_key '/etc/ssl_files/rsakey_des3.pub' do
+          private_key_path '/etc/ssl_files/rsakey_des3.pem'
+          private_key_pass 'something'
+          action :create
+        end
+        ```
+
+        Generate new public key by passing in a private key
+
+        ```ruby
+        openssl_rsa_public_key '/etc/ssl_files/rsakey_2.pub' do
+          private_key_pass 'something'
+          private_key_content "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,5EE0AE9A5FE3342E\n\nyb930kj5/4/nd738dPx6XdbDrMCvqkldaz0rHNw8xsWvwARrl/QSPwROG3WY7ROl\nEUttVlLaeVaqRPfQbmTUfzGI8kTMmDWKjw52gJUx2YJTYRgMHAB0dzYIRjeZAaeS\nypXnEfouVav+jKTmmehr1WuVKbzRhQDBSalzeUwsPi2+fb3Bfuo1dRW6xt8yFuc4\nAkv1hCglymPzPHE2L0nSGjcgA2DZu+/S8/wZ4E63442NHPzO4VlLvpNvJrYpEWq9\nB5mJzcdXPeOTjqd13olNTlOZMaKxu9QShu50GreCTVsl8VRkK8NtwbWuPGBZlIFa\njzlS/RaLuzNzfajaKMkcIYco9t7gN2DwnsACHKqEYT8248Ii3NQ+9/M5YcmpywQj\nWGr0UFCSAdCky1lRjwT+zGQKohr+dVR1GaLem+rSZH94df4YBxDYw4rjsKoEhvXB\nv2Vlx+G7Vl2NFiZzxUKh3MvQLr/NDElpG1pYWDiE0DIG13UqEG++cS870mcEyfFh\nSF2SXYHLWyAhDK0viRDChJyFMduC4E7a2P9DJhL3ZvM0KZ1SLMwROc1XuZ704GwO\nYUqtCX5OOIsTti1Z74jQm9uWFikhgWByhVtu6sYL1YTqtiPJDMFhA560zp/k/qLO\nFKiM4eUWV8AI8AVwT6A4o45N2Ru8S48NQyvh/ADFNrgJbVSeDoYE23+DYKpzbaW9\n00BD/EmUQqaQMc670vmI+CIdcdE7L1zqD6MZN7wtPaRIjx4FJBGsFoeDShr+LoTD\nrwbadwrbc2Rf4DWlvFwLJ4pvNvdtY3wtBu79UCOol0+t8DVVSPVASsh+tp8XncDE\nKRljj88WwBjX7/YlRWvQpe5y2UrsHI0pNy8TA1Xkf6GPr6aS2TvQD5gOrAVReSse\n/kktCzZQotjmY1odvo90Zi6A9NCzkI4ZLgAuhiKDPhxZg61IeLppnfFw0v3H4331\nV9SMYgr1Ftov0++x7q9hFPIHwZp6NHHOhdHNI80XkHqtY/hEvsh7MhFMYCgSY1pa\nK/gMcZ/5Wdg9LwOK6nYRmtPtg6fuqj+jB3Rue5/p9dt4kfom4etCSeJPdvP1Mx2I\neNmyQ/7JN9N87FsfZsIj5OK9OB0fPdj0N0m1mlHM/mFt5UM5x39u13QkCt7skEF+\nyOptXcL629/xwm8eg4EXnKFk330WcYSw+sYmAQ9ZTsBxpCMkz0K4PBTPWWXx63XS\nc4J0r88kbCkMCNv41of8ceeGzFrC74dG7i3IUqZzMzRP8cFeps8auhweUHD2hULs\nXwwtII0YQ6/Fw4hgGQ5//0ASdvAicvH0l1jOQScHzXC2QWNg3GttueB/kmhMeGGm\nsHOJ1rXQ4oEckFvBHOvzjP3kuRHSWFYDx35RjWLAwLCG9odQUApHjLBgFNg9yOR0\njW9a2SGxRvBAfdjTa9ZBBrbjlaF57hq7mXws90P88RpAL+xxCAZUElqeW2Rb2rQ6\nCbz4/AtPekV1CYVodGkPutOsew2zjNqlNH+M8XzfonA60UAH20TEqAgLKwgfgr+a\nc+rXp1AupBxat4EHYJiwXBB9XcVwyp5Z+/dXsYmLXzoMOnp8OFyQ9H8R7y9Y0PEu\n-----END RSA PRIVATE KEY-----\n"
+          action :create
+        end
+        ```
+      DOC
+
+      description "Use the **openssl_rsa_public_key** resource to generate RSA public key files for a given RSA private key."
       introduced "14.0"
 
       property :path, String,
-               description: "An optional property for specifying the path to the public key if it differs from the resource block's name.",
-               name_property: true
+        description: "An optional property for specifying the path to the public key if it differs from the resource block's name.",
+        name_property: true
 
       property :private_key_path, String,
-               description: "The path to the private key file."
+        description: "The path to the private key file."
 
       property :private_key_content, String,
-               description: "The content of the private key, including new lines. This property is used in place of private_key_path in instances where you want to avoid having to first write the private key to disk."
+        description: "The content of the private key, including new lines. This property is used in place of private_key_path in instances where you want to avoid having to first write the private key to disk."
 
       property :private_key_pass, String,
-               description: "The passphrase of the provided private key."
+        description: "The passphrase of the provided private key."
 
-      property :owner, String,
-               description: "The owner applied to all files created by the resource."
+      property :owner, [String, Integer],
+        description: "The owner applied to all files created by the resource."
 
-      property :group, String,
-               description: "The group ownership applied to all files created by the resource."
+      property :group, [String, Integer],
+        description: "The group ownership applied to all files created by the resource."
 
       property :mode, [Integer, String],
-               description: "The permission mode applied to all files created by the resource.",
-               default: "0640"
-
-      action :create do
-        description "Create the RSA public key."
+        description: "The permission mode applied to all files created by the resource.",
+        default: "0640"
 
+      action :create, description: "Create the RSA public key file." do
         raise ArgumentError, "You cannot specify both 'private_key_path' and 'private_key_content' properties at the same time." if new_resource.private_key_path && new_resource.private_key_content
         raise ArgumentError, "You must specify the private key with either 'private_key_path' or 'private_key_content' properties." unless new_resource.private_key_path || new_resource.private_key_content
         raise "#{new_resource.private_key_path} not a valid private RSA key or password is invalid" unless priv_key_file_valid?((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass)

data/lib/chef/resource/openssl_x509_certificate.rb

@@ -1,7 +1,7 @@
 #
 # License:: Apache License, Version 2.0
 # Author:: Julien Huon
-# Copyright:: Copyright 2018, Chef Software Inc.
+# Copyright:: Copyright (c) Chef Software Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,177 +16,219 @@
 # limitations under the License.
 #
 
-require "chef/resource"
+require_relative "../resource"
 
 class Chef
   class Resource
     class OpensslX509Certificate < Chef::Resource
-      require "chef/mixin/openssl_helper"
+      require_relative "../mixin/openssl_helper"
       include Chef::Mixin::OpenSSLHelper
 
-      preview_resource true
-      resource_name :openssl_x509_certificate
+      provides :openssl_x509_certificate
       provides(:openssl_x509) { true } # legacy cookbook name.
 
-      description "Use the openssl_x509_certificate resource to generate signed or self-signed, PEM-formatted x509 certificates. If no existing key is specified, the resource will automatically generate a passwordless key with the certificate. If a CA private key and certificate are provided, the certificate will be signed with them. Note: This resource was renamed from openssl_x509 to openssl_x509_certificate. The legacy name will continue to function, but cookbook code should be updated for the new resource name."
+      description "Use the **openssl_x509_certificate** resource to generate signed or self-signed, PEM-formatted x509 certificates. If no existing key is specified, the resource will automatically generate a passwordless key with the certificate. If a CA private key and certificate are provided, the certificate will be signed with them. Note: This resource was renamed from openssl_x509 to openssl_x509_certificate. The legacy name will continue to function, but cookbook code should be updated for the new resource name."
       introduced "14.4"
+      examples <<~DOC
+        Create a simple self-signed certificate file
+
+        ```ruby
+        openssl_x509_certificate '/etc/httpd/ssl/mycert.pem' do
+          common_name 'www.f00bar.com'
+          org 'Foo Bar'
+          org_unit 'Lab'
+          country 'US'
+        end
+        ```
+
+        Create a certificate using additional options
+
+        ```ruby
+        openssl_x509_certificate '/etc/ssl_files/my_signed_cert.crt' do
+          common_name 'www.f00bar.com'
+          ca_key_file '/etc/ssl_files/my_ca.key'
+          ca_cert_file '/etc/ssl_files/my_ca.crt'
+          expire 365
+          extensions(
+            'keyUsage' => {
+              'values' => %w(
+                keyEncipherment
+                digitalSignature),
+              'critical' => true,
+            },
+            'extendedKeyUsage' => {
+              'values' => %w(serverAuth),
+              'critical' => false,
+            }
+          )
+          subject_alt_name ['IP:127.0.0.1', 'DNS:localhost.localdomain']
+        end
+        ```
+      DOC
 
       property :path, String,
-               description: "An optional property for specifying the path to write the file to if it differs from the resource block's name.",
-               name_property: true
+        description: "An optional property for specifying the path to write the file to if it differs from the resource block's name.",
+        name_property: true
 
-      property :owner, String,
-               description: "The owner applied to all files created by the resource."
+      property :owner, [String, Integer],
+        description: "The owner applied to all files created by the resource."
 
-      property :group, String,
-               description: "The group ownership applied to all files created by the resource."
+      property :group, [String, Integer],
+        description: "The group ownership applied to all files created by the resource."
 
       property :expire, Integer,
-               description: "Value representing the number of days from now through which the issued certificate cert will remain valid. The certificate will expire after this period.",
-               default: 365
+        description: "Value representing the number of days from now through which the issued certificate cert will remain valid. The certificate will expire after this period.",
+        default: 365
 
       property :mode, [Integer, String],
-               description: "The permission mode applied to all files created by the resource."
+        description: "The permission mode applied to all files created by the resource."
 
       property :country, String,
-               description: "Value for the C certificate field."
+        description: "Value for the `C` certificate field."
 
       property :state, String,
-               description: "Value for the ST certificate field."
+        description: "Value for the `ST` certificate field."
 
       property :city, String,
-               description: "Value for the L certificate field."
+        description: "Value for the `L` certificate field."
 
       property :org, String,
-               description: "Value for the O certificate field."
+        description: "Value for the `O` certificate field."
 
       property :org_unit, String,
-               description: "Value for the OU certificate field."
+        description: "Value for the `OU` certificate field."
 
       property :common_name, String,
-               description: "Value for the CN certificate field."
+        description: "Value for the `CN` certificate field."
 
       property :email, String,
-               description: "Value for the email certificate field."
+        description: "Value for the `email` certificate field."
 
       property :extensions, Hash,
-               description: "Hash of X509 Extensions entries, in format { 'keyUsage' => { 'values' => %w( keyEncipherment digitalSignature), 'critical' => true } }.",
-               default: lazy { Hash.new }
+        description: "Hash of X509 Extensions entries, in format `{ 'keyUsage' => { 'values' => %w( keyEncipherment digitalSignature), 'critical' => true } }`.",
+        default: {}
 
       property :subject_alt_name, Array,
-               description: "Array of Subject Alternative Name entries, in format DNS:example.com or IP:1.2.3.4.",
-               default: lazy { [] }
+        description: "Array of Subject Alternative Name entries, in format `DNS:example.com` or `IP:1.2.3.4`.",
+        default: []
 
       property :key_file, String,
-               description: "The path to a certificate key file on the filesystem. If the key_file property is specified, the resource will attempt to source a key from this location. If no key file is found, the resource will generate a new key file at this location. If the key_file property is not specified, the resource will generate a key file in the same directory as the generated certificate, with the same name as the generated certificate."
+        description: "The path to a certificate key file on the filesystem. If the key_file property is specified, the resource will attempt to source a key from this location. If no key file is found, the resource will generate a new key file at this location. If the key_file property is not specified, the resource will generate a key file in the same directory as the generated certificate, with the same name as the generated certificate."
 
       property :key_pass, String,
-               description: "The passphrase for an existing key's passphrase."
+        description: "The passphrase for an existing key's passphrase."
 
       property :key_type, String,
-               equal_to: %w{rsa ec},
-               description: "The desired type of the generated key (rsa or ec).",
-               default: "rsa"
+        equal_to: %w{rsa ec},
+        description: "The desired type of the generated key.",
+        default: "rsa"
 
       property :key_length, Integer,
-               equal_to: [1024, 2048, 4096, 8192],
-               description: "The desired bit length of the generated key (if key_type is equal to 'rsa').",
-               default: 2048
+        equal_to: [1024, 2048, 4096, 8192],
+        description: "The desired bit length of the generated key (if key_type is equal to 'rsa').",
+        default: 2048
 
       property :key_curve, String,
-               description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run openssl ecparam -list_curves to see available options.",
-               equal_to: %w{secp384r1 secp521r1 prime256v1},
-               default: "prime256v1"
+        description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run `openssl ecparam -list_curves` to see available options.",
+        equal_to: %w{secp384r1 secp521r1 prime256v1},
+        default: "prime256v1"
 
       property :csr_file, String,
-               description: "The path to a X509 Certificate Request (CSR) on the filesystem. If the csr_file property is specified, the resource will attempt to source a CSR from this location. If no CSR file is found, the resource will generate a Self-Signed Certificate and the certificate fields must be specified (common_name at last)."
+        description: "The path to a X509 Certificate Request (CSR) on the filesystem. If the `csr_file` property is specified, the resource will attempt to source a CSR from this location. If no CSR file is found, the resource will generate a Self-Signed Certificate and the certificate fields must be specified (common_name at last)."
 
       property :ca_cert_file, String,
-               description: "The path to the CA X509 Certificate on the filesystem. If the ca_cert_file property is specified, the ca_key_file property must also be specified, the certificate will be signed with them."
+        description: "The path to the CA X509 Certificate on the filesystem. If the `ca_cert_file` property is specified, the `ca_key_file` property must also be specified, the certificate will be signed with them."
 
       property :ca_key_file, String,
-               description: "The path to the CA private key on the filesystem. If the ca_key_file property is specified, the 'ca_cert_file' property must also be specified, the certificate will be signed with them."
+        description: "The path to the CA private key on the filesystem. If the `ca_key_file` property is specified, the `ca_cert_file` property must also be specified, the certificate will be signed with them."
 
       property :ca_key_pass, String,
-               description: "The passphrase for CA private key's passphrase."
-
-      action :create do
-        description "Generate a certificate"
-
-        unless ::File.exist? new_resource.path
-          converge_by("Create #{@new_resource}") do
-            file new_resource.path do
-              action :create_if_missing
-              owner new_resource.owner unless new_resource.owner.nil?
-              group new_resource.group unless new_resource.group.nil?
-              mode new_resource.mode unless new_resource.mode.nil?
-              sensitive true
-              content cert.to_pem
-            end
+        description: "The passphrase for CA private key's passphrase."
+
+      property :renew_before_expiry, Integer,
+        description: "The number of days before the expiry. The certificate will be automatically renewed when the value is reached.",
+        introduced: "15.7"
+
+      action :create, description: "Generate a certificate file." do
+        file new_resource.path do
+          action :create_if_missing
+          owner new_resource.owner unless new_resource.owner.nil?
+          group new_resource.group unless new_resource.group.nil?
+          mode new_resource.mode unless new_resource.mode.nil?
+          content cert.to_pem
+        end
 
-            if new_resource.csr_file.nil?
-              file new_resource.key_file do
-                action :create_if_missing
-                owner new_resource.owner unless new_resource.owner.nil?
-                group new_resource.group unless new_resource.group.nil?
-                mode new_resource.mode unless new_resource.mode.nil?
-                sensitive true
-                content key.to_pem
-              end
-            end
+        if !new_resource.renew_before_expiry.nil? && cert_need_renewal?(new_resource.path, new_resource.renew_before_expiry)
+          file new_resource.path do
+            action :create
+            owner new_resource.owner unless new_resource.owner.nil?
+            group new_resource.group unless new_resource.group.nil?
+            mode new_resource.mode unless new_resource.mode.nil?
+            sensitive true
+            content cert.to_pem
+          end
+        end
+
+        if new_resource.csr_file.nil?
+          file key_file do
+            action :create_if_missing
+            owner new_resource.owner unless new_resource.owner.nil?
+            group new_resource.group unless new_resource.group.nil?
+            mode new_resource.mode unless new_resource.mode.nil?
+            sensitive true
+            content key.to_pem
           end
         end
       end
 
       action_class do
-        def generate_key_file
-          unless new_resource.key_file
-            path, file = ::File.split(new_resource.path)
-            filename = ::File.basename(file, ::File.extname(file))
-            new_resource.key_file path + "/" + filename + ".key"
-          end
-          new_resource.key_file
+        def key_file
+          @key_file ||=
+            if new_resource.key_file
+              new_resource.key_file
+            else
+              path, file = ::File.split(new_resource.path)
+              filename = ::File.basename(file, ::File.extname(file))
+              path + "/" + filename + ".key"
+            end
         end
 
         def key
-          @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass)
-                     OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass
+          @key ||= if priv_key_file_valid?(key_file, new_resource.key_pass)
+                     OpenSSL::PKey.read ::File.read(key_file), new_resource.key_pass
                    elsif new_resource.key_type == "rsa"
                      gen_rsa_priv_key(new_resource.key_length)
                    else
                      gen_ec_priv_key(new_resource.key_curve)
                    end
-          @key
         end
 
         def request
-          request = if new_resource.csr_file.nil?
-                      gen_x509_request(subject, key)
-                    else
-                      OpenSSL::X509::Request.new ::File.read(new_resource.csr_file)
-                    end
-          request
+          if new_resource.csr_file.nil?
+            gen_x509_request(subject, key)
+          else
+            OpenSSL::X509::Request.new ::File.read(new_resource.csr_file)
+          end
         end
 
         def subject
-          subject = OpenSSL::X509::Name.new()
-          subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
-          subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
-          subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
-          subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
-          subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
-          subject.add_entry("CN", new_resource.common_name)
-          subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
-          subject
+          OpenSSL::X509::Name.new.tap do |csr_subject|
+            csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil?
+            csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil?
+            csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil?
+            csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil?
+            csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil?
+            csr_subject.add_entry("CN", new_resource.common_name)
+            csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil?
+          end
         end
 
         def ca_private_key
-          ca_private_key = if new_resource.csr_file.nil?
-                             key
-                           else
-                             OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
-                           end
-          ca_private_key
+          if new_resource.ca_key_file.nil?
+            key
+          else
+            OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
+          end
         end
 
         def ca_info
@@ -212,8 +254,7 @@ class Chef
         end
 
         def cert
-          cert = gen_x509_cert(request, extensions, ca_info, ca_private_key)
-          cert
+          gen_x509_cert(request, extensions, ca_info, ca_private_key)
         end
       end
     end