puppet 2.6.18 → 2.7.1

data/lib/puppet/ssl/base.rb

@@ -5,9 +5,6 @@ class Puppet::SSL::Base
   # For now, use the YAML separator.
   SEPARATOR = "\n---\n"
 
-  # Only allow printing ascii characters, excluding /
-  VALID_CERTNAME = /\A[ -.0-~]+\Z/
-
   def self.from_multiple_s(text)
     text.split(SEPARATOR).collect { |inst| from_s(inst) }
   end
@@ -25,10 +22,6 @@ class Puppet::SSL::Base
     @wrapped_class
   end
 
-  def self.validate_certname(name)
-    raise "Certname #{name.inspect} must not contain unprintable or non-ASCII characters" unless name =~ VALID_CERTNAME
-  end
-
   attr_accessor :name, :content
 
   # Is this file for the CA?
@@ -42,7 +35,6 @@ class Puppet::SSL::Base
 
   def initialize(name)
     @name = name.to_s.downcase
-    self.class.validate_certname(@name)
   end
 
   # Read content from disk appropriately.

data/lib/puppet/ssl/certificate.rb

@@ -27,12 +27,6 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
     [:s]
   end
 
-  def subject_alt_names
-    alts = content.extensions.find{|ext| ext.oid == "subjectAltName"}
-    return [] unless alts
-    alts.value.split(/\s*,\s*/)
-  end
-
   def expiration
     return nil unless content
     content.not_after

data/lib/puppet/ssl/certificate_authority.rb

@@ -11,15 +11,6 @@ require 'puppet/util/cacher'
 # it can also be seen as a general interface into all of the
 # SSL stuff.
 class Puppet::SSL::CertificateAuthority
-  # We will only sign extensions on this whitelist, ever.  Any CSR with a
-  # requested extension that we don't recognize is rejected, against the risk
-  # that it will introduce some security issue through our ignorance of it.
-  #
-  # Adding an extension to this whitelist simply means we will consider it
-  # further, not that we will always accept a certificate with an extension
-  # requested on this list.
-  RequestExtensionWhitelist = %w{subjectAltName}
-
   require 'puppet/ssl/certificate_factory'
   require 'puppet/ssl/inventory'
   require 'puppet/ssl/certificate_revocation_list'
@@ -34,14 +25,6 @@ class Puppet::SSL::CertificateAuthority
     end
   end
 
-  class CertificateSigningError < RuntimeError
-    attr_accessor :host
-
-    def initialize(host)
-      @host = host
-    end
-  end
-
   class << self
     include Puppet::Util::Cacher
 
@@ -69,6 +52,7 @@ class Puppet::SSL::CertificateAuthority
   def apply(method, options)
     raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all" unless options[:to]
     applier = Interface.new(method, options)
+
     applier.apply(self)
   end
 
@@ -79,7 +63,7 @@ class Puppet::SSL::CertificateAuthority
     store = nil
     store = autosign_store(auto) if auto != true
 
-    Puppet::SSL::CertificateRequest.search("*").each do |csr|
+    Puppet::SSL::CertificateRequest.indirection.search("*").each do |csr|
       sign(csr.name) if auto == true or store.allowed?(csr.name, "127.1.1.1")
     end
   end
@@ -109,10 +93,10 @@ class Puppet::SSL::CertificateAuthority
   # Retrieve (or create, if necessary) the certificate revocation list.
   def crl
     unless defined?(@crl)
-      unless @crl = Puppet::SSL::CertificateRevocationList.find(Puppet::SSL::CA_NAME)
+      unless @crl = Puppet::SSL::CertificateRevocationList.indirection.find(Puppet::SSL::CA_NAME)
         @crl = Puppet::SSL::CertificateRevocationList.new(Puppet::SSL::CA_NAME)
         @crl.generate(host.certificate.content, host.key.content)
-        @crl.save
+        Puppet::SSL::CertificateRevocationList.indirection.save(@crl)
       end
     end
     @crl
@@ -124,15 +108,13 @@ class Puppet::SSL::CertificateAuthority
   end
 
   # Generate a new certificate.
-  def generate(name, options = {})
-    raise ArgumentError, "A Certificate already exists for #{name}" if Puppet::SSL::Certificate.find(name)
+  def generate(name)
+    raise ArgumentError, "A Certificate already exists for #{name}" if Puppet::SSL::Certificate.indirection.find(name)
+    host = Puppet::SSL::Host.new(name)
 
-    # Pass on any requested subjectAltName field.
-    san = options[:dns_alt_names]
+    host.generate_certificate_request
 
-    host = Puppet::SSL::Host.new(name)
-    host.generate_certificate_request(:dns_alt_names => san)
-    sign(name, !!san)
+    sign(name)
   end
 
   # Generate our CA certificate.
@@ -141,16 +123,14 @@ class Puppet::SSL::CertificateAuthority
 
     host.generate_key unless host.key
 
-    # Create a new cert request.  We do this specially, because we don't want
-    # to actually save the request anywhere.
+    # Create a new cert request.  We do this
+    # specially, because we don't want to actually
+    # save the request anywhere.
     request = Puppet::SSL::CertificateRequest.new(host.name)
-
-    # We deliberately do not put any subjectAltName in here: the CA
-    # certificate absolutely does not need them. --daniel 2011-10-13
     request.generate(host.key)
 
     # Create a self-signed certificate.
-    @certificate = sign(host.name, false, request)
+    @certificate = sign(host.name, :ca, request)
 
     # And make sure we initialize our CRL.
     crl
@@ -189,7 +169,7 @@ class Puppet::SSL::CertificateAuthority
 
   # List all signed certificates.
   def list
-    Puppet::SSL::Certificate.search("*").collect { |c| c.name }
+    Puppet::SSL::Certificate.indirection.search("*").collect { |c| c.name }
   end
 
   # Read the next serial from the serial file, and increment the
@@ -219,14 +199,14 @@ class Puppet::SSL::CertificateAuthority
 
   # Print a given host's certificate as text.
   def print(name)
-    (cert = Puppet::SSL::Certificate.find(name)) ? cert.to_text : nil
+    (cert = Puppet::SSL::Certificate.indirection.find(name)) ? cert.to_text : nil
   end
 
   # Revoke a given certificate.
   def revoke(name)
     raise ArgumentError, "Cannot revoke certificates when the CRL is disabled" unless crl
 
-    if cert = Puppet::SSL::Certificate.find(name)
+    if cert = Puppet::SSL::Certificate.indirection.find(name)
       serial = cert.content.serial
     elsif ! serial = inventory.serial(name)
       raise ArgumentError, "Could not find a serial number for #{name}"
@@ -243,34 +223,20 @@ class Puppet::SSL::CertificateAuthority
   end
 
   # Sign a given certificate request.
-  def sign(hostname, allow_dns_alt_names = false, self_signing_csr = nil)
+  def sign(hostname, cert_type = :server, self_signing_csr = nil)
     # This is a self-signed certificate
     if self_signing_csr
-      # # This is a self-signed certificate, which is for the CA.  Since this
-      # # forces the certificate to be self-signed, anyone who manages to trick
-      # # the system into going through this path gets a certificate they could
-      # # generate anyway.  There should be no security risk from that.
       csr = self_signing_csr
-      cert_type = :ca
       issuer = csr.content
     else
-      allow_dns_alt_names = true if hostname == Puppet[:certname].downcase
-      unless csr = Puppet::SSL::CertificateRequest.find(hostname)
+      unless csr = Puppet::SSL::CertificateRequest.indirection.find(hostname)
         raise ArgumentError, "Could not find certificate request for #{hostname}"
       end
-
-      cert_type = :server
       issuer = host.certificate.content
-
-      # Make sure that the CSR conforms to our internal signing policies.
-      # This will raise if the CSR doesn't conform, but just in case...
-      check_internal_signing_policies(hostname, csr, allow_dns_alt_names) or
-        raise CertificateSigningError.new(hostname), "CSR had an unknown failure checking internal signing policies, will not sign!"
     end
 
     cert = Puppet::SSL::Certificate.new(hostname)
-    cert.content = Puppet::SSL::CertificateFactory.
-      build(cert_type, csr, issuer, next_serial)
+    cert.content = Puppet::SSL::CertificateFactory.new(cert_type, csr.content, issuer, next_serial).result
     cert.content.sign(host.key.content, OpenSSL::Digest::SHA1.new)
 
     Puppet.notice "Signed certificate request for #{hostname}"
@@ -282,68 +248,17 @@ class Puppet::SSL::CertificateAuthority
 
     # Save the now-signed cert.  This should get routed correctly depending
     # on the certificate type.
-    cert.save
+    Puppet::SSL::Certificate.indirection.save(cert)
 
     # And remove the CSR if this wasn't self signed.
-    Puppet::SSL::CertificateRequest.destroy(csr.name) unless self_signing_csr
+    Puppet::SSL::CertificateRequest.indirection.destroy(csr.name) unless self_signing_csr
 
     cert
   end
 
-  def check_internal_signing_policies(hostname, csr, allow_dns_alt_names)
-    # Reject unknown request extensions.
-    unknown_req = csr.request_extensions.
-      reject {|x| RequestExtensionWhitelist.include? x["oid"] }
-
-    if unknown_req and not unknown_req.empty?
-      names = unknown_req.map {|x| x["oid"] }.sort.uniq.join(", ")
-      raise CertificateSigningError.new(hostname), "CSR has request extensions that are not permitted: #{names}"
-    end
-
-    # Do not sign misleading CSRs
-    cn = csr.content.subject.to_a.assoc("CN")[1]
-    if hostname != cn
-      raise CertificateSigningError.new(hostname), "CSR subject common name #{cn.inspect} does not match expected certname #{hostname.inspect}"
-    end
-
-    if hostname !~ Puppet::SSL::Base::VALID_CERTNAME
-      raise CertificateSigningError.new(hostname), "CSR #{hostname.inspect} subject contains unprintable or non-ASCII characters"
-    end
-
-    # Wildcards: we don't allow 'em at any point.
-    #
-    # The stringification here makes the content visible, and saves us having
-    # to scrobble through the content of the CSR subject field to make sure it
-    # is what we expect where we expect it.
-    if csr.content.subject.to_s.include? '*'
-      raise CertificateSigningError.new(hostname), "CSR subject contains a wildcard, which is not allowed: #{csr.content.subject.to_s}"
-    end
-
-    unless csr.subject_alt_names.empty?
-      # If you alt names are allowed, they are required. Otherwise they are
-      # disallowed. Self-signed certs are implicitly trusted, however.
-      unless allow_dns_alt_names
-        raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains subject alternative names (#{csr.subject_alt_names.join(', ')}), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{csr.name}` to sign this request."
-      end
-
-      # If subjectAltNames are present, validate that they are only for DNS
-      # labels, not any other kind.
-      unless csr.subject_alt_names.all? {|x| x =~ /^DNS:/ }
-        raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains a subjectAltName outside the DNS label space: #{csr.subject_alt_names.join(', ')}.  To continue, this CSR needs to be cleaned."
-      end
-
-      # Check for wildcards in the subjectAltName fields too.
-      if csr.subject_alt_names.any? {|x| x.include? '*' }
-        raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' subjectAltName contains a wildcard, which is not allowed: #{csr.subject_alt_names.join(', ')}  To continue, this CSR needs to be cleaned."
-      end
-    end
-
-    return true                 # good enough for us!
-  end
-
   # Verify a given host's certificate.
   def verify(name)
-    unless cert = Puppet::SSL::Certificate.find(name)
+    unless cert = Puppet::SSL::Certificate.indirection.find(name)
       raise ArgumentError, "Could not find a certificate for #{name}"
     end
     store = OpenSSL::X509::Store.new
@@ -356,7 +271,7 @@ class Puppet::SSL::CertificateAuthority
   end
 
   def fingerprint(name, md = :MD5)
-    unless cert = Puppet::SSL::Certificate.find(name) || Puppet::SSL::CertificateRequest.find(name)
+    unless cert = Puppet::SSL::Certificate.indirection.find(name) || Puppet::SSL::CertificateRequest.indirection.find(name)
       raise ArgumentError, "Could not find a certificate or csr for #{name}"
     end
     cert.fingerprint(md)
@@ -364,6 +279,6 @@ class Puppet::SSL::CertificateAuthority
 
   # List the waiting certificate requests.
   def waiting?
-    Puppet::SSL::CertificateRequest.search("*").collect { |r| r.name }
+    Puppet::SSL::CertificateRequest.indirection.search("*").collect { |r| r.name }
   end
 end

data/lib/puppet/ssl/certificate_authority/interface.rb

@@ -9,7 +9,7 @@ module Puppet
 
         class InterfaceError < ArgumentError; end
 
-        attr_reader :method, :subjects, :digest, :options
+        attr_reader :method, :subjects, :digest
 
         # Actually perform the work.
         def apply(ca)
@@ -35,96 +35,49 @@ module Puppet
           raise InterfaceError, "It makes no sense to generate all hosts; you must specify a list" if subjects == :all
 
           subjects.each do |host|
-            ca.generate(host, options)
+            ca.generate(host)
           end
         end
 
         def initialize(method, options)
           self.method = method
-          self.subjects = options.delete(:to)
-          @digest = options.delete(:digest) || :MD5
-          @options = options
+          self.subjects = options[:to]
+          @digest = options[:digest] || :MD5
         end
 
         # List the hosts.
         def list(ca)
+          unless subjects
+            puts ca.waiting?.join("\n")
+            return nil
+          end
+
           signed = ca.list
           requests = ca.waiting?
 
-          case subjects
-          when :all
+          if subjects == :all
             hosts = [signed, requests].flatten
-          when :signed
+          elsif subjects == :signed
             hosts = signed.flatten
-          when nil
-            hosts = requests
           else
             hosts = subjects
           end
 
-          certs = {:signed => {}, :invalid => {}, :request => {}}
-
-          return if hosts.empty?
-
           hosts.uniq.sort.each do |host|
+            invalid = false
             begin
               ca.verify(host) unless requests.include?(host)
             rescue Puppet::SSL::CertificateAuthority::CertificateVerificationError => details
-              verify_error = details.to_s
+              invalid = details.to_s
             end
-
-            if verify_error
-              cert = Puppet::SSL::Certificate.indirection.find(host)
-              certs[:invalid][host] = [cert, verify_error]
-            elsif signed.include?(host)
-              cert = Puppet::SSL::Certificate.indirection.find(host)
-              certs[:signed][host] = cert
+            if not invalid and signed.include?(host)
+              puts "+ #{host} (#{ca.fingerprint(host, @digest)})"
+            elsif invalid
+              puts "- #{host} (#{ca.fingerprint(host, @digest)}) (#{invalid})"
             else
-              req = Puppet::SSL::CertificateRequest.indirection.find(host)
-              certs[:request][host] = req
+              puts "#{host} (#{ca.fingerprint(host, @digest)})"
             end
           end
-
-          names = certs.values.map(&:keys).flatten
-
-          name_width = names.sort_by(&:length).last.length rescue 0
-          # We quote these names, so account for those characters
-          name_width += 2
-
-          output = [:request, :signed, :invalid].map do |type|
-            next if certs[type].empty?
-
-            certs[type].map do |host,info|
-              format_host(ca, host, type, info, name_width)
-            end
-          end.flatten.compact.sort.join("\n")
-
-          puts output
-        end
-
-        def format_host(ca, host, type, info, width)
-          certish, verify_error = info
-          alt_names = case type
-                      when :signed
-                        certish.subject_alt_names
-                      when :request
-                        certish.subject_alt_names
-                      else
-                        []
-                      end
-
-          alt_names.delete(host)
-
-          alt_str = "(alt names: #{alt_names.map(&:inspect).join(', ')})" unless alt_names.empty?
-
-          glyph = {:signed => '+', :request => ' ', :invalid => '-'}[type]
-
-          name = host.inspect.ljust(width)
-          fingerprint = "(#{ca.fingerprint(host, @digest)})"
-
-          explanation = "(#{verify_error})" if verify_error
-
-          [glyph, name, fingerprint, alt_str, explanation].compact.join(' ')
         end
 
         # Set the method to apply.
@@ -160,7 +113,7 @@ module Puppet
           list = subjects == :all ? ca.waiting? : subjects
           raise InterfaceError, "No waiting certificate requests to sign" if list.empty?
           list.each do |host|
-            ca.sign(host, options[:allow_dns_alt_names])
+            ca.sign(host)
           end
         end
 

data/lib/puppet/ssl/certificate_factory.rb

@@ -2,7 +2,7 @@ require 'puppet/ssl'
 
 # The tedious class that does all the manipulations to the
 # certificate to correctly sign it.  Yay.
-module Puppet::SSL::CertificateFactory
+class Puppet::SSL::CertificateFactory
   # How we convert from various units to the required seconds.
   UNITMAP = {
     "y" => 365 * 24 * 60 * 60,
@@ -11,84 +11,75 @@ module Puppet::SSL::CertificateFactory
     "s" => 1
   }
 
-  def self.build(cert_type, csr, issuer, serial)
-    # Work out if we can even build the requested type of certificate.
-    build_extensions = "build_#{cert_type.to_s}_extensions"
-    respond_to?(build_extensions) or
-      raise ArgumentError, "#{cert_type.to_s} is an invalid certificate type!"
+  attr_reader :name, :cert_type, :csr, :issuer, :serial
 
-    # set up the certificate, and start building the content.
-    cert = OpenSSL::X509::Certificate.new
+  def initialize(cert_type, csr, issuer, serial)
+    @cert_type, @csr, @issuer, @serial = cert_type, csr, issuer, serial
 
-    cert.version    = 2 # X509v3
-    cert.subject    = csr.content.subject
-    cert.issuer     = issuer.subject
-    cert.public_key = csr.content.public_key
-    cert.serial     = serial
+    @name = @csr.subject
+  end
+
+  # Actually generate our certificate.
+  def result
+    @cert = OpenSSL::X509::Certificate.new
 
-    # Make the certificate valid as of yesterday, because so many people's
-    # clocks are out of sync.  This gives one more day of validity than people
-    # might expect, but is better than making every person who has a messed up
-    # clock fail, and better than having every cert we generate expire a day
-    # before the user expected it to when they asked for "one year".
-    cert.not_before = Time.now - (60*60*24)
-    cert.not_after  = Time.now + ttl
+    @cert.version = 2 # X509v3
+    @cert.subject = @csr.subject
+    @cert.issuer = @issuer.subject
+    @cert.public_key = @csr.public_key
+    @cert.serial = @serial
 
-    add_extensions_to(cert, csr, issuer, send(build_extensions))
+    build_extensions
 
-    return cert
+    set_ttl
+
+    @cert
   end
 
   private
 
-  def self.add_extensions_to(cert, csr, issuer, extensions)
-    ef = OpenSSL::X509::ExtensionFactory.
-      new(cert, issuer.is_a?(OpenSSL::X509::Request) ? cert : issuer)
+  # This is pretty ugly, but I'm not really sure it's even possible to do
+  # it any other way.
+  def build_extensions
+    @ef = OpenSSL::X509::ExtensionFactory.new
+
+    @ef.subject_certificate = @cert
 
-    # Extract the requested extensions from the CSR.
-    requested_exts = csr.request_extensions.inject({}) do |hash, re|
-      hash[re["oid"]] = [re["value"], re["critical"]]
-      hash
+    if @issuer.is_a?(OpenSSL::X509::Request) # It's a self-signed cert
+      @ef.issuer_certificate = @cert
+    else
+      @ef.issuer_certificate = @issuer
     end
 
-    # Produce our final set of extensions.  We deliberately order these to
-    # build the way we want:
-    # 1. "safe" default values, like the comment, that no one cares about.
-    # 2. request extensions, from the CSR
-    # 3. extensions based on the type we are generating
-    # 4. overrides, which we always want to have in their form
-    #
-    # This ordering *is* security-critical, but we want to allow the user
-    # enough rope to shoot themselves in the foot, if they want to ignore our
-    # advice and externally approve a CSR that sets the basicConstraints.
-    #
-    # Swapping the order of 2 and 3 would ensure that you couldn't slip a
-    # certificate through where the CA constraint was true, though, if
-    # something went wrong up there. --daniel 2011-10-11
-    defaults = { "nsComment" => "Puppet Ruby/OpenSSL Internal Certificate" }
-    override = { "subjectKeyIdentifier" => "hash" }
-
-    exts = [defaults, requested_exts, extensions, override].
-      inject({}) {|ret, val| ret.merge(val) }
-
-    cert.extensions = exts.map do |oid, val|
-      val, crit = *val
-      val       = val.join(', ') unless val.is_a? String
-
-      # Enforce the X509v3 rules about subjectAltName being critical:
-      # specifically, it SHOULD NOT be critical if we have a subject, which we
-      # always do. --daniel 2011-10-18
-      crit = false if oid == "subjectAltName"
-
-      # val can be either a string, or [string, critical], and this does the
-      # right thing regardless of what we get passed.
-      ef.create_ext(oid, val, crit)
+    @subject_alt_name = []
+    @key_usage = nil
+    @ext_key_usage = nil
+    @extensions = []
+
+    method = "add_#{@cert_type.to_s}_extensions"
+
+    begin
+      send(method)
+    rescue NoMethodError
+      raise ArgumentError, "#{@cert_type} is an invalid certificate type"
     end
+
+    @extensions << @ef.create_extension("nsComment", "Puppet Ruby/OpenSSL Generated Certificate")
+    @extensions << @ef.create_extension("basicConstraints", @basic_constraint, true)
+    @extensions << @ef.create_extension("subjectKeyIdentifier", "hash")
+    @extensions << @ef.create_extension("keyUsage", @key_usage.join(",")) if @key_usage
+    @extensions << @ef.create_extension("extendedKeyUsage", @ext_key_usage.join(",")) if @ext_key_usage
+    @extensions << @ef.create_extension("subjectAltName", @subject_alt_name.join(",")) if ! @subject_alt_name.empty?
+
+    @cert.extensions = @extensions
+
+    # for some reason this _must_ be the last extension added
+    @extensions << @ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") if @cert_type == :ca
   end
 
   # TTL for new certificates in seconds. If config param :ca_ttl is set,
   # use that, otherwise use :ca_days for backwards compatibility
-  def self.ttl
+  def ttl
     ttl = Puppet.settings[:ca_ttl]
 
     return ttl unless ttl.is_a?(String)
@@ -98,69 +89,57 @@ module Puppet::SSL::CertificateFactory
     $1.to_i * UNITMAP[$2]
   end
 
+  def set_ttl
+    # Make the certificate valid as of yesterday, because
+    # so many people's clocks are out of sync.
+    from = Time.now - (60*60*24)
+    @cert.not_before = from
+    @cert.not_after = from + ttl
+  end
+
   # Woot! We're a CA.
-  def self.build_ca_extensions
-    {
-      # This was accidentally omitted in the previous version of this code: an
-      # effort was made to add it last, but that actually managed to avoid
-      # adding it to the certificate at all.
-      #
-      # We have some sort of bug, which means that when we add it we get a
-      # complaint that the issuer keyid can't be fetched, which breaks all
-      # sorts of things in our test suite and, e.g., bootstrapping the CA.
-      #
-      # http://tools.ietf.org/html/rfc5280#section-4.2.1.1 says that, to be a
-      # conforming CA we MAY omit the field if we are self-signed, which I
-      # think gives us a pass in the specific case.
-      #
-      # It also notes that we MAY derive the ID from the subject and serial
-      # number of the issuer, or from the key ID, and we definitely have the
-      # former data, should we want to restore this...
-      #
-      # Anyway, preserving this bug means we don't risk breaking anything in
-      # the field, even though it would be nice to have. --daniel 2011-10-11
-      #
-      # "authorityKeyIdentifier" => "keyid:always,issuer:always",
-      "keyUsage"               => [%w{cRLSign keyCertSign}, true],
-      "basicConstraints"       => ["CA:TRUE", true],
-    }
+  def add_ca_extensions
+    @basic_constraint = "CA:TRUE"
+    @key_usage = %w{cRLSign keyCertSign}
   end
 
   # We're a terminal CA, probably not self-signed.
-  def self.build_terminalsubca_extensions
-    {
-      "keyUsage"         => [%w{cRLSign keyCertSign}, true],
-      "basicConstraints" => ["CA:TRUE,pathlen:0", true],
-    }
+  def add_terminalsubca_extensions
+    @basic_constraint = "CA:TRUE,pathlen:0"
+    @key_usage = %w{cRLSign keyCertSign}
   end
 
   # We're a normal server.
-  def self.build_server_extensions
-    {
-      "keyUsage"         => [%w{digitalSignature keyEncipherment}, true],
-      "extendedKeyUsage" => [%w{serverAuth clientAuth}, true],
-      "basicConstraints" => ["CA:FALSE", true],
-    }
+  def add_server_extensions
+    @basic_constraint = "CA:FALSE"
+    dnsnames = Puppet[:certdnsnames]
+    name = @name.to_s.sub(%r{/CN=},'')
+    if dnsnames != ""
+      dnsnames.split(':').each { |d| @subject_alt_name << 'DNS:' + d }
+      @subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+    elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
+      @subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
+      @subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
+      @subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias
+    end
+    @key_usage = %w{digitalSignature keyEncipherment}
+    @ext_key_usage = %w{serverAuth clientAuth emailProtection}
   end
 
   # Um, no idea.
-  def self.build_ocsp_extensions
-    {
-      "keyUsage"         => [%w{nonRepudiation digitalSignature}, true],
-      "extendedKeyUsage" => [%w{serverAuth OCSPSigning}, true],
-      "basicConstraints" => ["CA:FALSE", true],
-    }
+  def add_ocsp_extensions
+    @basic_constraint = "CA:FALSE"
+    @key_usage = %w{nonRepudiation digitalSignature}
+    @ext_key_usage = %w{serverAuth OCSPSigning}
   end
 
   # Normal client.
-  def self.build_client_extensions
-    {
-      "keyUsage"         => [%w{nonRepudiation digitalSignature keyEncipherment}, true],
-      # We don't seem to use this, but that seems much more reasonable here...
-      "extendedKeyUsage" => [%w{clientAuth emailProtection}, true],
-      "basicConstraints" => ["CA:FALSE", true],
-      "nsCertType"       => "client,email",
-    }
+  def add_client_extensions
+    @basic_constraint = "CA:FALSE"
+    @key_usage = %w{nonRepudiation digitalSignature keyEncipherment}
+    @ext_key_usage = %w{clientAuth emailProtection}
+
+    @extensions << @ef.create_extension("nsCertType", "client,email")
   end
 end