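# Sign a certificate signing request with this CA and return the new
# certificate.
#
# csr - an OpenSSL::X509::Request. Its self-signature is checked first so
#       that the public key we certify is one the requester actually holds.
#
# Returns [newcert, @cert]: the freshly signed certificate and the CA
# certificate it chains to.
#
# Raises Puppet::Error if csr is not a Request, if its self-signature does
# not verify, or if the serial file does not contain a hexadecimal number.
def sign(csr)
  unless csr.is_a?(OpenSSL::X509::Request)
    raise Puppet::Error,
      "CA#sign only accepts OpenSSL::X509::Request objects, not #{csr.class}"
  end

  # Proof of possession: the CSR must be signed by the key it carries.
  raise Puppet::Error, "CSR sign verification failed" unless csr.verify(csr.public_key)

  # Allocate the next serial under the settings lock so two concurrent signs
  # can never hand out the same number.  The file holds the serial as hex
  # (it is written back below as "%04X").  String#hex silently turns
  # anything unparseable -- an empty or corrupted file -- into 0, which
  # would issue serial 0 and restart the sequence, reusing serials already
  # on issued (and possibly revoked) certificates.  Reject a malformed file
  # instead of guessing.
  serial = nil
  Puppet.settings.readwritelock(:serial) { |f|
    raw = File.read(@config[:serial]).strip
    unless raw =~ /\A(0x)?\h+\z/i
      raise Puppet::Error,
        "Invalid serial number #{raw.inspect} in #{@config[:serial]}"
    end
    serial = raw.hex

    f << "%04X" % (serial + 1)
  }

  # NOTE(review): the subject is taken straight from the CSR; nothing in
  # this method checks that it matches the host that submitted the request,
  # so that check has to happen in the caller.
  newcert = Puppet::SSLCertificates.mkcert(
    :type => :server,
    :name => csr.subject,
    :ttl => ttl,
    :issuer => @cert,
    :serial => serial,
    :publickey => csr.public_key
  )

  sign_with_key(newcert)

  self.storeclientcert(newcert)

  [newcert, @cert]
end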