Details
Type: New Feature
Status: Accepted
Priority: Normal
Resolution: Unresolved
Team: Coremunity
Needs Assessment
Description
The $trusted hash should contain additional certificate attributes. At a minimum 'not_after' and 'not_before' but others such as 'serial' and 'signature_algorithm' might also be useful.
Possible use cases for 'not_before' and 'not_after':
Examine the 'not_before' date and generate warnings or failures during catalog compilation if required trusted certificate extensions are not present. This allows hard extension requirements to be enforced for newly issued certificates while keeping backwards compatibility with certificates issued before a given cut-over date.
Examine the 'not_after' date and generate warnings to the user during a Puppet run about an impending client certificate expiration.
The times should be stored in something easily machine-consumable or convertible (such as integer values in Unix time).
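An added example (not code from the Puppet project or this ticket's reporter) sketching what the proposed attributes would look like and how the two use cases above consume them. It builds a trusted-style hash directly from an OpenSSL::X509::Certificate with the times stored as Unix integers, then implements the not_before-gated extension check and the not_after expiry warning. The certificates, the cut-over date, the clock value and the pp_role OID are all constructed test data; the OID value is taken from Puppet's registered-extension table but should be verified against the project before relying on it.

```ruby
require 'openssl'
require 'time'

# Assumed OID for Puppet's pp_role registered extension (verify against the
# project's OID table); any dotted OID would do for this demonstration.
PP_ROLE_OID = '1.3.6.1.4.1.34380.1.1.13'
OID_NAMES   = { PP_ROLE_OID => 'pp_role' }.freeze

# One signing key shared by every constructed certificate (demo only).
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed "agent" certificate with the given validity window and
# custom UTF8String extensions. Constructed test data, not a real CA flow.
def make_cert(cn, not_before, not_after, extensions = {})
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(2**63))
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = SIGNING_KEY.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  extensions.each do |oid, text|
    der = OpenSSL::ASN1::UTF8String.new(text).to_der
    cert.add_extension(OpenSSL::X509::Extension.new(oid, der, false))
  end
  cert.sign(SIGNING_KEY, OpenSSL::Digest.new('SHA256'))
  cert
end

# Decode custom extensions back to { name => string }. The payload is wrapped
# twice (an OCTET STRING around the DER UTF8String), so decode the extension
# structure first and then its inner value.
def custom_extensions(cert)
  cert.extensions.each_with_object({}) do |ext, acc|
    payload = OpenSSL::ASN1.decode(ext.to_der).value.last.value
    acc[OID_NAMES.fetch(ext.oid, ext.oid)] = OpenSSL::ASN1.decode(payload).value
  end
end

# The proposed $trusted shape: the existing certname/extensions keys plus the
# requested attributes, with times as integer Unix timestamps.
def trusted_hash(cert)
  {
    'certname'            => cert.subject.to_a.find { |n, *| n == 'CN' }[1],
    'extensions'          => custom_extensions(cert),
    'not_before'          => cert.not_before.to_i,
    'not_after'           => cert.not_after.to_i,
    'serial'              => cert.serial.to_i,
    'signature_algorithm' => cert.signature_algorithm,
  }
end

# Use case 1: require an extension only on certificates issued at or after a
# policy cut-over, so certificates issued earlier keep compiling.
def require_extension(trusted, name, cutover_unix)
  return :ok if trusted['extensions'].key?(name)
  trusted['not_before'] >= cutover_unix ? :fail : :legacy_ok
end

# Use case 2: flag a client certificate that is within warn_window seconds of
# expiry, or has already expired.
def expiry_status(trusted, now_unix, warn_window = 30 * 24 * 3600)
  remaining = trusted['not_after'] - now_unix
  return :expired if remaining <= 0
  remaining <= warn_window ? :expiring_soon : :ok
end

# Constructed fixtures: a cut-over date, a fixed "now", and three certificates.
CUTOVER = Time.utc(2024, 1, 1).to_i
NOW     = Time.utc(2025, 6, 1).to_i

LEGACY_CERT  = make_cert('legacy.example',   Time.utc(2023, 3, 1), Time.utc(2028, 3, 1))
NEW_NO_EXT   = make_cert('new-bare.example', Time.utc(2025, 2, 1), Time.utc(2030, 2, 1))
NEW_WITH_EXT = make_cert('new-role.example', Time.utc(2025, 2, 1), Time.utc(2025, 6, 15),
                         PP_ROLE_OID => 'webserver')

if __FILE__ == $0
  [LEGACY_CERT, NEW_NO_EXT, NEW_WITH_EXT].each do |cert|
    t = trusted_hash(cert)
    puts format('%-18s pp_role=%-10s expiry=%s',
                t['certname'], require_extension(t, 'pp_role', CUTOVER), expiry_status(t, NOW))
  end
end
```

The legacy certificate lacks pp_role but predates the cut-over, so it passes as legacy_ok; the bare certificate issued after the cut-over fails; the certificate carrying pp_role passes the extension check but, with two weeks of validity left, is reported as expiring soon. In a real Puppet deployment the equivalent checks would run in the compiler against $trusted, with the fail case raised as a compilation error and the expiry case surfaced as a warning.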