set umask on generated pkcs12 file so the mode ends up as '0600'

Puppet-Finland · Jan 15, 2014 · 639d62e · 639d62e
1 parent c208f6e
commit 639d62e
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/manifests/add_cert_and_key.pp b/manifests/add_cert_and_key.pp
@@ -34,13 +34,14 @@
   $pkcs12_name = downcase(regsubst("${nickname}.p12", '[\s]', '_', 'GM'))
 
   exec {"generate_pkcs12_${title}":
+    umask     => '7077',
     command   => "/usr/bin/openssl pkcs12 -export -in ${cert} -inkey ${key} -password 'file:${certdir}/password.conf' -out '${certdir}/${pkcs12_name}' -name '${nickname}'",
+    creates   => "${certdir}/${pkcs12_name}",
+    subscribe => File["${certdir}/password.conf"],
     require   => [
       Nssdb::Create[$certdir],
       Class['nssdb'],
     ],
-    creates   => "${certdir}/${pkcs12_name}",
-    subscribe => File["${certdir}/password.conf"],
   }
 
   exec { "add_pkcs12_${title}":