Merge pull request #12092 from chef/mp/chef-12091

Check for ca_key_file before loading ca key

3 files changed, 8 insertions, 1 deletions

diff --git a/cspell.json b/cspell.json
index 4c974d6a80..66c26b91d6 100644
--- a/cspell.json
+++ b/cspell.json
@@ -27,6 +27,7 @@
     "ADMINI",
     "adminonly",
     "advapi",
+    "Afile",
     "Afonov",
     "agrs",
     "airgapped",
diff --git a/kitchen-tests/test/integration/end-to-end/_openssl.rb b/kitchen-tests/test/integration/end-to-end/_openssl.rb
new file mode 100644
index 0000000000..c68889f3bb
--- /dev/null
+++ b/kitchen-tests/test/integration/end-to-end/_openssl.rb
@@ -0,0 +1,6 @@
+# Reference recipes/_openssl.rb test to 'generate and sign a certificate with the CA'
+# This ensures that the generated certificate is valid.
+describe command("/opt/chef/embedded/bin/openssl verify -CAfile /etc/ssl_test/my_ca.crt /etc/ssl_test/my_signed_cert.crt") do
+  its("stdout") { should match /my_signed_cert.*OK/ }
+  its("stderr") { should be_empty }
+end
diff --git a/lib/chef/resource/openssl_x509_certificate.rb b/lib/chef/resource/openssl_x509_certificate.rb
index a6e0eb97f2..8d5ca2b9fa 100644
--- a/lib/chef/resource/openssl_x509_certificate.rb
+++ b/lib/chef/resource/openssl_x509_certificate.rb
@@ -226,7 +226,7 @@ class Chef
         end
 
         def ca_private_key
-          if new_resource.csr_file.nil?
+          if new_resource.ca_key_file.nil?
             key
           else
             OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass