I'm doing the same thing as you.
In fact, your post is what I used to create my own policy. I couldn't find
any other examples anywhere, so thank you!
I'm using Ruby instead of sh as my executable:
#!/bin/ruby
exit(1) if ARGV.size == 0
host = ARGV[0]
custom_attr = `openssl req -noout
So after re-reading the docs
http://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html#policy-executable-api
I've made the following modification, which works.
#!/bin/bash
HOST=$1
CUSTOM_ATTR=$(openssl req -noout -text -in "/var/lib/puppet/ssl/ca/requests/$HOST.pem" | grep "challen
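
Added example, not part of either post above: a Ruby version of the check both scripts are aiming at, written against the policy executable API linked above (certname as the only argument, PEM CSR on stdin, exit 0 to sign). It parses the CSR with Ruby's OpenSSL bindings instead of grepping `openssl req -text` output; the function names, the sample CSR builder and the secret file path in the final comment are assumptions made for illustration.

```ruby
require 'openssl'

# Return the challengePassword attribute of a parsed CSR, or nil if absent.
def challenge_password(csr)
  attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
  attr && attr.value.value.first.value
end

# Compare two strings via their SHA-256 digests so the time taken does not
# depend on where the first differing byte sits.
def secure_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a).bytes
  db = OpenSSL::Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether to sign: the CSR must parse, carry a valid self-signature,
# name the certname Puppet passed as its subject CN, and present the secret.
def autosign?(certname, csr_pem, expected)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }
  return false unless cn && cn[1] == certname
  given = challenge_password(csr)
  !given.nil? && !expected.empty? && secure_equal?(given, expected)
rescue OpenSSL::OpenSSLError
  false # unparseable or malformed input is rejected, never signed
end

# Constructed sample input: builds a throwaway CSR for offline testing.
# Pass nil as password to get a CSR without the attribute.
def sample_csr(certname, password)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  if password
    value = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::PrintableString.new(password)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('challengePassword', value))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# In the policy executable itself the last line would be (path is an assumption):
#   exit(autosign?(ARGV[0], STDIN.read, File.read('/etc/puppet/autosign_secret').chomp) ? 0 : 1)
```

Every failure path returns false, so a missing attribute, a malformed CSR or an empty configured secret all lead to a non-zero exit and the request stays unsigned.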