Component/s: Puppet Language
Sprint: Killer Kakapo 1.19.15
The documentation on setting up an external CA makes the following statement:
Certificate revocation list (CRL) checking works in all three supported configurations, so long as the CRL file is distributed to the agents and masters using an “out of band” process. Puppet won’t automatically update the CRL on any of the components in the system.
This is not true for "Option 3: Two Intermediate CAs Issued by One Root CA", since a Puppet agent cannot support multiple CRLs, which are required whenever there is a certificate chain (each issuing CA publishes its own CRL).
The documentation should be updated to state that CRLs on the agent are not supported for "Option 3: Two Intermediate CAs Issued by One Root CA."
Option 3 should include additional documentation instructing users to set "certificate_revocation = false" on all Puppet agents. The documentation for "certificate_revocation" states the following:
Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL) to all clients. If enabled, CA chaining will almost definitely not work.
This statement should be included as a cross-reference, or cited directly, on the external CA page.