  1. Puppet Server
  2. SERVER-2176

The CA that signs agent requests should be an intermediate CA by default



    • Story
    • Status: Closed
    • Normal
    • Resolution: Won't Do
      • Puppet Server uses an intermediate CA model all the time
      • The CA setup CLI tool creates a root cert and an intermediate CA cert when asked to generate a PKI
    • Froyo
    • Needs Assessment


      When I am setting up my Puppet Server, I only want one certificate model to think about: a root CA (either my corporate root or autogenerated by Puppet) and an intermediate CA signed by that root that issues agent certs.

      Currently, when Puppetserver starts for the first time, it generates a self-signed CA signing cert for itself, then uses that to create a certificate for the master. With the new CLI tool, we want to take this stuff out of server start-up and instead require users to run the tool prior to starting their server (if that gets annoying we could probably think about having the start-up run the logic from this tool implicitly). If no special arguments are provided to the tool, it will generate a self-signed root CA, then use that to create a signing cert for Puppet to use to sign all node certs. It will then create the cert for the Puppet master using this intermediate signing cert.
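      The three-tier layout described above (self-signed root, intermediate signing cert, master cert issued by the intermediate) can be reproduced with plain openssl. This is an added example, not the Puppet Server CLI tool or code from this ticket; the function names, file names, subject CNs and the `puppet.example.test` hostname are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: root CA -> intermediate signing CA -> server cert, built with openssl.
# Function names, file names and subject CNs are constructed for illustration.
set -e

build_pki() {  # $1 = existing, writable working directory
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[signing_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:puppet.example.test
EOF
  # 1. Self-signed root: the only certificate that has to be trusted directly.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/pki.cnf" \
    -extensions root_ca -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # 2. Intermediate signing CA issued by the root; pathlen:0 stops it creating further CAs.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=Example Signing CA" -keyout "$d/signing.key" -out "$d/signing.csr" 2>/dev/null
  openssl x509 -req -in "$d/signing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/pki.cnf" -extensions signing_ca \
    -out "$d/signing.pem" 2>/dev/null
  # 3. Server certificate issued by the intermediate, never by the root key.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=puppet.example.test" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/signing.pem" -CAkey "$d/signing.key" \
    -CAcreateserial -days 30 -extfile "$d/pki.cnf" -extensions server \
    -out "$d/server.pem" 2>/dev/null
}

# Full chain: root is the trust anchor, the intermediate is supplied as untrusted.
chain_ok() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/signing.pem" "$1/server.pem" >/dev/null 2>&1; }
# Root alone: expected to fail, because the issuer of server.pem is not available.
root_only_ok() { openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1; }
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Run with the argument "demo" to build a throwaway PKI and check it.
[ "${1:-}" != demo ] || { t=$(mktemp -d); build_pki "$t"; chain_ok "$t" && echo "chain ok: $t"; }
```

      The `root_only_ok` check fails by design: a verifier that trusts only the root needs the intermediate presented alongside the leaf, which is the operational cost of this model.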





              Unassigned Unassigned
              maggie Maggie Dreyer