Details
-
Story
-
Status: Closed
-
Normal
-
Resolution: Won't Do
-
None
-
None
-
None
-
None
-
- Puppet Server uses an intermediate CA model all the time
- The CA setup CLI tool creates a root cert and an intermediate CA cert when asked to generate a PKI
-
Froyo
-
Needs Assessment
Description
When I am setting up my Puppet Server, I only want one certificate model to think about: a root CA (either my corporate root or autogenerated by Puppet) and an intermediate CA signed by that root that issues agent certs.
Currently, when Puppetserver starts for the first time, it generates a self-signed CA signing cert for itself, then uses that to create a certificate for the master. With the new CLI tool, we want to take this stuff out of server start-up and instead require users to run the tool prior to starting their server (if that gets annoying we could probably think about having the start-up run the logic from this tool implicitly). If no special arguments are provided to the tool, it will generate a self-signed root CA, then use that to create a signing cert for Puppet to use to sign all node certs. It will then create the cert for the Puppet master using this intermediate signing cert.
Attachments
Issue Links
- blocks
-
SERVER-2175 Remove CA bootstrapping code from puppetserver
-
- Closed
-
- is blocked by
-
-
- Closed
-
1.
|
Create `generate` subcommand for the CA CLI tool |
|
Closed | Amy Sahli |
2.
|
Update puppetserver clojure integration tests to handle lack of CA bootstrapping |
|
Closed | Unassigned |
3.
|
Update acceptance tests to use the CA CLI to generate puppetserver's CA |
|
Closed | Unassigned |
4.
|
Remove CA bootstrapping code from puppetserver |
|
Closed | Unassigned |