  1. Puppet Server
  2. SERVER-2176

The CA that signs agent requests should be an intermediate CA by default

Details

    • Story
    • Status: Closed
    • Normal
    • Resolution: Won't Do
    • None
    • None
    • None
    • None
      • Puppet Server uses an intermediate CA model all the time
      • The CA setup CLI tool creates a root cert and an intermediate CA cert when asked to generate a PKI
    • Froyo
    • Needs Assessment

    Description

      When I am setting up my Puppet Server, I only want one certificate model to think about: a root CA (either my corporate root or autogenerated by Puppet) and an intermediate CA signed by that root that issues agent certs.

      Currently, when Puppetserver starts for the first time, it generates a self-signed CA signing cert for itself, then uses that to create a certificate for the master. With the new CLI tool, we want to take this stuff out of server start-up and instead require users to run the tool prior to starting their server (if that gets annoying we could probably think about having the start-up run the logic from this tool implicitly). If no special arguments are provided to the tool, it will generate a self-signed root CA, then use that to create a signing cert for Puppet to use to sign all node certs. It will then create the cert for the Puppet master using this intermediate signing cert.
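
The certificate model described above (self-signed root, intermediate signing CA issued by the root, master cert issued by the intermediate), sketched with plain `openssl` as an added example. It is not Puppet Server's CA tool or code from this ticket; the subject names, file names, key sizes, serials and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: root CA -> intermediate signing CA -> server cert, built with openssl.
# All subject names and file names below are constructed for illustration.
make_pki() {  # $1 = existing work directory
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[signing_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
  # 1. Self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ext.cnf" \
    -extensions root_ca -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # 2. Intermediate signing CA issued by the root; pathlen:0 stops it minting further CAs.
  new_cert "$d" ca "Constructed Signing CA" root signing_ca 2 || return 1
  # 3. Server certificate issued by the intermediate, not by the root.
  new_cert "$d" master "puppet.example.test" ca server 3
}

new_cert() {  # dir, name, CN, issuer name, extension section, serial
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -set_serial "$6" -days 30 -extfile "$1/ext.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

# A relying party that trusts only the root needs the intermediate to build the path.
verify_with_chain() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/ca.pem" "$1/master.pem" >/dev/null 2>&1; }
verify_root_only()  { openssl verify -CAfile "$1/root.pem" "$1/master.pem" >/dev/null 2>&1; }
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

work=$(mktemp -d)
make_pki "$work" && verify_with_chain "$work" && echo "chain verifies; $(issuer_of "$work/master.pem")"
verify_root_only "$work" || echo "root alone cannot verify the server cert"
```

Once the intermediate exists, the root key signs nothing else, so it can be kept offline; day-to-day issuance uses only the signing CA key.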

            People

              Unassigned Unassigned
              maggie Maggie Dreyer