Puppet Server / SERVER-2320

Add a CA CLI command for generating a master cert offline

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.0.1
    • Component/s: None
    • Labels:
    • Template:
    • Acceptance Criteria:
      • puppetserver ca has a way to generate the master cert standalone, offline
    • Epic Link:
    • Team:
      Server
    • Release Notes:
      New Feature
    • Release Notes Summary:
      The `puppetserver ca generate` command now has a flag `--ca-client` that will generate a cert offline (not via the CA API) that is authorized to talk to that API. This can be used to regenerate the master's host cert, or create certs for distribution to other CA nodes that need administrative access to the CA (e.g. the ability to sign and revoke certs). This command should only be used while the Puppet Server is offline, to avoid conflicts with cert serials.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Currently, the CA CLI can only generate the master cert as part of generating the whole CA. It can generate other certificates for other certnames by using the CA API, but this won't work if the master cert isn't present. We should have a special command for just generating the master cert, when the CA is already set up but before the server is running. This might be good as a flag to the generate action, or as its own action.

      Implemented as a --ca-client flag: `puppetserver ca generate --certname foo --ca-client`
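
      The release note says the flag should only be used while Puppet Server is offline, to avoid conflicts with cert serials. The wrapper below is an added example (not part of the ticket or of Puppet Server) that enforces this before calling the command. It assumes a systemd unit named `puppetserver`; `PUPPETSERVER_BIN`, `SERVICE_NAME` and the function names are hypothetical, and the certname allow-list is a conservative choice made for this example.

```shell
#!/bin/sh
# Added example: run `puppetserver ca generate --ca-client` only when the
# server is confirmed stopped. Names below are assumptions of this sketch.
PUPPETSERVER_BIN="${PUPPETSERVER_BIN:-puppetserver}"
SERVICE_NAME="${SERVICE_NAME:-puppetserver}"

# Exit status: 0 = running, 1 = stopped, 2 = state cannot be determined.
server_is_running() {
    command -v systemctl >/dev/null 2>&1 || return 2
    if systemctl is-active --quiet "$SERVICE_NAME"; then
        return 0
    fi
    return 1
}

# Exit status: 2 = bad certname, 3 = server running, 4 = state unknown,
# otherwise whatever the puppetserver command returns.
generate_ca_client_cert() {
    certname="$1"
    if [ -z "$certname" ]; then
        echo "usage: generate_ca_client_cert <certname>" >&2
        return 2
    fi
    # Reject a leading '-' (would be parsed as an option) and anything
    # outside the allow-list chosen for this example.
    case "$certname" in
        -*|*[!a-z0-9._-]*)
            echo "rejected certname: $certname" >&2
            return 2 ;;
    esac
    if server_is_running; then
        echo "refusing: $SERVICE_NAME is running; stop it first" >&2
        return 3
    else
        state=$?
        if [ "$state" -ne 1 ]; then
            # Fail closed: an unknown state is treated like a running server.
            echo "refusing: cannot determine state of $SERVICE_NAME" >&2
            return 4
        fi
    fi
    "$PUPPETSERVER_BIN" ca generate --certname "$certname" --ca-client
}
```

      Because the resulting cert is authorized to talk to the CA API, treat its private key like any other CA administrative credential when distributing it.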

              People

              • Assignee:
                maggie Maggie Dreyer
                Reporter:
                maggie Maggie Dreyer
              • Votes:
                0
                Watchers:
                7
