  1. Puppet Server
  2. SERVER-2322

Backport advanced cert signing settings to Server 5


Details

    • Improvement
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • SERVER 5.3.5
    • SERVER 5.3.6
    • None
    • None
    • Puppet Server 5 has

      • an allow-subject-alt-names setting
      • an allow-authorization-extensions setting
    • Froyo
    • New Feature
    • We have added two settings to Puppet Server's CA configuration: `allow-subject-alt-names` and `allow-authorization-extensions`. These are false by default. When set to true, they allow CSRs with subject alt names or special auth extensions to be signed by the puppetserver CA API. These flags are needed to sign such certs via the `puppetserver ca sign` command, which replaces `puppet cert` in Puppet 6, because the new command signs certs via the CA API.
    • Needs Assessment

    Description

      We are including the puppetserver CA CLI gem in Server 5 builds so people can migrate away from the deprecated `puppet cert`. However, the puppetserver cert signing code doesn't currently support signing certs with SANs or auth extensions in Server 5. In Server 6 we introduced two settings, `allow-subject-alt-names` and `allow-authorization-extensions`, to the `certificate-authority` section of the server config. We should backport these settings to Server 5 to fully enable signing certs with the new CA CLI. Both should be false by default.
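The following is an added example, not part of the ticket and not Puppet Server's signing code: a pre-signing audit that reads a CSR's requested extensions and reports which of the two settings would have to be true before the CA API could sign it. The helper names, host names and role value are constructed for illustration, `blocked_by` is a simplified model of the gate, and the OID prefix is Puppet's authorization extension arc.

```ruby
require 'openssl'

SAN_OID     = '2.5.29.17'               # subjectAltName
PP_AUTH_ARC = '1.3.6.1.4.1.34380.1.3.'  # Puppet authorization extension arc

# Build a constructed CSR for the demo; all names and values are sample data.
def build_csr(cn, sans: nil, auth_role: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key
  exts = []
  exts << OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', sans) if sans
  if auth_role # pp_auth_role is 1.3.6.1.4.1.34380.1.3.13
    der = OpenSSL::ASN1::UTF8String.new(auth_role).to_der
    exts << OpenSSL::X509::Extension.new("#{PP_AUTH_ARC}13", der, false)
  end
  unless exts.empty?
    ext_req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::X509::Request.new(csr.to_pem) # round-trip, as if submitted by an agent
end

# Dotted OIDs of every extension requested in the CSR's extReq attribute.
def requested_extension_oids(csr)
  attr = csr.attributes.find { |a| %w[extReq msExtReq].include?(a.oid) }
  return [] unless attr
  # Attribute value: SET { SEQUENCE OF extension }, each extension starts with its OID.
  attr.value.value.first.value.map { |ext| ext.value.first.oid }
end

# Settings that block signing of this CSR (empty array = signable in this model).
def blocked_by(csr, allow_subject_alt_names: false, allow_authorization_extensions: false)
  oids = requested_extension_oids(csr)
  reasons = []
  reasons << 'allow-subject-alt-names' if oids.include?(SAN_OID) && !allow_subject_alt_names
  if oids.any? { |o| o.start_with?(PP_AUTH_ARC) } && !allow_authorization_extensions
    reasons << 'allow-authorization-extensions'
  end
  reasons
end
```

Running `blocked_by` over pending requests before changing either setting shows exactly which CSRs the change would make signable, which is worth reviewing because both settings default to false.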

          People

            maggie Maggie Dreyer