Puppet Server: SERVER-2551

The Puppet Server status endpoint should include CA and CRL expiration dates


    Details

    • Team:
      Froyo
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Added a new endpoint `/puppet-ca/v1/expirations` that returns the "not-after" date for each certificate in the CA bundle, as well as the "next-update" date of each CRL in the chain, keyed by common name. The endpoint requires authentication.
    • QA Risk Assessment:
      Needs Assessment

      Description

      When running the Puppet CA as a subordinate of an external root, the revocation lists and certificates that make up the external CA chain must be kept up to date. Most external CAs operate with a short interval between CRL updates. For example, Active Directory Certificate Services defaults to publishing new CRLs on a one-week cadence. If an externally published CRL or CA certificate expires, certificate validation within the Puppet infrastructure will fail.

      In order to alert operators to the impending expiration of a CA certificate or CRL entry, the Puppet Server status API should include these dates in its output. Then consumers of the API can flag certs visibly to administrators. If there is demand, we can add a separate flag to warn users in the API output itself.
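      As an added example (not Puppet Server's own code), the Ruby script below builds a constructed CA bundle and CRL chain in memory with the standard `openssl` library, produces the per-common-name "not-after" / "next-update" report described in the release note, and flags entries that lapse within one week, which is the check a consumer of the endpoint would run. The function names (`make_ca`, `expirations`, `expiring_soon`, `demo`), the report keys and the one-week window are this example's assumptions, not the endpoint's actual response format.

```ruby
require 'openssl'
require 'time'
# Added example (not Puppet Server code): build a CA bundle and CRL chain in memory,
# report not-after / next-update per common name, and flag entries lapsing soon.

# Constructed fixture: one self-signed CA plus its CRL, with chosen lifetimes.
def make_ca(cn, not_after:, crl_next_update:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  crl = OpenSSL::X509::CRL.new
  crl.issuer = cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = crl_next_update
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, crl.to_pem]
end

# Split a concatenated PEM file into its members (certificates or CRLs).
def parse_bundle(pem, klass)
  pem.scan(/-----BEGIN [^-]+-----.*?-----END [^-]+-----/m).map { |p| klass.new(p) }
end

# Server side: CN => ISO-8601 timestamp for each CA cert and each CRL.
# Name#to_a yields [oid, value, type] triples, so assoc('CN') picks the common name.
def expirations(ca_bundle_pem, crl_chain_pem)
  certs = parse_bundle(ca_bundle_pem, OpenSSL::X509::Certificate)
  crls = parse_bundle(crl_chain_pem, OpenSSL::X509::CRL)
  { 'ca-certs' => certs.to_h { |c| [c.subject.to_a.assoc('CN')[1], c.not_after.utc.iso8601] },
    'crls' => crls.to_h { |c| [c.issuer.to_a.assoc('CN')[1], c.next_update.utc.iso8601] } }
end

# Consumer side: entries already expired or expiring within the window (default one week).
def expiring_soon(report, now: Time.now, window: 7 * 86400)
  report.flat_map do |kind, entries|
    entries.select { |_, ts| Time.iso8601(ts) - now < window }.map { |cn, ts| [kind, cn, ts] }
  end
end

# External root whose CRL lapses in two days; subordinate Puppet CA whose cert expires in three.
def demo
  root_cert, root_crl = make_ca('Example Root CA', not_after: Time.now + 3650 * 86400, crl_next_update: Time.now + 2 * 86400)
  sub_cert, sub_crl = make_ca('Puppet CA', not_after: Time.now + 3 * 86400, crl_next_update: Time.now + 30 * 86400)
  expiring_soon(expirations(root_cert + sub_cert, root_crl + sub_crl))
end
```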


              People

              Assignee:
              Maggie Dreyer
              Reporter:
              Charlie Sharpsteen
              Votes:
              0
              Watchers:
              7
