Puppet Server / SERVER-2552

The puppetserver ca import command should initialize a CRL for the intermediate CA


Details

    • Enhancement
    • The puppetserver ca import command will now initialize an empty CRL for the intermediate CA if one is not provided in the crl-chain file.
    • Needs Assessment

    Description

      Setting Puppet Server up to operate an intermediate CA that is issued by an external CA requires supplying the puppetserver ca import command with a complete chain of certificates and certificate revocation lists for the intermediate CA and the external CA that signed it. The external CA can provide the certificates and some of the certificate revocation lists, but generating a revocation list for the intermediate CA operated by Puppet Server requires access to the private key used by Puppet Server. Most external CAs will be incapable of providing this revocation list as transporting the private key between nodes is against best practices.

      Therefore, the puppetserver ca import command should initialize an empty CRL for Puppet's intermediate CA if it detects that one has not been provided in the CRL chain from the external root.
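      The check-and-fallback described above, as an added example in Ruby using the OpenSSL bindings (this is not Puppet Server's own implementation): scan the supplied CRL chain for a CRL issued by the intermediate, and if none is present, sign an empty one with the intermediate's own key. The function names, the 5-year validity and the throwaway root/intermediate built by make_test_ca are assumptions of this example.

```ruby
require 'openssl'
# Parse every CRL in a PEM bundle such as the file passed via --crl-chain.
def parse_crl_chain(pem)
  pem.scan(/-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m).map { |b| OpenSSL::X509::CRL.new(b) }
end

# True when the bundle already carries a CRL issued by ca_cert and verifiable with its key.
def crl_for?(crls, ca_cert)
  crls.any? { |crl| crl.issuer == ca_cert.subject && crl.verify(ca_cert.public_key) }
end

# Build an empty (no revoked serials) CRL for ca_cert, signed with its own private key.
# The 5-year default validity is an assumption of this example, not Puppet's setting.
def empty_crl(ca_cert, ca_key, valid_for: 5 * 365 * 86400)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1                       # X.509 v2 CRL
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now
  crl.next_update = Time.now + valid_for
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.issuer_certificate = ca_cert
  crl.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  crl.add_extension(OpenSSL::X509::Extension.new('crlNumber', OpenSSL::ASN1::Integer(0)))
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Return the chain unchanged if it already covers the intermediate, else append an empty CRL.
def ensure_intermediate_crl(chain_pem, int_cert, int_key)
  return chain_pem if crl_for?(parse_crl_chain(chain_pem), int_cert)
  chain_pem + empty_crl(int_cert, int_key).to_pem
end

# Constructed test material: a throwaway root or intermediate CA (not real Puppet certs).
def make_test_ca(name, issuer_cert = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 86400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end
```

      A chain carrying only the external root's CRL comes back with a second, empty CRL whose issuer is the intermediate; a chain that already contains one is returned untouched.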

    People

      Assignee: Unassigned
      Reporter: Charlie Sharpsteen (chuck)