Puppet Server: SERVER-2552

The puppetserver ca import command should initialize a CRL for the intermediate CA

    Details

    • Release Notes:
      Enhancement
    • Release Notes Summary:
      The {{puppetserver ca import}} command will now initialize an empty CRL for the intermediate CA if one is not provided in the {{crl-chain}} file.
    • QA Risk Assessment:
      Needs Assessment

    Description

    Setting Puppet Server up to operate an intermediate CA issued by an external CA requires supplying the puppetserver ca import command with a complete chain of certificates and certificate revocation lists (CRLs) covering both the intermediate CA and the external CA that signed it. The external CA can provide the certificates and some of the CRLs (those for the CAs it controls), but generating a CRL for the intermediate CA operated by Puppet Server requires the intermediate's private key, which is held by Puppet Server. Most external CAs will be unable to provide this CRL, since transporting the private key between nodes is against best practice.

    Therefore, the puppetserver ca import command should initialize an empty CRL for Puppet's intermediate CA if it detects that one has not been provided in the CRL chain from the external root.
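The missing piece, as an added Ruby example (the puppetserver ca tooling is written in Ruby, but this is not the project's own code): it builds a constructed root CA and intermediate CA, signs an empty CRL with the intermediate's own key, bundles it ahead of the root's CRL the way a crl-chain file is laid out, and checks that every CA in the chain has a CRL it signed, which is the gap the ticket describes. CA names, serials and validity periods are assumptions.

```ruby
require 'openssl'

# Constructed sample PKI (not real material): an external root CA signing a Puppet intermediate CA.
def make_ca(name, serial, issuer_cert = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 5 * 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# An empty CRL: no revoked entries, signed by the issuing CA's own private key.
def empty_crl(ca_cert, ca_key, valid_days = 365)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # X.509 v2 CRL
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + valid_days * 86_400
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Split a PEM bundle such as the crl-chain file into its individual CRLs.
def load_crl_chain(pem)
  pem.scan(/-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m)
     .map { |p| OpenSSL::X509::CRL.new(p) }
end

# True only when every CA cert has a CRL that it signed; a chain lacking the
# intermediate's CRL (the gap this ticket describes) fails this check.
def crl_chain_complete?(crls, certs)
  certs.all? do |ca|
    crl = crls.find { |c| c.issuer == ca.subject }
    crl && crl.verify(ca.public_key)
  end
end

ROOT_CERT, ROOT_KEY = make_ca('External Root CA', 1)
INT_CERT, INT_KEY = make_ca('Puppet Intermediate CA', 2, ROOT_CERT, ROOT_KEY)
# crl-chain bundle: the intermediate's empty CRL followed by the external root's CRL.
CRL_CHAIN_PEM = [empty_crl(INT_CERT, INT_KEY), empty_crl(ROOT_CERT, ROOT_KEY)].map(&:to_pem).join
```

Written to a file, CRL_CHAIN_PEM is the shape of bundle that puppetserver ca import's --crl-chain option expects alongside --cert-bundle and --private-key.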


    Reporter: Charlie Sharpsteen