Issue #7929 has been updated by Nigel Kersten.

Status changed from Needs Decision to Rejected

The confusion here is around the fact that what is now `puppet cert` was once `puppetca`, and thus we were confusing certificate operations with CA operations.

This functionality is a certificate operation.

Given that the majority of certificates for most people are obtained by *signing* a certificate request, where the private key isn't actually available to the CA, but the signed certificate is generated by the CA, that's why we have asymmetry here, with the private key not considered part of the "CA data".

`puppet cert generate` is not a CA function. It can be called from other functional roles in the puppet suite, and that's why we moved it from the 'puppetca' name.

----------------------------------------
Bug #7929: puppetca --generate should create private_keys files under ca/ directory
https://projects.puppetlabs.com/issues/7929

Author: Chris Phillips
Status: Rejected
Priority: Low
Assignee: Nigel Kersten
Category: SSL
Target version:
Affected Puppet version:
Keywords:
Branch:

When the --generate function is called from puppetca a copy of the signed cert is placed in ssl/certs/ and ssl/ca/signed/. The private key however is only placed in ssl/private_keys/. As this is a "CA" function the private key should be held under the conceptually "central" ca location, not just in the "client" location.

My specific issue is that in order to integrate with cobbler on a different system I have ssl/ca/ exported read only over NFS and mounted in the same location on the cobbler. This is to let me run a generate and automatically pull the key and cert into the kickstart to remove the need for auto signing. I'm not saying this is the slickest greatest way to do things, but logically surely that "centrally created" private key should be reachable in the same way the cert already is? At present the script that calls the generate copies the private_key manually afterwards.
