Issue #7243 has been updated by Patrick Hemmer.
File csr_attributes_file.patch added
Attached is a patch (against puppet 3.1.0) which adds a config parameter called
`csr_attributes_file`. This is just a yaml file that contains a list of
attributes to add to the certificate request.
This is an example of what the file's contents look like for my usage:
---
1.3.6.1.4.1.34380.2.0: us-west-1a/i-355fb16d
1.3.6.1.4.1.34380.2.1: MYSUPERSECRETKEY
1.3.6.1.4.1.34380.3.3: puppet-dashboard-group-name
I also have a patch which I have submitted against bug 7244 that runs an
external command to verify the certificate. The command grabs the cert,
extracts the extra parameters, and then authorizes the cert to be signed if
they're valid.
The basis of the code came from James Turnbull's GitHub pull request, but with
some fixes added to it.
The code is functional and in use in my own environment.
----------------------------------------
Feature #7243: Additional data in Puppet CSRs (certdnsnames, and custom data)
https://projects.puppetlabs.com/issues/7243#change-83273
Author: Matt Wise
Status: Tests Insufficient
Priority: Normal
Assignee: Daniel Pittman
Category: SSL
Target version:
Affected Puppet version:
Keywords:
Branch: https://github.com/puppetlabs/puppet/pull/806
Puppet Clients currently do not support filling in 'certdnsnames' in their CSR.
That is only done on the signing-server side of things. This should be updated
so that either the client or server can set the certdnsnames (or both).
In addition to this, the Puppet CSR generation code should allow for the
addition of arbitrary data in the form of keypairs (foo=xyz) that is embedded
into the CSR. That data should then be accessible in some way to the Puppet
master process itself during catalog compilation. This allows for companies to
build in their own security models around the SSL certs.
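
The two halves described in the update above, as an added example (not the attached patch or Puppet's own code): the agent side turns a csr_attributes_file-style YAML document into CSR attributes, and the CA side checks the request before allowing it to be signed. The helper names, the sample values, and treating the 1.3.6.1.4.1.34380.2.1 attribute as a shared secret are assumptions.

```ruby
require "openssl"
require "yaml"

# Constructed sample in the csr_attributes_file layout (values are made up).
SAMPLE_ATTRIBUTES_YAML = <<~YAML
  ---
  1.3.6.1.4.1.34380.2.0: us-west-1a/i-0example
  1.3.6.1.4.1.34380.2.1: constructed-shared-secret
YAML
SECRET_OID = "1.3.6.1.4.1.34380.2.1" # assumption: this OID carries the shared secret

# Agent side: add every YAML entry to the CSR as an attribute, then sign it.
def build_csr(key, certname, attributes_yaml)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([["CN", certname]])
  req.public_key = key.public_key
  YAML.safe_load(attributes_yaml).each do |oid, value|
    set = OpenSSL::ASN1::Set([OpenSSL::ASN1::UTF8String(value.to_s)])
    req.add_attribute(OpenSSL::X509::Attribute.new(oid.to_s, set))
  end
  req.sign(key, OpenSSL::Digest.new("SHA256"))
end

# CA side: map each attribute OID to the list of string values it carries.
def csr_attributes(req)
  req.attributes.each_with_object({}) do |attr, out|
    out[attr.oid] = attr.value.value.map { |v| v.value.to_s }
  end
end

# Compare digests byte by byte so timing does not depend on where they differ.
def secure_equal?(a, b)
  da, db = [a, b].map { |s| OpenSSL::Digest.digest("SHA256", s).bytes }
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# CA side: allow signing only for a well-formed, correctly self-signed CSR
# that presents exactly one value under SECRET_OID equal to the expected one.
def authorize?(pem, expected_secret)
  req = OpenSSL::X509::Request.new(pem)
  return false unless req.verify(req.public_key)
  presented = csr_attributes(req)[SECRET_OID]
  !presented.nil? && presented.length == 1 &&
    secure_equal?(presented.first, expected_secret)
rescue OpenSSL::X509::RequestError, OpenSSL::PKey::PKeyError
  false
end
```

The CSR's self-signature only proves possession of the private key, so the attribute check is what ties the request to something the CA already knows.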