----- "Luke Kanies" <[email protected]> wrote:

> On Jul 1, 2010, at 14:14, Bryan Kearney <[email protected]> wrote:
> 
> > Next questions.. again. My goal is to have puppet work with an
> > external set of x.509 credentials.
> >
> > (1) When puppetmasterd starts up, it creates a CSR for $certname.
> > What is this certificate used for? I would assume that the CA's cert
> > and keys would be used in all SSL communication. Is that not correct?
> 
> Nope - the CA cert is only ever used for signing certs and CRLs.
> Each host has a separate cert for actual communication.
> 
> I can't verify atm, but I think CA cert can't even be used for
> communication.

It verifies that the clients are signed by the CA using the CA cert, doesn't it?
Or does it just check the master cert and the client cert is from the same CA?

> 
> > (2) If puppetd is being used to manage the same machine as the
> > puppetmaster, then would they share this same certificate and
> > public/private key?
> 
> Yep, assuming they're started with the same certname. But they don't
> have to be.
> 
> -- 
> Luke Kanies | +1-615-594-8199
> 
> -- 
> You received this message because you are subscribed to the Google
> Groups "Puppet Developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-dev?hl=en.

-- 
R.I.Pienaar
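
The roles discussed in this thread, as an added example that is not part of the original messages or Puppet's own code: plain `openssl` is used to show a CA certificate acting only as signer and trust anchor, while the host holds its own key and certificate. The names "Demo CA", "Other CA" and host.example.test and all file names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed demo with throwaway keys; "Demo CA", "Other CA" and
# host.example.test are made-up names, not values from the thread.

make_demo_pki() {  # make_demo_pki <dir>
  local d=$1
  # CA: self-signed cert whose key is used only to sign other certs.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # Host: its own key pair plus a CSR naming the host (the certname role).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
    -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null || return 1
  # The CA signs the CSR; host.pem and host.key are what the host uses in SSL.
  openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/host.pem" 2>/dev/null || return 1
  # Unrelated CA, to show verification failing against the wrong anchor.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null || return 1
}

# signed_by <ca.pem> <cert.pem>: prints "yes" if the cert chains to that CA.
signed_by() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# key_matches <cert.pem> <key.pem>: prints "yes" if the key belongs to the cert.
key_matches() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl sha256)
  if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "host cert signed by Demo CA:   $(signed_by "$demo_dir/ca.pem" "$demo_dir/host.pem")"
echo "host cert signed by Other CA:  $(signed_by "$demo_dir/other.pem" "$demo_dir/host.pem")"
echo "host key matches host cert:    $(key_matches "$demo_dir/host.pem" "$demo_dir/host.key")"
echo "host key matches CA cert:      $(key_matches "$demo_dir/ca.pem" "$demo_dir/host.key")"
```
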
