On 12 July 2010 13:41, Bryan Kearney <[email protected]> wrote:
> On 07/09/2010 07:16 PM, Al Tobey wrote:
>>
>> I've been working on setting up a puppet deployment using an external CA
>> that signs certs for my puppet masters rather than using the internal
>> self-signed certs. Along the way, I wanted to try having the
>> certificate chain available on the agents so I added the
>> "localcacertdir" option to puppet. localcacertdir points at a
>> directory with all the required certs in it with the hash symlinks set
>> up as openssl likes them (see openssl x509 -hash). I later found that
>> this option is not necessary for normal operation once the CRL checks
>> are relaxed a bit with the next patch, and am sending it here in case
>> somebody else will find use for it.
>
> What would this directory look like? I have a similar goal (external
> Certificate management) and I have not run across a standard layout. I am by
> no means an openssl expert though :)

I'm pretty interested in seeing if we can sling Puppet off Certmaster --

    https://fedorahosted.org/certmaster/

At the end of the day I'm after a way to allow clients to talk to
multiple Puppet servers, and a way to effectively manage a huge number
of certificates. I've not found that perfect way yet. ;)
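
The directory layout asked about in the quoted question (certificates plus `<subject-hash>.<n>` symlinks, as `openssl x509 -hash` produces) can be built as below. This is an added example, not part of the thread or of the localcacertdir patch; the function names, subjects and file names are assumptions made for illustration, and the certificates are throwaway samples.

```shell
#!/bin/sh
# Constructed example: build a hashed CA directory of the kind OpenSSL's
# -CApath lookup expects. Subjects, file names and paths are made up.

# make_ca DIR NAME SUBJECT: throwaway self-signed CA (sample input only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# link_cert DIR FILE: create DIR/<subject-hash>.<n> -> FILE and print the
# link name. n starts at 0 and increments when another certificate with
# the same subject hash already occupies the slot.
link_cert() {
    dir=$1 file=$2
    hash=$(openssl x509 -hash -noout -in "$dir/$file") || return 1
    fp=$(openssl x509 -fingerprint -noout -in "$dir/$file")
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        # Same certificate already linked: report the existing link.
        if [ "$(openssl x509 -fingerprint -noout -in "$dir/$hash.$n")" = "$fp" ]; then
            echo "$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    ln -s "$file" "$dir/$hash.$n" && echo "$hash.$n"
}

# verify_in_dir DIR CERT: succeed only if CERT chains to a cert found via DIR.
verify_in_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    # Two different CAs sharing one subject collide on the hash: .0 and .1
    make_ca "$d" root-a "/CN=Example Root" && link_cert "$d" root-a.pem
    make_ca "$d" root-b "/CN=Example Root" && link_cert "$d" root-b.pem
    ls -l "$d" | grep -- '->'
    verify_in_dir "$d" "$d/root-b.pem" && echo "root-b.pem verifies via $d"
    rm -rf "$d"
}
demo
```

On OpenSSL 1.1.0 and later, `openssl rehash DIR` creates the same links; a certificate placed in the directory without its hash link is not found by the lookup.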
