On 07/12/2010 10:21 AM, Alex Howells wrote:
> On 12 July 2010 13:41, Bryan Kearney <[email protected]> wrote:
>> On 07/09/2010 07:16 PM, Al Tobey wrote:
>>> I've been working on setting up a puppet deployment using an external CA
>>> that signs certs for my puppet masters rather than using the internal
>>> self-signed certs. Along the way, I wanted to try having the
>>> certificate chain available on the agents so I added the
>>> "localcacertdir" option to puppet. localcacertdir points at a
>>> directory with all the required certs in it with the hash symlinks set
>>> up as openssl likes them (see openssl x509 -hash). I later found that
>>> this option is not necessary for normal operation once the CRL checks
>>> are relaxed a bit with the next patch, and am sending it here in case
>>> somebody else will find use for it.
>>
>> What would this directory look like? I have a similar goal (external
>> Certificate management) and I have not run across a standard layout. I am by
>> no means an openssl expert though :)
>
> I'm pretty interested in seeing if we can sling Puppet off Certmaster --
> https://fedorahosted.org/certmaster/
>
> At the end of the day I'm after a way to allow clients to talk to
> multiple Puppet servers, and a way to effectively manage a huge number
> of certificates. I've not found that perfect way yet. ;)

Alex:
Does this patch help:
http://groups.google.com/group/puppet-dev/browse_thread/thread/83ecaa3d5323e4e5
It seems like that thread, and this, are attempting the same thing. If
we could merge them together that would be great.
-- bk
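
An illustration of the hashed directory layout discussed in this thread (the names `openssl x509 -hash` yields), added here as an example and not taken from Al Tobey's patch or from Puppet. The helper names `hash_ca_dir` and `build_demo_pki`, the file names and the certificate subjects are all constructed for the demo.

```shell
#!/bin/sh
# Added example: lay out a CA directory the way OpenSSL's CApath lookup expects.
# Every name, subject and path below is constructed for the demo.

# Create <subject-hash>.<n> symlinks for each *.pem certificate in directory $1.
hash_ca_dir() {
    dir=$1
    # Remove links left by an earlier run so that re-running is idempotent.
    for old in "$dir"/????????.[0-9]*; do
        if [ -L "$old" ]; then rm -f "$old"; fi
    done
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        hash=$(openssl x509 -hash -noout -in "$cert") || return 1
        n=0
        # Distinct CAs may share a hash; OpenSSL tries .0, .1, ... in turn.
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$hash.$n" || return 1
    done
}

# Build a throwaway PKI in $1: a self-signed root CA and one server cert it signs.
build_demo_pki() {
    d=$1
    mkdir -p "$d/cacerts" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/cacerts/root.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=puppet.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -days 1 -set_serial 1 \
        -CA "$d/cacerts/root.pem" -CAkey "$d/root.key" \
        -out "$d/srv.pem" 2>/dev/null || return 1
}

# Demo run: the listing shows root.pem plus its <hash>.0 link, then the server
# certificate is verified with -CApath pointing at the hashed directory.
demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" &&
    hash_ca_dir "$demo_dir/cacerts" && ls -l "$demo_dir/cacerts" &&
    openssl verify -CApath "$demo_dir/cacerts" "$demo_dir/srv.pem"
```

OpenSSL ships `c_rehash` (and `openssl rehash` in 1.1.0 and later) to create the same links.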