On Mon, Jul 12, 2010 at 7:21 AM, Alex Howells <[email protected]> wrote:
> On 12 July 2010 13:41, Bryan Kearney <[email protected]> wrote:
>> On 07/09/2010 07:16 PM, Al Tobey wrote:
>>>
>>> I've been working on setting up a puppet deployment using an external CA
>>> that signs certs for my puppet masters rather than using the internal
>>> self-signed certs. Along the way, I wanted to try having the
>>> certificate chain available on the agents so I added the
>>> "localcacertdir" option to puppet. localcacertdir points at a
>>> directory with all the required certs in it with the hash symlinks set
>>> up as openssl likes them (see openssl x509 -hash). I later found that
>>> this option is not necessary for normal operation once the CRL checks
>>> are relaxed a bit with the next patch, and am sending it here in case
>>> somebody else will find use for it.
>>
>> What would this directory look like? I have a similar goal (external
>> Certificate management) and I have not run across a standard layout. I am by
>> no means an openssl expert though :)
>
> I'm pretty interested in seeing if we can sling Puppet off Certmaster --
>
> https://fedorahosted.org/certmaster/
>
> At the end of the day I'm after a way to allow clients to talk to
> multiple Puppet servers, and a way to effectively manage a huge number
> of certificates. I've not found that perfect way yet. ;)
Certmaster will likely not help much. It's just a clone of what Puppet does for certs but written in python since it was originally part of Func. I thought seriously about something like Dogtag PKI or OpenCA, but both of those suites are extreme overkill for what most of us are trying to accomplish.

That said, it should be entirely possible to hang Puppet off certmaster as long as you get Puppet pointed at the right certs. Puppet just uses standard OpenSSL under the covers, so the certs should copy around just fine.

The problems I'm working on will be what you run into - how to do authentication and revocation in a multiple-PKI world. That has always sucked and still does, which I believe is part of the reason why Luke originally went with the approach he did in Puppet.

-Al

> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-dev?hl=en.
>
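Bryan asks what a "localcacertdir"-style directory looks like. As an added example (not from the thread and not Puppet's own code), this Ruby script builds a constructed root and issuing CA, lays the root out the way `openssl x509 -hash` / c_rehash expect (the PEM under any name plus a `<subject_hash>.<n>` symlink), and uses Ruby's OpenSSL bindings, the same library Puppet sits on, to show that a leaf cert verifies through that directory only when the hash symlink is present. All names (Example Root CA, puppet.example.test, the file names) are made up for the demo.

```ruby
require "openssl"
require "tmpdir"

# Constructed sample PKI (not a real CA); issuer_cert nil means self-signed root.
def make_cert(subject, issuer_cert, issuer_key, serial, ca:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate, ef.issuer_certificate = cert, issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# c_rehash layout: PEM under any name plus <subject_hash>.<n>, n counting up on hash collisions.
def install_ca(dir, cert, name)
  File.write(File.join(dir, "#{name}.pem"), cert.to_pem)
  hash = format("%08x", cert.subject.hash) # the value `openssl x509 -hash` prints
  n = 0
  n += 1 while File.exist?(File.join(dir, "#{hash}.#{n}"))
  File.symlink("#{name}.pem", File.join(dir, "#{hash}.#{n}"))
  "#{hash}.#{n}"
end

# CApath-style lookup; intermediates are passed untrusted (as a client gets them from the peer's chain).
def verify_with_capath(dir, leaf, intermediates = [])
  store = OpenSSL::X509::Store.new
  store.add_path(dir)
  store.verify(leaf, intermediates)
end

# Root -> issuing CA -> leaf; verify via a hashed dir, then via the same PEM without a symlink.
def demo
  root,  root_key  = make_cert("/CN=Example Root CA", nil, nil, 1, ca: true)
  inter, inter_key = make_cert("/CN=Example Issuing CA", root, root_key, 2, ca: true)
  leaf, _          = make_cert("/CN=puppet.example.test", inter, inter_key, 3, ca: false)
  Dir.mktmpdir("localcacertdir") do |hashed|
    Dir.mktmpdir("unhashed") do |plain|
      File.write(File.join(plain, "example-root.pem"), root.to_pem)
      { link: install_ca(hashed, root, "example-root"),
        dup_link: install_ca(hashed, root, "example-root-copy"), # same subject hash -> .1
        hashed_ok: verify_with_capath(hashed, leaf, [inter]),
        unhashed_ok: verify_with_capath(plain, leaf, [inter]) }
    end
  end
end
```

In a real deployment you would run c_rehash (or `openssl rehash` on OpenSSL 1.1+) over the directory rather than computing link names by hand; the point here is that OpenSSL's hash-dir lookup never reads a PEM that lacks its `<hash>.<n>` link, so a cert dropped in under its own name alone is silently ignored.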
