On Jul 12, 2010, at 10:40, Al Tobey <[email protected]> wrote:

> On Mon, Jul 12, 2010 at 7:21 AM, Alex Howells <[email protected]> wrote:
>> On 12 July 2010 13:41, Bryan Kearney <[email protected]> wrote:
>>> On 07/09/2010 07:16 PM, Al Tobey wrote:
>>>>
>>>> I've been working on setting up a puppet deployment using an external CA
>>>> that signs certs for my puppet masters rather than using the internal
>>>> self-signed certs. Along the way, I wanted to try having the
>>>> certificate chain available on the agents so I added the
>>>> "localcacertdir" option to puppet. localcacertdir points at a
>>>> directory with all the required certs in it with the hash symlinks set
>>>> up as openssl likes them (see openssl x509 -hash). I later found that
>>>> this option is not necessary for normal operation once the CRL checks
>>>> are relaxed a bit with the next patch, and am sending it here in case
>>>> somebody else will find use for it.
>>>
>>> What would this directory look like? I have a similar goal (external
>>> Certificate management) and I have not run across a standard layout. I am by
>>> no means an openssl expert though :)
>>
>> I'm pretty interested in seeing if we can sling Puppet off Certmaster --
>>
>> https://fedorahosted.org/certmaster/
>>
>> At the end of the day I'm after a way to allow clients to talk to
>> multiple Puppet servers, and a way to effectively manage a huge number
>> of certificates. I've not found that perfect way yet. ;)
>
> Certmaster will likely not help much. It's just a clone of what
> Puppet does for certs but written in python since it was originally
> part of Func. I thought seriously about something like Dogtag PKI or
> OpenCA, but both of those suites are extreme overkill for what most of
> us are trying to accomplish.
>
> That said, it should be entirely possible to hang Puppet off
> certmaster as long as you get Puppet pointed at the right certs.
> Puppet just uses standard OpenSSL under the covers, so the certs
> should copy around just fine. The problems I'm working on will be
> what you run into - how to do authentication and revocation in a
> multiple-PKI world. That has always sucked and still does, which I
> believe is part of the reason why Luke originally went with the
> approach he did in Puppet.
Indeed, and I'm quite happy to see you and Bryan working on extending the basic functionality that Puppet has.

--
Sent from mobile device | +1-615-594-8199
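Bryan's question in the quoted thread (what the localcacertdir directory should look like) has a concrete answer: OpenSSL's "CApath" layout, where each CA cert sits next to a `<subject_hash>.N` symlink that `openssl x509 -hash` computes. The script below is an added example, not code from the thread or from Puppet; the function names `rehash_dir` and `verify_chain` and the directory names are assumptions, and it needs the `openssl` binary on PATH.

```shell
#!/bin/sh
# Build an OpenSSL CApath-style directory from a set of CA certificate files:
# every PEM cert is copied in and a <subject_hash>.<n> symlink is created,
# which is the layout OpenSSL (and therefore Puppet) resolves trust anchors
# from. This is what the c_rehash utility does; written out here so the
# layout is explicit. Function and directory names are assumptions.
set -eu

# rehash_dir SRC DEST : copy every *.pem in SRC into DEST and add hash links.
rehash_dir() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    for cert in "$src"/*.pem; do
        [ -f "$cert" ] || continue
        # Refuse files that are not X.509 certs (keys, CSRs, stray files)
        # rather than silently installing them as trust anchors.
        if ! openssl x509 -noout -in "$cert" 2>/dev/null; then
            echo "skip (not a certificate): $cert" >&2
            continue
        fi
        base=$(basename "$cert")
        cp "$cert" "$dest/$base"
        # Subject-name hash (the post-1.0.0 form; -subject_hash_old gives the
        # legacy MD5 form if an old toolchain must read the directory).
        hash=$(openssl x509 -noout -hash -in "$cert")
        # Different CAs can share a subject hash, so OpenSSL probes .0, .1, ...
        # Pick the first free suffix instead of clobbering an existing link.
        n=0
        while [ -e "$dest/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$base" "$dest/$hash.$n"
    done
}

# verify_chain CAPATH CERT : succeed only if CERT chains to a CA in CAPATH,
# using the same hash-directory lookup the agent will perform.
verify_chain() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Point `openssl verify -CApath` (or the agent's localcacertdir) at the resulting directory; a CA whose symlink is missing or mis-hashed is simply not found, which is the usual cause of an "unable to get local issuer certificate" failure.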
