[snip]

> The hard part it turns out is getting some custom data into the SSL cert to
> begin with. The CSR that's generated does not get generated with
> 'certdnsnames' embedded in it, that's done purely on the Signing side (aka,
> your puppet ca). I had hoped I could set 'certdnsnames' on the client and
> that would be passed to the server in some way, but it's not.
>

I think I might have a solution for this problem:

Instead of using the Puppet CA functionality in Puppet, I created a simple
CA using just OpenSSL. So both a puppet client and a puppetmaster
get a cert that is signed by this CA (the only thing you need to do in
the puppet.conf of the puppetmaster is put ca=false in before you start it
the first time).
That way, I can distribute "pre-signed" certificates to my puppet clients
and puppetmasters.
This also means that you can simply embed a custom "subjectAltName"
directive in the openssl.conf file used to sign the client cert.
Below are the relevant parts of my openssl.conf:

x509_extensions         = usr_cert

[ usr_cert ]
basicConstraints        = critical, CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth, emailProtection
subjectKeyIdentifier    = hash
# OpenSSL looks extension names up case-sensitively; the canonical spelling is subjectAltName
subjectAltName          = <your custom class>

The reason I work like this: I use a custom JeOS ISO to install my
machines, which contains a host-specific RPM/DEB containing the
certs for that client. This way, I can easily reprovision the machine,
let it automatically connect to the puppetmaster and get it configured,
all fully automatic, and without the security concerns autosigning brings.
An added bonus of using ISOs instead of VM templates or something similar
is that ISOs are perfectly agnostic of what virtual/physical infrastructure
you have.

kristof

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
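The workflow kristof describes, as an added example that is not part of the original post or of Puppet itself: a throwaway OpenSSL CA signs a client certificate, the CSR carries no subjectAltName, and the SAN is injected on the signing side via a usr_cert section like the one above. The CA name, the node certname, the extra DNS name and the scratch directory layout are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: a throwaway OpenSSL CA that
# signs a client certificate with a subjectAltName chosen at signing time.
# All names (CA CN, node FQDN, the extra DNS name) are assumptions for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

CA_CN="example-puppet-ca"                                             # assumed CA name
CLIENT_CN="node01.example.com"                                        # assumed puppet client certname
CUSTOM_SAN="DNS:${CLIENT_CN},DNS:puppet-role-webserver.example.com"  # assumed SAN payload

# Minimal req config: no request extensions, so the CSR cannot carry a SAN
# (the point of the thread). v3_ca is only used for the self-signed CA cert.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# The usr_cert section from the post, with the SAN filled in by the signer.
cat > "$WORK/usr_cert.cnf" <<EOF
[ usr_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = ${CUSTOM_SAN}
EOF

# Private CA: key plus self-signed CA certificate
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$WORK/ca.key" \
    -subj "/CN=${CA_CN}" -config "$WORK/openssl.cnf" -extensions v3_ca \
    -out "$WORK/ca.crt" 2>/dev/null
}

# Client side: key and a plain CSR carrying only the CN
make_client_csr() {
  openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/client.key" \
    -subj "/CN=${CLIENT_CN}" -config "$WORK/openssl.cnf" \
    -out "$WORK/client.csr" 2>/dev/null
}

# Signing side: this is where the SAN is injected, as the post describes
sign_client() {
  openssl x509 -req -sha256 -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/usr_cert.cnf" -extensions usr_cert \
    -out "$WORK/client.crt" 2>/dev/null
}

# Checks: does the CSR / the issued cert contain a SAN extension?
csr_has_san()  { openssl req  -in "$WORK/client.csr" -noout -text | grep -q "Subject Alternative Name"; }
cert_has_san() { openssl x509 -in "$WORK/client.crt" -noout -text | grep -q "Subject Alternative Name"; }

# Print the SAN value line of the issued cert ("DNS:a, DNS:b")
cert_sans() {
  openssl x509 -in "$WORK/client.crt" -noout -text \
    | grep -A1 "Subject Alternative Name" | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Chain check: the pre-signed client cert must validate against the private CA
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1; }

make_ca
make_client_csr
sign_client

if csr_has_san; then echo "unexpected: CSR carries a SAN"; else echo "CSR carries no SAN (as expected)"; fi
echo "issued cert SAN: $(cert_sans)"
verify_chain && echo "client.crt chains to ca.crt"
```

The three files this leaves behind (ca.crt, client.key, client.crt) are what the post packages into a host-specific RPM/DEB; the puppetmaster gets its own certificate from the same CA and, per the post, runs with ca=false in puppet.conf so it never tries to act as a CA itself. Because the SAN lives in the signer's extfile rather than in the CSR, the CA operator, not the node, decides what names or custom data end up in the certificate.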