On Fri, Mar 9, 2012 at 6:15 PM, Jonathan Proulx <j...@jonproulx.com> wrote:

> I'm OK with flushing all my certs and starting over, but I have a
> couple of questions.  How does the puppet CA populate the altName
> field? and can I make it do what I want for both the CA and the non-CA
> servers or do I just need to suck it up, go get cozy with the openssl
> docs and do the server certs by hand if I want them fancy like that?

Jon, what version of Puppet are you running?

I can't seem to find a doc on this that isn't release notes, so we
should probably get a documentation bug in.

You can set 'dns_alt_names' either in your puppet.conf or on the
command line when the node generates a CSR.
Then you can use "allow-dns-alt-names" when signing the certificate on
the CA to approve those alt names.

Alternatively, you can use "puppet certificate generate" on the CA and
manually transmit the certificate/key to the node.

$ puppet help certificate sign
USAGE: puppet certificate sign [--terminus TERMINUS]
[--extra HASH]
<--ca-location LOCATION>
[--[no-]allow-dns-alt-names]
<host>

Sign a certificate signing request for HOST.

RETURNS: A string that appears to be (but isn't) an x509 certificate.

OPTIONS:
  --mode MODE                    - The run mode to use (user, agent, or master).
  --render-as FORMAT             - The rendering format to use.
  --verbose                      - Whether to log verbosely.
  --debug                        - Whether to log debug information.
  --[no-]allow-dns-alt-names     - Whether or not to accept DNS alt names in the
                                   certificate request
  --ca-location LOCATION         - Which certificate authority to use (local or
                                   remote).
  --extra HASH                   - Extra arguments to pass to the indirection
                                   request
  --terminus TERMINUS            - The indirector terminus to use.

TERMINI: ca, file, rest

See 'puppet man certificate' or 'man puppet-certificate' for full help.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
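
Since signing with "allow-dns-alt-names" approves whatever alt names the request carries, it helps to look at them first. The script below is an added example, not part of the original message and not Puppet's own code: it lists the DNS alt names in a CSR and flags any that are not on an approved list. The function names, host names and approved list are hypothetical, and it assumes you feed it the text form of the pending request as printed by openssl.

```shell
#!/bin/sh
# Added example (not Puppet code): list the DNS alt names a CSR asks for and
# flag any that are not on an approved list, before signing the request with
# --allow-dns-alt-names. Input is the text form of the CSR on stdin, e.g.
#   openssl req -noout -text -in <request.pem>

# Print each requested DNS alt name, lower-cased, one per line.
csr_dns_alt_names() {
    tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr '[:upper:]' '[:lower:]' | sort -u
}

# unexpected_alt_names "approved1 approved2 ..." < csr-text
# Prints requested names missing from the approved list (which must be
# lower-case and space-separated). Returns 0 if there are none, 1 otherwise.
unexpected_alt_names() {
    approved=$1
    unexpected=$(csr_dns_alt_names | while read -r name; do
        case " $approved " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done)
    if [ -z "$unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$unexpected"
    return 1
}

# Constructed sample: the relevant part of `openssl req -text` output for a
# request from agent01.example.com that also asks for the name "puppet".
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Subject: CN=agent01.example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:agent01.example.com, DNS:puppet, DNS:Puppet.example.com
EOF
}

if extra=$(sample_csr_text | unexpected_alt_names "agent01.example.com"); then
    echo "alt names match the approved list"
else
    echo "do not sign yet, unexpected alt names:" $extra
fi
```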
