On Fri, Mar 9, 2012 at 6:15 PM, Jonathan Proulx <[email protected]> wrote:
> I'm OK with flushing all my certs and starting over, but I have a
> couple of questions. How does the puppet CA populate the altName
> field? And can I make it do what I want for both the CA and the non-CA
> servers or do I just need to suck it up, go get cozy with the openssl
> docs and do the server certs by hand if I want them fancy like that?

Jon, what version of Puppet are you running?

I can't seem to find a doc on this that isn't release notes, so we
should probably get a documentation bug in.

You can set 'dns_alt_names' either in your puppet.conf or on the
command line when the node generates a CSR.

Then you can use "allow-dns-alt-names" when signing the certificate on
the CA to approve those alt names.

Alternatively, you can use "puppet certificate generate" on the CA and
manually transmit the certificate/key to the node.

$ puppet help certificate sign

USAGE: puppet certificate sign [--terminus TERMINUS]
                               [--extra HASH]
                               <--ca-location LOCATION>
                               [--[no-]allow-dns-alt-names]
                               <host>

Sign a certificate signing request for HOST.

RETURNS: A string that appears to be (but isn't) an x509 certificate.

OPTIONS:
  --mode MODE                    - The run mode to use (user, agent, or master).
  --render-as FORMAT             - The rendering format to use.
  --verbose                      - Whether to log verbosely.
  --debug                        - Whether to log debug information.
  --[no-]allow-dns-alt-names     - Whether or not to accept DNS alt names in the
                                   certificate request
  --ca-location LOCATION         - Which certificate authority to use (local or
                                   remote).
  --extra HASH                   - Extra arguments to pass to the indirection
                                   request
  --terminus TERMINUS            - The indirector terminus to use.

TERMINI: ca, file, rest

See 'puppet man certificate' or 'man puppet-certificate' for full help.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
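
A check an operator might run on the CA before approving a request with allow-dns-alt-names, shown as an added example that is not part of the original message: it lists the DNS alt names a CSR asks for and reports any that are not on an approved list. The hostnames, file names and function names are constructed for illustration, and it uses only the openssl command line, not Puppet's own tooling.

```shell
# Added example: review the DNS alt names a CSR requests before approving them.
# All hostnames and file names below are constructed for illustration.

# Build a throwaway CSR that requests two DNS alt names (constructed sample).
make_sample_csr() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = agent01.example.test
[ext]
subjectAltName = DNS:agent01.example.test, DNS:puppet.example.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/csr.pem" 2>/dev/null
}

# Print every DNS subjectAltName found in a PEM CSR, one per line.
list_csr_dns_names() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print the requested names that are NOT in the approved list ($2 onwards).
unexpected_alt_names() {
    csr=$1; shift
    list_csr_dns_names "$csr" | while read -r name; do
        found=no
        for ok in "$@"; do
            if [ "$name" = "$ok" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$name"; fi
    done
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_sample_csr "$workdir"
echo "requested: $(list_csr_dns_names "$workdir/csr.pem" | tr '\n' ' ')"
extra=$(unexpected_alt_names "$workdir/csr.pem" agent01.example.test)
if [ -n "$extra" ]; then
    echo "do not approve alt names yet, unexpected: $extra"
fi
```

An empty result from unexpected_alt_names means every requested name is on the approved list.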