Hi,
I haven't built this kind of scheme, but yes, Puppet should be able to
do this for you.
You will have to implement:
1. A defined type that signs a cert for a given CN.
2. A custom fact that holds all signed certificates in a hash structure suitable for
3. A defined type that wraps the export of
4. A defined type that installs a certificate from PEM input at the appropriate location.
Each agent node that needs a cert will *export* the "sign cert" resource.
    @@cert_to_sign { "service-x": cn => $fqdn, target => '/some/cert/location.pem' }
The CA machine collects all these requests.
    Cert_to_sign <<| |>>
It also exports these certificates back to the requestors.
    create_resources('export_signed_cert', $signed_cert_list) # <- this is the custom fact

    define export_signed_cert($cn, $target, $pem_content) {
      # re-export the signed cert so only the requesting node collects it
      @@signed_cert { $name: cn => $cn, target => $target, content => $pem_content }
    }
Then each agent can import its own certificates.
    Signed_cert <<| cn == $fqdn |>>
This is all quite abstract and I'm not sure I've thought everything
through. But this could be a rough design for what you need.
HTH,
Felix
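The sketch above, written out as one manifest. This is an added example, not code from Felix's mail or from any Puppet module; the CA paths under /etc/internal-ca, the `$signed_cert_list` fact, the resource names and the node names are assumptions, and the openssl commands are one way of doing the signing, not the only one.

```puppet
# Added example (not from the original mail): one possible implementation of
# the four pieces Felix lists, for Puppet with PuppetDB exported resources.
# Assumed: a CA key pair at /etc/internal-ca/ca.key and ca.crt, the openssl
# CLI on the CA node, and a custom fact $signed_cert_list (described in the
# note below) shaped like
#   { 'service-x-web01.example.com' => {
#       'cn' => 'web01.example.com', 'target' => '/etc/ssl/service-x.pem',
#       'pem_content' => "-----BEGIN CERTIFICATE-----\n..." } }

# 1. Runs on the CA node once per collected request: sign a cert for $cn.
#    $target is only recorded so it can travel back with the signed cert.
define cert_to_sign($cn, $target) {
  $ca     = '/etc/internal-ca'
  $issued = "${ca}/issued"

  exec { "issue ${cn}":
    command  => "openssl req -new -newkey rsa:2048 -nodes -keyout ${issued}/${cn}.key -out ${issued}/${cn}.csr -subj '/CN=${cn}' && openssl x509 -req -in ${issued}/${cn}.csr -CA ${ca}/ca.crt -CAkey ${ca}/ca.key -CAcreateserial -days 365 -out ${issued}/${cn}.crt && echo '${target}' > ${issued}/${cn}.target",
    creates  => "${issued}/${cn}.crt",   # idempotent: never re-issue an existing cert
    path     => ['/usr/bin', '/bin'],
    provider => shell,                   # needed for the '&&' chain
  }
}

# 2. The custom fact $signed_cert_list is built on the CA node from the files
#    under /etc/internal-ca/issued (see the note below); it is not Puppet DSL.

# 3. Wraps the export of one signed cert back to whoever requested it.
define export_signed_cert($cn, $target, $pem_content) {
  @@signed_cert { $name:
    cn      => $cn,
    target  => $target,
    content => $pem_content,
  }
}

# 4. Installs a certificate from PEM input at the requested location.
define signed_cert($cn, $target, $content) {
  file { $target:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0444',
    content => $content,
  }
}

# ---- wiring -------------------------------------------------------------
# Every agent that needs a cert exports a request. Exported titles must be
# unique across the whole site, so the FQDN is folded into the title.
node 'web01.example.com' {
  @@cert_to_sign { "service-x-${::fqdn}":
    cn     => $::fqdn,
    target => '/etc/ssl/service-x.pem',
  }
  # Collect only the certs issued for this node's CN.
  Signed_cert <<| cn == $::fqdn |>>
}

# The CA node collects every request, signs it, and re-exports the result.
node 'ca.example.com' {
  Cert_to_sign <<| |>>
  if $::signed_cert_list {
    create_resources('export_signed_cert', $::signed_cert_list)
  }
}
```

The fact itself is a small Facter script on the CA node: `Facter.add('signed_cert_list')` with a `setcode` block that globs `/etc/internal-ca/issued/*.crt`, reads the matching `.target` file and the PEM, and returns a hash keyed by request name; because it returns a hash rather than a string it needs structured-fact support (Puppet 4, or Puppet 3 with `stringify_facts = false`). Two rounds of agent runs are required before a new cert lands: the request must be in PuppetDB before the CA run that signs it, and the signed cert must be in PuppetDB before the requestor's next run.

One property of this design a practitioner should weigh: whatever `export_signed_cert` puts into `content` is stored in PuppetDB and handed to any node whose collector query matches, and `cn == $::fqdn` is a filter the collecting node writes into its own manifest, not an access control enforced by the master. If `pem_content` carries the private key generated in step 1 (which it must, in this shape, for the service to use the cert), every agent on that master is trusted not to collect it. A tighter variant keeps key generation on the requesting node, exports only the CSR (through a fact of its own) and sends back only the signed certificate, so nothing secret ever enters PuppetDB.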
On 01/03/2015 02:34 AM, Tom Noonan wrote:
> Hello, list:
> I'm looking for information/tutorials on using Puppet to generate
> SSL certs for a service managed by Puppet, not Puppet itself. What I
> would like to do is give Puppet access to internal CA keys and have it
> generate and sign certs for services it manages. This will allow me to
> use CA certs for trust without the pain of hand managing my CA.
> I'm hoping someone had trod this path and can provide pointers, as
> this is difficult to Google as I'm not interested in Puppet's internal
> certs. Thanks.
>
> --Tom Noonan II