I can only think of pre-generating certificates when using an external CA and not using an intermediate CA on the Puppet master....
> On 2. Apr 2018, at 21:52, Eric Sorenson <[email protected]> wrote:
>
> Yeah, it's a bit of an outlier workflow but I figured I'd ask. The deafening
> silence indicates it's probably not a use-case we need to treat specially.
>
> --eric0
>
> On Sat, Mar 31, 2018 at 12:23 PM, Michael Watters <[email protected]> wrote:
> I've done this for a few nodes but I'm not sure how this would be an
> improvement over just enabling autosign. Private keys should remain private
> to a node and should never be transmitted over the network if possible.
>
> On Wednesday, March 28, 2018 at 3:10:35 PM UTC-4, Eric Sorenson wrote:
> Is anybody out there pre-generating certificates for your agents? I've heard
> whispered tales of some folks doing this but we're starting work on improving
> the CA / signing / revocation workflow and it'd be great to talk to somebody
> directly. The workflow would be using 'puppet cert generate' on the master/CA
> then distributing both the private key and the resulting certificate in some
> secure, out-of-band mechanism (cloud-init?) to the nodes, so the agent finds
> the CA cert as well as its own key/cert pair ready and waiting when it starts
> up, bypassing the CSR generation/submission completely.
>
> --eric0
>
> --
> You received this message because you are subscribed to a topic in the Google
> Groups "Puppet Users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/puppet-users/rmC7RsQEUwU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/7a75eaf6-b71a-4b34-9b76-fe6dbf6f96fd%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
