On Wed, Aug 5, 2020 at 9:10 AM alexey....@gmail.com <alexey.potyo...@gmail.com> wrote:

> Is it possible to configure the automatic signing of certificates in such
> a way that verification takes place according to a parameter in the config
> on the client. For example, the client config will contain the line:
>
> autosign=5e8ff9bf55ba3508199d22e984129be6
>
> Thus, if the md5 hash is correct, then the CA will sign the certificate
>

I think the thing you're describing is an example of using a CSR attribute
with a policy-based autosigner. This is the entry to the docs pages about
that: https://puppet.com/docs/puppet/6.17/ssl_attributes_extensions.html.

The tl;dr is that you write a special YAML file to the agent and the agent
will include the data in that file in its CSR to the CA. Then you configure
the CA to call a script you write to decide if the cert should be signed.
Your script can then validate that the CSR contains the correct data
attached.


hth,
Justin

> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/825db62a-0163-4b51-b9f5-eac183136ae0n%40googlegroups.com
>
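
The flow described in the reply above, as an added example that is not part of the original thread and is not Puppet's own code: a policy executable for the CA's `autosign` setting that signs only when the CSR carries the expected value in its challengePassword attribute. Assumptions: the agent's `csr_attributes.yaml` puts the token from the question under `custom_attributes` with OID `1.2.840.113549.1.9.7`; the names `autosign?`, `challenge_password`, `secure_eq?`, `sample_csr` and the certname `agent01.example.com` are hypothetical.

```ruby
#!/usr/bin/env ruby
# Added example of a policy-based autosign executable (not Puppet's own code).
# Puppet runs it as `<script> <certname>` with the PEM CSR on stdin;
# exit status 0 means sign, any other status means refuse.
require 'openssl'

CHALLENGE_OID = '1.2.840.113549.1.9.7' # challengePassword
# Value taken from the question; in production read it from a root-only
# file on the CA instead of hard-coding it (assumption).
EXPECTED_TOKEN = '5e8ff9bf55ba3508199d22e984129be6'

# Return the challengePassword string carried in the CSR, or nil if absent.
def challenge_password(csr)
  attr = csr.attributes.find { |a| ['challengePassword', CHALLENGE_OID].include?(a.oid) }
  attr && attr.value.value.first&.value # SET -> first member -> string
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign only if the CSR parses, is self-signed correctly, and carries the token.
def autosign?(csr_pem, expected = EXPECTED_TOKEN)
  csr = OpenSSL::X509::Request.new(csr_pem)
  csr.verify(csr.public_key) && secure_eq?(challenge_password(csr).to_s, expected)
rescue OpenSSL::OpenSSLError
  false
end

# Constructed sample input: a CSR like the one an agent sends when its
# csr_attributes.yaml sets custom_attributes: {1.2.840.113549.1.9.7: <token>}.
def sample_csr(token, certname = 'agent01.example.com')
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  if token
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(token)])
    csr.add_attribute(OpenSSL::X509::Attribute.new(CHALLENGE_OID, set))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Act as the policy executable only when Puppet passes the certname argument.
exit(autosign?($stdin.read) ? 0 : 1) if ARGV.size == 1
```

A single shared value authorizes a certificate for any certname whose CSR includes it, so treat the agent-side YAML file as a secret; a per-node token that the script checks against the certname argument narrows that.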
