I've done this for a few nodes but I'm not sure how this would be an 
improvement over just enabling autosign.  Private keys should remain 
private to a node and should never be transmitted over the network if 
possible.

On Wednesday, March 28, 2018 at 3:10:35 PM UTC-4, Eric Sorenson wrote:
>
> Is anybody out there pre-generating certificates for your agents? I've 
> heard whispered tales of some folks doing this but we're starting work on 
> improving the CA / signing / revocation workflow and it'd be great to talk 
> to somebody directly. The workflow would be using 'puppet cert generate' on 
> the master/CA then distributing both the private key and the resulting 
> certificate in some secure, out-of-band mechanism (cloud-init?) to the 
> nodes, so the agent finds the CA cert as well as its own key/cert pair 
> ready and waiting when it starts up, bypassing the CSR 
> generation/submission completely.
>
> --eric0
>
