Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Welcome to SSLandia: PKI Improvements in Puppet 6

Eric Sorenson
February 05, 2019

Welcome to SSLandia: PKI Improvements in Puppet 6

This presentation goes over improvements in the certificate authority and agent certificate lifecycle in Puppet 6 and Puppet Enterprise 2019.

It introduces the certificate lifecycle and covers intermediate CAs, CRL updates, policy autosigning, and command line interactions.

Presented at Configuration Management Camp in Ghent, Belgium on 5 Feb 2019.

Eric Sorenson

February 05, 2019
Tweet

More Decks by Eric Sorenson

Other Decks in Technology

Transcript

  1. • Reverse DNS • /etc/pki/anything • Phases of the moon

    • Using polite language • Hostname somewhere in cert • Validity Period • CA chain • Not in the CRL No Yes Does the PKI Care about…
  2. Infrastructure CRL # puppetserver/conf.d/ca.conf certificate-authority { enable-infra-crl: true } #

    puppet/ssl/ca/infra_inventory.txt puppetdb.mydomain.com puppetmaster1.mydomain.com
  3. Policy Autosigning autosign-validator # autosign generate foo.example.eu eyJ0eXAiOiJK…. # puppet/puppet.conf

    [master] autosign = /usr/local/bin/autosign- validate # puppet/ssl/ca/infra_inventory.txt puppetdb.mydomain.com puppetmaster1.mydomain.com
  4. New `puppet ssl` subcommand Only operations that make sense for

    agents… puppet ssl <action> [--certname <NAME>] ACTIONS ------- * submit_request: * download_cert: * verify:
  5. puppetserver ca CLI Only operations that make sense for certificate

    authorities… Usage: puppetserver ca <action> [options] Certificate Actions (requires a running Puppet Server): clean Revoke cert(s) and remove related files from CA generate Generate a new certificate signed by the CA list List certificates and CSRs revoke Revoke certificate(s) sign Sign certificate request(s) Initialization Actions (requires Puppet Server to be stopped): import Import an external CA chain and generate master PKI setup Setup a self-signed CA chain for Puppet Server