Welcome to SSLandia: PKI Improvements in Puppet 6

Transcript

1. Welcome to SSLandia
   Eric Sorenson // [email protected] // @ahpook
   

   View Slide

2. Basic PKI Operations
   

   View Slide

3. • Reverse DNS
   • /etc/pki/anything
   • Phases of the moon
   • Using polite language
   • Hostname somewhere in cert
   • Validity Period
   • CA chain
   • Not in the CRL
   No
   Yes
   Does the PKI Care about…
   

   View Slide

4. Puppet 6 PKI
   # puppetserver ca setup
   

   View Slide

5. Infrastructure CRL
   # puppetserver/conf.d/ca.conf
   certificate-authority {
   enable-infra-crl: true
   }
   # puppet/ssl/ca/infra_inventory.txt
   puppetdb.mydomain.com
   puppetmaster1.mydomain.com
   

   View Slide

6. Policy Autosigning
   autosign-validator
   # autosign generate foo.example.eu
   eyJ0eXAiOiJK….
   # puppet/puppet.conf
   [master]
   autosign = /usr/local/bin/autosign-
   validate
   # puppet/ssl/ca/infra_inventory.txt
   puppetdb.mydomain.com
   puppetmaster1.mydomain.com
   

   View Slide

7. New `puppet ssl`
   subcommand
   Only operations that make
   sense for agents…
   puppet ssl [--certname
   ]
   ACTIONS
   -------
   * submit_request:
   * download_cert:
   * verify:
   

   View Slide

8. puppetserver
   ca CLI
   Only operations
   that make sense
   for certificate
   authorities…
   Usage: puppetserver ca [options]
   Certificate Actions (requires a running Puppet Server):
   clean Revoke cert(s) and remove related files from CA
   generate Generate a new certificate signed by the CA
   list List certificates and CSRs
   revoke Revoke certificate(s)
   sign Sign certificate request(s)
   Initialization Actions (requires Puppet Server to be stopped):
   import Import an external CA chain and generate master PKI
   setup Setup a self-signed CA chain for Puppet Server
   

   View Slide

9. • Better Availability
   • API improvements (maybe tomorrow?)
   • External CA proxying
   Next
   steps
   

   View Slide