Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Welcome to SSLandia: PKI Improvements in Puppet 6

Welcome to SSLandia: PKI Improvements in Puppet 6

This presentation goes over improvements in the certificate authority and agent certificate lifecycle in Puppet 6 and Puppet Enterprise 2019.

It introduces the certificate lifecycle and covers intermediate CAs, CRL updates, policy autosigning, and command line interactions.

Presented at Configuration Management Camp in Ghent, Belgium on 5 Feb 2019.

Eric Sorenson

February 05, 2019
Tweet

More Decks by Eric Sorenson

Other Decks in Technology

Transcript

  1. Welcome to SSLandia
    Eric Sorenson // [email protected] // @ahpook

    View full-size slide

  2. Basic PKI Operations

    View full-size slide

  3. • Reverse DNS
    • /etc/pki/anything
    • Phases of the moon
    • Using polite language
    • Hostname somewhere in cert
    • Validity Period
    • CA chain
    • Not in the CRL
    No
    Yes
    Does the PKI Care about…

    View full-size slide

  4. Puppet 6 PKI
    # puppetserver ca setup

    View full-size slide

  5. Infrastructure CRL
    # puppetserver/conf.d/ca.conf
    certificate-authority {
    enable-infra-crl: true
    }
    # puppet/ssl/ca/infra_inventory.txt
    puppetdb.mydomain.com
    puppetmaster1.mydomain.com

    View full-size slide

  6. Policy Autosigning
    autosign-validator
    # autosign generate foo.example.eu
    eyJ0eXAiOiJK….
    # puppet/puppet.conf
    [master]
    autosign = /usr/local/bin/autosign-
    validate
    # puppet/ssl/ca/infra_inventory.txt
    puppetdb.mydomain.com
    puppetmaster1.mydomain.com

    View full-size slide

  7. New `puppet ssl`
    subcommand
    Only operations that make
    sense for agents…
    puppet ssl [--certname
    ]
    ACTIONS
    -------
    * submit_request:
    * download_cert:
    * verify:

    View full-size slide

  8. puppetserver
    ca CLI
    Only operations
    that make sense
    for certificate
    authorities…
    Usage: puppetserver ca [options]
    Certificate Actions (requires a running Puppet Server):
    clean Revoke cert(s) and remove related files from CA
    generate Generate a new certificate signed by the CA
    list List certificates and CSRs
    revoke Revoke certificate(s)
    sign Sign certificate request(s)
    Initialization Actions (requires Puppet Server to be stopped):
    import Import an external CA chain and generate master PKI
    setup Setup a self-signed CA chain for Puppet Server

    View full-size slide

  9. • Better Availability
    • API improvements (maybe tomorrow?)
    • External CA proxying
    Next
    steps

    View full-size slide