Welcome to SSLandia: PKI Improvements in Puppet 6

Transcript

1. Welcome to SSLandia Eric Sorenson // [email protected] // @ahpook

2. Basic PKI Operations

3. • Reverse DNS • /etc/pki/anything • Phases of the moon

   • Using polite language • Hostname somewhere in cert • Validity Period • CA chain • Not in the CRL No Yes Does the PKI Care about…

4. Puppet 6 PKI # puppetserver ca setup

5. Infrastructure CRL # puppetserver/conf.d/ca.conf certificate-authority { enable-infra-crl: true } #

   puppet/ssl/ca/infra_inventory.txt puppetdb.mydomain.com puppetmaster1.mydomain.com

6. Policy Autosigning autosign-validator # autosign generate foo.example.eu eyJ0eXAiOiJK…. # puppet/puppet.conf

   [master] autosign = /usr/local/bin/autosign- validate # puppet/ssl/ca/infra_inventory.txt puppetdb.mydomain.com puppetmaster1.mydomain.com

7. New `puppet ssl` subcommand Only operations that make sense for

   agents… puppet ssl <action> [--certname <NAME>] ACTIONS ------- * submit_request: * download_cert: * verify:

8. puppetserver ca CLI Only operations that make sense for certificate

   authorities… Usage: puppetserver ca <action> [options] Certificate Actions (requires a running Puppet Server): clean Revoke cert(s) and remove related files from CA generate Generate a new certificate signed by the CA list List certificates and CSRs revoke Revoke certificate(s) sign Sign certificate request(s) Initialization Actions (requires Puppet Server to be stopped): import Import an external CA chain and generate master PKI setup Setup a self-signed CA chain for Puppet Server

9. • Better Availability • API improvements (maybe tomorrow?) • External

   CA proxying Next steps