How do you manage SSL/TLS certificates and private keys?


Vaidas Jablonskis

Nov 6, 2012, 8:29:50 AM
to puppet...@googlegroups.com
Hi People,

I would like some insight from you on how to easily manage SSL certs/keys.

My puppet infrastructure is pretty straight forward: puppet3+puppetdb+hiera+hiera-gpg.

I am in the process of writing tons of modules, which are pretty general modules with no hardcoded dependencies between them. As I am going forward with building modules and stuff I came across the issue of how to manage SSL certs.

Let me give you an example scenario:
I have a node named "node.example.com" which gets some apps configured by puppet by 3 different modules, let's call them app1, app2 and app3. Those applications require SSL certificates to function properly. The CN of the cert needs to reflect the hostname of the node.

What options do I have here? In my opinion I could:

1. Use hiera text blocks and store certs/keys in hiera/hiera-gpg in a variable something like: "ssl_cert_node.example.com" and "ssl_key_node.example.com" and then reference this variable inside a module using variables so nothing is hardcoded.
2. Build an SSL module which would distribute certs/keys taken from hiera/hiera-gpg.

Any other ideas? I do not want to use module dependencies and I hate hardcoding stuff into modules.

Thanks,
Vaidas

Matt Zagrabelny

Nov 6, 2012, 10:28:27 AM
to puppet...@googlegroups.com
I use the "private" area in the puppet file server.

$ cat /etc/puppet/fileserver.conf
[private]
path /etc/puppet/private/%h
allow *

For example:

file { "/etc/ssh/ssh_host_dsa_key":
  mode    => '0600',
  source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
  require => Class["ssh::install"],
  notify  => Service["ssh"],
}

-mz

Vaidas Jablonskis

Nov 6, 2012, 11:00:59 AM
to puppet...@googlegroups.com
That would work if I didn't want to have everything under version control. I guess the only option for storing certs/keys I have is hiera-gpg with yaml or some other backend.

I am still trying to figure out what should distribute certs/keys - is it a separate module or the app module itself? What would be the best practice in this case?

Thanks
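An added example (not code from anyone in this thread) showing how the second option from the opening post and the "separate module or app module?" question could be put together in Puppet 3 syntax: a small, generic `ssl` module owns the mechanics of writing a cert/key pair, the PEM content comes from hiera (with the private key kept in the hiera-gpg backend), and each app module simply declares the pair it needs. The module name `ssl`, the define `ssl::cert`, the hiera key names and the paths under `/etc/ssl/private` are all assumptions chosen for the illustration; the key names follow the `ssl_cert_<fqdn>` / `ssl_key_<fqdn>` pattern suggested in the first post.

```puppet
# modules/ssl/manifests/cert.pp  (hypothetical module layout for this example)
#
# Writes one certificate/key pair for the current node. The PEM data is
# looked up in hiera at catalog compile time, keyed on the node's fqdn, so
# the module carries no hardcoded secrets and no dependency on the
# application modules that consume it.
define ssl::cert (
  $cert_key = "ssl_cert_${::fqdn}",   # hiera key holding the PEM certificate
  $key_key  = "ssl_key_${::fqdn}",    # hiera key holding the PEM private key (hiera-gpg)
  $dir      = '/etc/ssl/private',
  $owner    = 'root',
  $group    = 'root',
) {
  # hiera() fails the catalog if the key is missing, which is what we want:
  # better no catalog than an app started without its certificate.
  $cert = hiera($cert_key)
  $key  = hiera($key_key)

  file { "${dir}/${name}.crt":
    ensure  => file,
    owner   => $owner,
    group   => $group,
    mode    => '0644',
    content => $cert,
  }

  # The private key is readable by its owner only. backup => false keeps
  # Puppet from copying the old key into the filebucket on change, and
  # show_diff => false keeps key material out of the agent log/report.
  file { "${dir}/${name}.key":
    ensure    => file,
    owner     => $owner,
    group     => $group,
    mode      => '0600',
    content   => $key,
    backup    => false,
    show_diff => false,
  }
}

# modules/app1/manifests/init.pp  (hypothetical consumer)
#
# The app module declares the pair it needs and restarts when it changes.
# It never sees the hiera keys or the PEM content itself.
class app1 {
  ssl::cert { 'app1': }   # manages /etc/ssl/private/app1.crt and app1.key

  service { 'app1':
    ensure    => running,
    subscribe => Ssl::Cert['app1'],
  }
}

# Constructed hiera data for node.example.com (shown decrypted; with
# hiera-gpg the file holding these keys is stored GPG-encrypted, so the
# private key can live in version control without being readable there):
#
#   ---
#   "ssl_cert_node.example.com": |
#     -----BEGIN CERTIFICATE-----
#     ...placeholder...
#     -----END CERTIFICATE-----
#   "ssl_key_node.example.com": |
#     -----BEGIN RSA PRIVATE KEY-----
#     ...placeholder...
#     -----END RSA PRIVATE KEY-----
```

Two things this layout buys beyond the fileserver approach: the data is version-controlled (encrypted) alongside the rest of hiera, and the mapping from node to certificate is the node's own fqdn, so a host can only ever be handed the pair that was stored under its own name. If you would rather not embed the hostname in the key names, the same define works unchanged with a per-node hiera hierarchy level (`%{::fqdn}`) and plain `ssl_cert` / `ssl_key` keys passed as `$cert_key` / `$key_key`.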