Steps:
1. Create Certificate Profile: SubCA-OCSP Incapable
2. Create End Entity Profile: SubCA
3. Create End Entity: ARSWiki Puppet Certificate Authority
4. Update /etc/puppet/puppet.conf, add dns_alt_names
5. Backup Canned Certificates
# tar -cvzf /var/lib/puppet/ssl.tgz -C /var/lib/puppet/ ./ssl
# find /var/lib/puppet/ssl -type f |sort
/var/lib/puppet/ssl/ca/ca_crl.pem
/var/lib/puppet/ssl/ca/ca_crt.pem
/var/lib/puppet/ssl/ca/ca_key.pem
/var/lib/puppet/ssl/ca/ca_pub.pem
/var/lib/puppet/ssl/ca/inventory.txt
/var/lib/puppet/ssl/ca/private/ca.pass
/var/lib/puppet/ssl/ca/serial
/var/lib/puppet/ssl/ca/signed/puppet01.home.arswiki.org.pem
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/puppet01.home.arswiki.org.pem
/var/lib/puppet/ssl/crl.pem
/var/lib/puppet/ssl/private_keys/puppet01.home.arswiki.org.pem
/var/lib/puppet/ssl/public_keys/puppet01.home.arswiki.org.pem
6. List All Certificates
# puppet cert list --all
7. List CA Certificates
# puppet ca list --all
+ puppet01.home.arswiki.org (SHA256) BB:98:85:8B:A9:B7:D9:85:E4:A3:A0:0A:03:E8:D6:D5:A4:22:6E:9E:A8:3A:6F:0B:AB:33:A7:24:DA:22:30:10
8. Delete the canned CA certificates and the server's key pair. ca_key.pem and ca/private/ca.pass are deliberately kept: the existing CA key is reused for the CSR in step 10
rm /var/lib/puppet/ssl/ca/ca_crt.pem
rm /var/lib/puppet/ssl/ca/signed/puppet01.home.arswiki.org.pem
rm /var/lib/puppet/ssl/certs/ca.pem
rm /var/lib/puppet/ssl/certs/puppet01.home.arswiki.org.pem
rm /var/lib/puppet/ssl/private_keys/puppet01.home.arswiki.org.pem
rm /var/lib/puppet/ssl/public_keys/puppet01.home.arswiki.org.pem
rm /var/lib/puppet/ssl/ca/inventory.txt
rm /var/lib/puppet/ssl/ca/serial
9. Create /var/lib/puppet/ssl/openssl.cnf
10. Create the CA CSR using the existing CA private key. The key is encrypted with the passphrase stored in /var/lib/puppet/ssl/ca/private/ca.pass, so hand that file to openssl with -passin instead of typing the passphrase at the prompt
# openssl req -new -key /var/lib/puppet/ssl/ca/ca_key.pem -passin file:/var/lib/puppet/ssl/ca/private/ca.pass -out /var/lib/puppet/ssl/ca/ca.csr
11. Sign the CSR using EJBCA (Create Certificate from CSR)
12. Place the CA Certificate in the following files:
/var/lib/puppet/ssl/ca/ca_crt.pem
/var/lib/puppet/ssl/certs/ca.pem
13. Verify the contents of the CA certificate: the Issuer must be the EJBCA root, Basic Constraints must say CA:TRUE and Key Usage must include Certificate Sign and CRL Sign, otherwise the master cannot issue or revoke agent certificates with it
# openssl x509 -in /var/lib/puppet/ssl/certs/ca.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2224291428406243509 (0x1ede4544f319b0b5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=ARSWiki Root CA, O=ARSWiki, C=US
Validity
Not Before: Mar 18 04:09:59 2014 GMT
Not After : Mar 11 03:53:29 2034 GMT
X509v3 extensions:
X509v3 Subject Key Identifier:
xxx
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:xxx
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
14. Copy the CA certificate into its second location (both files were listed in step 12)
cp /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/ca/ca_crt.pem
15. Manually create /var/lib/puppet/ssl/ca/inventory.txt. Puppet writes one line per issued certificate as 0x<serial> <notBefore> <notAfter> <subject> and consults this file when revoking a certificate by name. The entry below uses a hand-picked serial (0x0003) rather than the EJBCA-assigned one shown in step 13 (0x1ede4544f319b0b5); that is harmless for the CA's own entry, but it is not the value Puppet itself would have written
0x0003 2014-03-18T04:09:59UTC 2034-03-11T03:53:29UTC /CN=ARSWiki Puppet Certificate Authority
16. Manually create /var/lib/puppet/ssl/ca/serial. It holds the next serial Puppet will issue, in hex, so 0004 follows the 0x0003 entry above
0004
17. Generate a new certificate for the server (its old key pair and certificate were removed in step 8; the dns_alt_names setting from step 4 is picked up for the master's own certificate)
# puppet cert generate puppet01.home.arswiki.org
18. Set file ownership and permissions. These are Puppet's own defaults for the files; note that the CA key and its passphrase are readable and writable by the puppet group, so keep membership of that group minimal
chown -R puppet:puppet /var/lib/puppet/ssl
chmod 660 /var/lib/puppet/ssl/ca/ca_crt.pem
chmod 644 /var/lib/puppet/ssl/certs/ca.pem
chmod 660 /var/lib/puppet/ssl/ca/private/ca.pass
chmod 660 /var/lib/puppet/ssl/ca/ca_key.pem
chmod 640 /var/lib/puppet/ssl/ca/ca_pub.pem
chmod 644 /var/lib/puppet/ssl/ca/inventory.txt
chmod 644 /var/lib/puppet/ssl/ca/serial
chmod 664 /var/lib/puppet/ssl/ca/ca_crl.pem
chmod 644 /var/lib/puppet/ssl/crl.pem
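The part of the procedure from signing onward, as an added example (this is not code from the original page, nor from Puppet or EJBCA): a POSIX shell script that checks the certificate EJBCA returned before the master is started again (the certificate's public key matches ca/ca_key.pem, it chains to the EJBCA root, it carries CA:TRUE and Certificate Sign, and ca/ca_crt.pem is identical to certs/ca.pem) and then writes ca/inventory.txt and ca/serial from the certificate's own fields instead of by hand (steps 15 and 16). Assumptions: the EJBCA root certificate is available as a PEM file (the page does not say where it is kept); Puppet 3's file formats (inventory line 0x<serial> <notBefore> <notAfter> <subject> with a lowercase serial of at least four hex digits, serial file holding the next serial to issue as uppercase hex, four digits minimum); and the counter continues from the CA certificate's own serial so the two files stay consistent, which differs from the hand-picked 0x0003/0004 on the page. The file name in the usage line is made up. The formatting helpers work on plain strings, so they can be exercised without a certificate at hand.

```shell
#!/bin/sh
# Added example, not code from the original page, Puppet or EJBCA: post-signing checks
# and generation of ca/inventory.txt and ca/serial for a Puppet 3 CA whose certificate
# was issued externally (EJBCA). Assumed formats (Puppet 3):
#   inventory line: 0x<serial, lower case, >=4 hex digits> <notBefore> <notAfter> <subject>
#   serial file:    the next serial to issue, upper case hex, >=4 digits
# The EJBCA root certificate is assumed to be available as a PEM file.

# "Mar 18 04:09:59 2014 GMT" -> "2014-03-18T04:09:59UTC" (openssl always prints GMT).
puppet_date() {
    set -- $1    # word-split into Month Day Time Year Zone; a one-digit day is space padded
    case "$1" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo "puppet_date: unknown month '$1'" >&2; return 1;;
    esac
    case "$2" in ?) d="0$2";; *) d="$2";; esac
    printf '%s-%s-%sT%sUTC\n' "$4" "$m" "$d" "$3"
}

# "1EDE4544F319B0B5" (as printed by openssl x509 -serial) -> "0x1ede4544f319b0b5"; "03" -> "0x0003".
puppet_serial() {
    s=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while [ ${#s} -lt 4 ]; do s="0$s"; done
    printf '0x%s\n' "$s"
}

# One inventory.txt line from the key=value lines openssl prints plus the subject DN.
inventory_line() {    # serial=... notBefore=... notAfter=... subject
    printf '%s %s %s %s\n' "$(puppet_serial "${1#serial=}")" \
        "$(puppet_date "${2#notBefore=}")" "$(puppet_date "${3#notAfter=}")" "$4"
}

# Next value for ca/serial: the last issued serial (with or without 0x) plus one, as %04X.
# Shell arithmetic is 64-bit signed, so anything above 0x7fffffffffffffff is refused.
next_serial() {
    last=$(printf '%s' "$1" | sed 's/^0[xX]//')
    case "${#last}" in
        ?|1[0-5]) ;;
        16) case "$last" in [0-7]*) ;; *) echo "next_serial: $1 too large, set ca/serial by hand" >&2; return 1;; esac ;;
        *) echo "next_serial: $1 too large, set ca/serial by hand" >&2; return 1 ;;
    esac
    printf '%04X\n' $((0x$last + 1))
}

# --- checks on the real files (need openssl) -----------------------------------

# certs/ca.pem must carry the public half of ca/ca_key.pem (PEM public keys compared byte for byte).
key_matches_cert() {    # cert key passfile
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -passin "file:$3" -pubout) || return 1
    [ "$a" = "$b" ]
}

# certs/ca.pem must validate against the EJBCA root that issued it.
chains_to_root() {      # cert rootcert
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# It must be usable as a CA: basicConstraints CA:TRUE and keyUsage Certificate Sign.
has_ca_extensions() {   # cert
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' && printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# Inventory line for a certificate file; -nameopt compat gives the "/CN=..." subject form Puppet writes.
inventory_from_cert() { # cert
    inventory_line "$(openssl x509 -in "$1" -noout -serial)" \
        "$(openssl x509 -in "$1" -noout -startdate)" \
        "$(openssl x509 -in "$1" -noout -enddate)" \
        "$(openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//')"
}

# Run every check against the page's directory layout; on success write inventory.txt and serial.
check_puppet_ca() {     # ssldir rootcert
    ssl=$1 root=$2 cert=$1/certs/ca.pem
    key_matches_cert "$cert" "$ssl/ca/ca_key.pem" "$ssl/ca/private/ca.pass" ||
        { echo "FAIL: certs/ca.pem does not match ca/ca_key.pem" >&2; return 1; }
    chains_to_root "$cert" "$root" ||
        { echo "FAIL: certs/ca.pem does not chain to $root" >&2; return 1; }
    has_ca_extensions "$cert" ||
        { echo "FAIL: certs/ca.pem lacks CA:TRUE or Certificate Sign" >&2; return 1; }
    cmp -s "$cert" "$ssl/ca/ca_crt.pem" ||
        { echo "FAIL: ca/ca_crt.pem differs from certs/ca.pem (step 14)" >&2; return 1; }
    line=$(inventory_from_cert "$cert") || return 1
    next=$(next_serial "${line%% *}") || return 1
    printf '%s\n' "$line" > "$ssl/ca/inventory.txt"
    printf '%s\n' "$next" > "$ssl/ca/serial"
    echo "OK: wrote $ssl/ca/inventory.txt and $ssl/ca/serial"
}

# Usage: sh puppet-subca-check.sh /var/lib/puppet/ssl /path/to/ejbca-root.pem
# Without arguments only the functions are defined, so the file can be sourced.
[ $# -lt 2 ] || check_puppet_ca "$1" "$2"
```

Run it as root after step 14 and before step 17; a failed check exits non-zero without touching inventory.txt or serial, so the master is never started against a certificate that does not belong to its key. Because the counter is derived from the CA certificate's serial, agent certificates issued afterwards get serials above that value rather than starting at 0004.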
Axton Grams