Using existing CA certificate for Puppet CA service.


maks N

Feb 21, 2014, 2:21:31 PM
to puppet...@googlegroups.com
Hi to all.

I have CA with root certificate "rootCA.pem", and intermediate CA certificate "puppetRootCA.pem" (signed by rootCA.pem) for Puppet infrastructure. I want that Puppet CA subsystem use certs and keys puppetRootCA.pem and puppetRootCA.key.
In documentation written (in section Supported External CA Configurations ): "These configurations are all-or-nothing rather than mix-and-match. When using an external CA, the built in Puppet CA service must be disabled and cannot be used to issue SSL certificates."
Is it possible to use puppetRootCA.pem with enabled "ca = true" in puppet.conf?

axton...@gmail.com

Mar 17, 2014, 10:43:21 PM
to puppet...@googlegroups.com
I would like to do the same thing.  I am using EJBCA and I would like to sign an external CA for use by Puppet, as outlined here:

This should allow Puppet to manage/issue certificates for that SubCA just as it would with the self-signed CA created during the Puppet installation.  I will post my findings when I work through this.

Axton Grams

axton...@gmail.com

Mar 18, 2014, 6:14:52 PM
to puppet...@googlegroups.com
So I was able to get this working. There may be a better/cleaner way to do this, but this works for my needs. This was done on Debian wheezy using the latest packages from http://apt.puppetlabs.com. For the new CA certificate, I used the same parameters and extensions defined in the original CA certificate. The only thing I have not found out how to do properly is to recreate the CRL. The CRL in place using the steps below is the original CRL created during the installation process. I have not yet done extensive testing to verify everything is working properly, but I can access the web interface (apache via puppetmaster-passenger) and it is using my CA. I am new to puppet, so there may be things not working that I am not yet aware of.

I found the following sites helpful when working through this:

Steps:
1. Create Certificate Profile: SubCA-OCSP Incapable
2. Create End Entity Profile: SubCA
3. Create End Entity: ARSWiki Puppet Certificate Authority
4. Update /etc/puppet/puppet.conf, add dns_alt_names
dns_alt_names=puppet,puppet01,puppet.home.arswiki.org,puppet01.home.arswiki.org
5. Backup Canned Certificates
# tar -cvzf /var/lib/puppet/ssl.tgz -C /var/lib/puppet/ ./ssl
# find /var/lib/puppet/ssl -type f |sort
/var/lib/puppet/ssl/ca/ca_crl.pem
/var/lib/puppet/ssl/ca/ca_crt.pem
/var/lib/puppet/ssl/ca/ca_key.pem
/var/lib/puppet/ssl/ca/ca_pub.pem
/var/lib/puppet/ssl/ca/inventory.txt
/var/lib/puppet/ssl/ca/private/ca.pass
/var/lib/puppet/ssl/ca/serial
/var/lib/puppet/ssl/ca/signed/puppet01.home.arswiki.org.pem
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/puppet01.home.arswiki.org.pem
/var/lib/puppet/ssl/crl.pem
/var/lib/puppet/ssl/private_keys/puppet01.home.arswiki.org.pem
/var/lib/puppet/ssl/public_keys/puppet01.home.arswiki.org.pem
6. List All Certificates
# puppet cert list --all
+ "puppet01.home.arswiki.org" (SHA256) BB:98:85:8B:A9:B7:D9:85:E4:A3:A0:0A:03:E8:D6:D5:A4:22:6E:9E:A8:3A:6F:0B:AB:33:A7:24:DA:22:30:10 (alt names: "DNS:puppet", "DNS:puppet.home.arswiki.org", "DNS:puppet01.home.arswiki.org")
7. List CA Certificates
# puppet ca list --all
+ puppet01.home.arswiki.org  (SHA256) BB:98:85:8B:A9:B7:D9:85:E4:A3:A0:0A:03:E8:D6:D5:A4:22:6E:9E:A8:3A:6F:0B:AB:33:A7:24:DA:22:30:10
8. Delete CA Certificates
rm /var/lib/puppet/ssl/ca/ca_crt.pem
rm /var/lib/puppet/ssl/ca/signed/puppet01.home.arswiki.org.pem
rm /var/lib/puppet/ssl/certs/ca.pem
rm /var/lib/puppet/ssl/certs/puppet01.home.arswiki.org.pem
rm /var/lib/puppet/ssl/private_keys/puppet01.home.arswiki.org.pem
rm /var/lib/puppet/ssl/public_keys/puppet01.home.arswiki.org.pem
rm /var/lib/puppet/ssl/ca/inventory.txt
rm /var/lib/puppet/ssl/ca/serial
9. Create /var/lib/puppet/ssl/openssl.cnf
10. Create CA CSR Using Self-Generated Private Key
# openssl req -new -key /var/lib/puppet/ssl/ca/ca_key.pem -out /var/lib/puppet/ssl/ca/ca.csr
11. Sign the CSR using EJBCA (Create Certificate from CSR)
12. Place the CA Certificate in the following files:
/var/lib/puppet/ssl/ca/ca_crt.pem
/var/lib/puppet/ssl/certs/ca.pem
13. Verify the contents of the CA Certificate
# openssl x509 -in /var/lib/puppet/ssl/certs/ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2224291428406243509 (0x1ede4544f319b0b5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ARSWiki Root CA, O=ARSWiki, C=US
        Validity
            Not Before: Mar 18 04:09:59 2014 GMT
            Not After : Mar 11 03:53:29 2034 GMT

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                xxx
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:xxx

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
14. Copy the CA Cert into its other location
cp /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/ca/ca_crt.pem
15. Manually create /var/lib/puppet/ssl/ca/inventory.txt
0x0003 2014-03-18T04:09:59UTC 2034-03-11T03:53:29UTC /CN=ARSWiki Puppet Certificate Authority
16. Manually create /var/lib/puppet/ssl/ca/serial
0004
17. Generate a new certificate for the server
# puppet cert --generate puppet01.home.arswiki.org
18. Set file ownership and permissions
chown -R puppet:puppet /var/lib/puppet/ssl
chmod 660 /var/lib/puppet/ssl/ca/ca_crt.pem
chmod 644 /var/lib/puppet/ssl/certs/ca.pem
chmod 660 /var/lib/puppet/ssl/ca/private/ca.pass
chmod 660 /var/lib/puppet/ssl/ca/ca_key.pem
chmod 640 /var/lib/puppet/ssl/ca/ca_pub.pem
chmod 644 /var/lib/puppet/ssl/ca/inventory.txt
chmod 644 /var/lib/puppet/ssl/ca/serial
chmod 664 /var/lib/puppet/ssl/ca/ca_crl.pem
chmod 644 /var/lib/puppet/ssl/crl.pem

Axton Grams

Florian Sachs

Jun 6, 2014, 2:04:37 AM
to puppet...@googlegroups.com
Hi,

How are your experiences with this setup? Did you encounter any problems? Have you been able to solve the CRL-problem?

I am about to implement the same configuration and your post was the best one describing a solution, so I would like to hear if it worked out.

best regards,
florian