Pre-generated certificates?


Eric Sorenson

Mar 28, 2018, 3:10:35 PM3/28/18
to Puppet Users
Is anybody out there pre-generating certificates for your agents? I've heard whispered tales of some folks doing this but we're starting work on improving the CA / signing / revocation workflow and it'd be great to talk to somebody directly. The workflow would be using 'puppet cert generate' on the master/CA then distributing both the private key and the resulting certificate in some secure, out-of-band mechanism (cloud-init?) to the nodes, so the agent finds the CA cert as well as its own key/cert pair ready and waiting when it starts up, bypassing the CSR generation/submission completely.

--eric0

Michael Watters

Mar 31, 2018, 3:23:27 PM3/31/18
to Puppet Users
I've done this for a few nodes but I'm not sure how this would be an improvement over just enabling autosign. Private keys should remain private to a node and should never be transmitted over the network if possible.

Eric Sorenson

Apr 2, 2018, 3:52:50 PM4/2/18
to puppet...@googlegroups.com
Yeah, it's a bit of an outlier workflow but I figured I'd ask. The deafening silence indicates it's probably not a use-case we need to treat specially.

--eric0

--
You received this message because you are subscribed to a topic in the Google Groups "Puppet Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/puppet-users/rmC7RsQEUwU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/7a75eaf6-b71a-4b34-9b76-fe6dbf6f96fd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Martin Alfke

Apr 5, 2018, 12:26:43 PM4/5/18
to puppet...@googlegroups.com
I can only think of pre-generating certificates when using an external CA and not using an intermediate CA on the Puppet master....
