SSL Cert automation for service


Tom Noonan

Jan 4, 2015, 8:46:35 PM
to puppet...@googlegroups.com
Hello, list:
I'm looking for information/tutorials on using Puppet to generate
SSL certs for a service managed by Puppet, not Puppet itself. What I
would like to do is give Puppet access to internal CA keys and have it
generate and sign certs for services it manages. This will allow me to
use CA certs for trust without the pain of hand managing my CA.
I'm hoping someone has trodden this path and can provide pointers, as
this is difficult to Google as I'm not interested in Puppet's internal
certs. Thanks.

--Tom Noonan II

Felix Frank

Jan 6, 2015, 6:40:53 PM
to puppet...@googlegroups.com
Hi,

I haven't built this kind of scheme, but yes, Puppet should be able to
do this for you.

You will have to implement
1. A defined type that signs a cert for a given CN.
2. A custom fact that holds all signed certificates in a hash structure
suitable for
3. A defined type that wraps the export of
4. A defined type that installs a certificate from PEM input at the
appropriate location.

Each agent node that needs a cert will *export* the "sign cert" resource.

@@cert_to_sign { "service-x": cn => $fqdn, target => '/some/cert/location.pem' }

The CA machine collects all these requests.

Cert_to_sign<<| |>>

It also exports these certificates back to the requestors.

create_resources('export_signed_cert', $signed_cert_list) # <- this is the custom fact

define export_signed_cert($cn, $target, $pem_content) {
  # re-export the signed cert so the requesting agent can collect it by CN
  @@signed_cert { $name: cn => $cn, target => $target, content => $pem_content }
}

Then each agent can import its own certificates.

Signed_cert<<| cn == $fqdn |>>

This is all quite abstract and I'm not sure I've thought everything
through. But this could be a rough design for what you need.

HTH,
Felix
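
Step 2 of the design above (the custom fact that feeds create_resources) worked out in plain Ruby, as an added example that is not from the thread or from Puppet itself. It assumes a layout the thread does not specify: the CA-side "sign cert" type writes each signed certificate to SIGNED_DIR/<title>.pem and the requested install path to a sidecar SIGNED_DIR/<title>.target; make_sample_dir only builds throwaway input so the fact body can be exercised without a real CA.

```ruby
require 'openssl'
require 'tmpdir'

SIGNED_DIR = '/var/lib/puppet-ca/signed'.freeze  # assumed layout, not from the thread

# Fact body: build the hash create_resources('export_signed_cert', ...) consumes,
# keyed by the original cert_to_sign title: { title => { cn, target, pem_content } }.
def signed_cert_list(dir = SIGNED_DIR)
  Dir.glob(File.join(dir, '*.pem')).sort.each_with_object({}) do |pem_path, list|
    title = File.basename(pem_path, '.pem')
    target_file = File.join(dir, "#{title}.target")
    next unless File.file?(target_file)          # signing not finished; skip
    pem = File.read(pem_path)
    begin
      cert = OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::X509::CertificateError
      next                                       # not a certificate; don't export it
    end
    next if cert.not_after < Time.now            # never hand out an expired cert
    cn = cert.subject.to_a.find { |name, _, _| name == 'CN' }&.fetch(1)
    next if cn.nil?                              # agents collect on cn, so no CN is useless
    list[title] = { 'cn' => cn, 'target' => File.read(target_file).strip,
                    'pem_content' => pem }
  end
end

if defined?(Facter)                              # register only when loaded by Facter
  Facter.add(:signed_cert_list) { setcode { signed_cert_list } }
end

# Constructed sample input: a throwaway self-signed cert plus its .target file.
# days < 0 produces an already-expired cert, to exercise the expiry check.
def make_sample_dir(title, cn, target, days = 30)
  dir = Dir.mktmpdir('signed')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(File.join(dir, "#{title}.pem"), cert.to_pem)
  File.write(File.join(dir, "#{title}.target"), "#{target}\n")
  dir
end
```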

Thomas Müller

Jan 7, 2015, 4:12:00 AM
to puppet...@googlegroups.com


On Monday, January 5, 2015 at 02:46:35 UTC+1, Tom Noonan wrote:
Hello, list:
   I'm looking for information/tutorials on using Puppet to generate
SSL certs for a service managed by Puppet, not Puppet itself.  What I
would like to do is give Puppet access to internal CA keys and have it
generate and sign certs for services it manages.  This will allow me to
use CA certs for trust without the pain of hand managing my CA.

trocla (https://github.com/duritong/trocla, https://forge.puppetlabs.com/duritong/trocla) has the ability to generate certificates and sign them (x509 type). Haven't used it myself.


- Thomas