Alternative autosign parameter


alexey....@gmail.com

Aug 5, 2020, 12:10:53 PM
to Puppet Users
Is it possible to configure the automatic signing of certificates in such a way that verification takes place according to a parameter in the config on the client? For example, the client config will contain the line:

autosign=5e8ff9bf55ba3508199d22e984129be6

Thus, if the md5 hash is correct, then the CA will sign the certificate.

Justin Stoller

Aug 5, 2020, 1:56:54 PM
to puppet...@googlegroups.com
I think the thing you're describing is an example of using a CSR Attribute with a policy based autosigner. This is the entry to the docs pages about that: https://puppet.com/docs/puppet/6.17/ssl_attributes_extensions.html.

The tl;dr is that you write a special YAML file to the agent and the agent will include the data in that file in its CSR to the CA. Then you configure the CA to call a script you write to decide if the cert should be signed. Your script can then validate that the CSR contains the correct data attached.


hth,
Justin
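
A policy executable of the kind described in the reply above, as an added example that is not part of the original thread and not Puppet's own code. It assumes the agent sends the shared token as the challengePassword attribute (OID 1.2.840.113549.1.9.7 under `custom_attributes` in `csr_attributes.yaml`) and that the CA keeps the expected token in a file; `SECRET_FILE` and `sample_csr` are hypothetical names introduced for this example.

```ruby
# Policy-based autosign executable (added example, not Puppet's own code).
# The CA runs it with the certname as the only argument and the PEM CSR on
# stdin; exit status 0 means "sign", any other status means "do not sign".
require "openssl"

CHALLENGE_OID = "1.2.840.113549.1.9.7" # challengePassword
SECRET_FILE = "/etc/puppetlabs/puppet/autosign_secret" # assumed path

# Compare SHA-256 digests byte by byte with no early exit.
def secure_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a).bytes
  db = OpenSSL::Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the challengePassword string carried in the CSR, or nil if absent.
def csr_challenge(req)
  attr = req.attributes.find do |a|
    OpenSSL::ASN1::ObjectId.new(a.oid).oid == CHALLENGE_OID
  end
  attr && attr.value.value.first&.value.to_s
end

# true only if the CSR signature verifies and it carries the expected token.
def should_sign?(csr_pem, expected)
  req = OpenSSL::X509::Request.new(csr_pem)
  return false unless req.verify(req.public_key)
  presented = csr_challenge(req)
  !expected.empty? && !presented.nil? && secure_equal?(presented, expected)
rescue OpenSSL::X509::RequestError
  false # unparsable or malformed CSR: fail closed
end

# Constructed fixture: a CSR carrying `token`, built here for testing only.
def sample_csr(token)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.subject = OpenSSL::X509::Name.parse("/CN=agent01.example.com")
  req.public_key = key.public_key
  value = OpenSSL::ASN1::Set([OpenSSL::ASN1::UTF8String(token)])
  req.add_attribute(OpenSSL::X509::Attribute.new("challengePassword", value))
  req.sign(key, OpenSSL::Digest::SHA256.new)
  req.to_pem
end

# Act as the policy executable only when the CA passes a certname argument.
unless ARGV.empty?
  expected = File.read(SECRET_FILE).strip
  exit(should_sign?($stdin.read, expected) ? 0 : 1)
end
```

A static token in the CSR is a shared secret: anyone who can read it on one agent can request a certificate under any certname, so the file holding it on both sides should be readable only by the Puppet user.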
