Moving from FakeCA to real certs


Samuel Vange

Jan 13, 2017, 2:11:57 PM
to SIMP Users
I have a SIMP 5.2.0 on RHEL system running. We have been developing for a few months and it's time for us to switch from FakeCA to a real certificate authority. To do this I plan to do the following:

1.) Clean out the /etc/puppet/environments/simp/keydist/*/ directories
2.) For each client, populate the /etc/puppet/environments/simp/keydist/FQDN-OF-CLIENT/ directory with the new client certificates
3.) chown, chmod and chcon /etc/puppet/environments/simp/keydist/ appropriately (recursively)
4.) Empty out /etc/puppet/environments/simp/keydist/cacerts
5.) Copy new root CA public cert 'rootcacert.pem' into /etc/puppet/environments/simp/keydist/cacerts
6.) ln -s rootcacert.pem `openssl x509 -in $file -hash -noout`.0

Should this work? Any tips or advice? I'd like to do this with as few problems as possible since we have a fair number of clients up and working at this point.

Thank you,
Samuel Vange

Trevor Vaughan

Jan 13, 2017, 2:14:19 PM
to Samuel Vange, SIMP Users
Hi Samuel,

This should work. I would *highly* recommend not removing the old CA certs until you're 100% sure that all of your nodes have migrated to the new certs. This will ensure that you maintain your trust chain through the transition.

Thanks,

Trevor

--
You received this message because you are subscribed to the Google Groups "SIMP Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simp-users+unsubscribe@googlegroups.com.
To post to this group, send email to simp-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/simp-users/d925a9a9-385b-423a-b337-37580297b461%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --

Samuel Vange

Jan 13, 2017, 2:25:20 PM
to SIMP Users, samue...@gmail.com
Will leaving any certs already in .../keydist/cacerts alone be sufficient?

BTW, thanks for all of the quick responses. We really appreciate it.

Trevor Vaughan

Jan 13, 2017, 2:52:27 PM
to Samuel Vange, SIMP Users
Yes, that will work fine.
