Puppet's CA with an externally issued CA certificate


Florian Sachs

24 Jun 2014, 11:07:12
to puppet...@googlegroups.com
Hi,

Is it possible to use Puppet's CA with an externally issued intermediate CA certificate?

I want Puppet to act as a normal Puppet CA, but with a CA certificate that has been issued by our central CA.

I am aware that this is not a valid scenario according to http://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html and have read https://groups.google.com/d/msg/puppet-users/ZW0p-UcFfFY/2WR30LBRoZYJ, but I don't want to implement a non-supported setup.

Are there any plans to support this CA configuration?

best regards,
florian

Christoph Fiehe

24 Jun 2016, 02:17:37
to Puppet Users

This is exactly the use case I require in my scenario. I must have several Puppet CAs, each acting as an intermediate CA that has an individual CA certificate signed by a single root CA. Each intermediate CA signs the certificates of some Puppet agents. I have created a small picture to show you what the scenario should look like. The root puppetmaster acts as a bootstrapping node that should set up different nodes as puppetmasters when someone assigns the puppetmaster role to such a new node.




Does anybody have an idea whether this scenario can be realized with the help of Puppet? The most interesting question is how Puppet behaves when you assign "ca = true" to an agent node and assign "ca_server = <Puppetmaster Root CA>".
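The hierarchy described in the post above, as an added example that is not part of the thread and not Puppet's own code (Ruby with the standard openssl library, since that is what Puppet's CA is built on): a constructed central root CA, a per-site Puppet CA whose certificate is signed by that root, and an agent certificate signed by the site CA. All names and serials are made up for the example. The verification calls at the end show the caveat that matters in such a setup: the agent certificate validates against the central root only when the intermediate Puppet CA certificate is also available, either presented with the chain or placed in the trust bundle, so whatever file agents and masters use as their CA certificate must carry both the root and the intermediate.

```ruby
require 'openssl'

# Build an X.509 v3 certificate. With no issuer it is self-signed (a root CA);
# otherwise it is signed by issuer_key and chained to issuer_cert.
def make_cert(subject_cn, key, serial:, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 60 * 60

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    # A CA certificate (root or intermediate) needs CA:TRUE and keyCertSign,
    # otherwise OpenSSL rejects it as an issuer during chain validation.
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth, clientAuth', false))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify `leaf` against a trust store holding `anchors`; `untrusted` are the
# extra chain certificates a peer presents alongside its own certificate.
# Returns [ok, reason] so the caller can see why a chain was rejected.
def verify_chain(leaf, anchors, untrusted = [])
  store = OpenSSL::X509::Store.new
  anchors.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, untrusted)
  [ok, ok ? 'ok' : store.error_string]
end

# Constructed three-tier hierarchy mirroring the scenario in the thread:
# central root CA -> per-site Puppet CA (intermediate) -> agent certificate.
# Names, serials and key sizes are made up for this example.
def build_scenario
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('Central Root CA', root_key, serial: 1, ca: true)

  site_ca_key = OpenSSL::PKey::RSA.new(2048)
  site_ca = make_cert('Puppet CA site-a', site_ca_key, serial: 2, ca: true,
                      issuer_cert: root, issuer_key: root_key)

  agent_key = OpenSSL::PKey::RSA.new(2048)
  agent = make_cert('agent01.site-a.example', agent_key, serial: 3, ca: false,
                    issuer_cert: site_ca, issuer_key: site_ca_key)

  { root: root, site_ca: site_ca, agent: agent }
end

if __FILE__ == $PROGRAM_NAME
  s = build_scenario
  puts "site CA against root:               #{verify_chain(s[:site_ca], [s[:root]]).inspect}"
  puts "agent, root only, no intermediate:  #{verify_chain(s[:agent], [s[:root]]).inspect}"
  puts "agent, root + presented site CA:    #{verify_chain(s[:agent], [s[:root]], [s[:site_ca]]).inspect}"
  puts "agent, bundle of root and site CA:  #{verify_chain(s[:agent], [s[:root], s[:site_ca]]).inspect}"
end
```

The second call fails with OpenSSL's "unable to get local issuer certificate": the verifier can see the agent certificate was issued by "Puppet CA site-a" but has no copy of that certificate to continue the chain to the trusted root. The third and fourth calls succeed, which is why a bundle containing both the root and the intermediate is the simplest thing to distribute to every node in a setup like the one described.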

Eric Sorenson

24 Jun 2016, 02:20:20
to Puppet Users
This is not fully supported yet, but can work with a couple of caveats - the question has come up a few times recently.

Can you please try my draft HOWTO documentation at this gist, and let me know how it works for you? You can reply here or comment on the gist if there are specific lines that you run into trouble with.


--eric0

Christoph Fiehe

24 Jun 2016, 12:33:48
to Puppet Users
Thanks for your fast response... Your approach sounds very interesting. I will give it a try.

Thank you very much.