puppet autosign and mco request_cert

[gustavo...@gmail.com]

Hi,

Is there any security recommendation regarding Puppet certificate autosigning and "mco choria request_cert"? Basically, we have autosign=true for machine puppet agent certs, but we don't want this mechanism for choria client certificates.

Thank you

[Matt Cahill]

Using naive auto-signing is not recommended in a production environment.

https://puppet.com/docs/puppet/6.17/ssl_autosign.html

At a bare minimum set up basic auto-signing with config that matches against your client's reported domain suffix (thus excluding choria certs).

https://puppet.com/docs/puppet/6.17/config_file_autosign.html

Ideally you'd use an auto-signing executable to verify the validity of a signing request before signing it, via pre-shared key, static inventory etc.. That script can be set up to not mark choria certs for auto-signing.

cheers

Matt