First question, what version of puppet/puppetserver are you asking about? Because the whole workflow around this is very different in Puppet 5 vs. in Puppet 6, with the most notable thing being that puppet cert clean already does not work in an intermediate scenario on our master branches (heading for Puppet 6) where full CRL checking is possible (it doesn't respect the CRL chain and overwrites both CRLs when it updates the file). In Puppet 6, we are removing puppet cert clean in favor of an analogous command under the puppetserver ca CLI, which uses the certificate_status API to revoke certs and correctly respects chained CRLs. It is also currently possible to use the API directly for the same result (though this won't clean up the files on disk).

In Puppet 5, we only provide leaf-checking of CRL chains. This means that even if you update the CRL from your root CA, Puppet will ignore it. Seems you would only "lose" the revocations if you're overwriting the Intermediate CA's chain completely, leaving only the root's CRL in the file, which probably doesn't work regardless unless you have CRL checking disabled (in which case why are you updating the CRL in the first place?).

If I'm misunderstanding something, please let me know, but it seems like if someone with an external root CA wants to update their root's CRL in the chain, it is up to them to merge them properly, i.e. by only replacing the second cert in the file and leaving the first one belonging to the intermediate CA the same.
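One way to perform the merge the comment describes (keep the intermediate CA's CRL as the first PEM block of the chain file and replace only the root's CRL in the second block), as an added shell example that is not from the ticket and not Puppet's own tooling. The file names, the temp directory and the PEM bodies are constructed placeholders with no valid DER inside, so the optional openssl inspection at the end is left commented and assumes a real deployment's CRLs.

```shell
#!/bin/sh
# Added example: merge a new root CRL into a two-block CRL chain without
# touching the intermediate CA's CRL. All inputs below are constructed.

# Print the Nth "-----BEGIN X509 CRL-----" ... "-----END X509 CRL-----" block of a file.
pem_block() {
    # $1 = file, $2 = 1-based block index
    awk -v want="$2" '
        /^-----BEGIN X509 CRL-----$/ { n++ }
        n == want { print }
        /^-----END X509 CRL-----$/ && n == want { exit }
    ' "$1"
}

# Count the CRL blocks in a file (prints 0 when there are none).
count_crl_blocks() {
    grep -c '^-----BEGIN X509 CRL-----$' "$1"
}

# merge_crl_chain <current chain> <new root CRL> <output>
# Writes block 1 of the current chain (the intermediate's CRL) followed by the
# new root CRL. Refuses to run if either input is not the shape we expect, so a
# malformed chain is never silently overwritten with a single CRL.
merge_crl_chain() {
    chain="$1"; new_root="$2"; out="$3"
    [ "$(count_crl_blocks "$chain")" -eq 2 ] \
        || { echo "expected 2 CRLs in $chain" >&2; return 1; }
    [ "$(count_crl_blocks "$new_root")" -eq 1 ] \
        || { echo "expected exactly 1 CRL in $new_root" >&2; return 1; }
    {
        pem_block "$chain" 1
        cat "$new_root"
    } > "$out"
    # On a real deployment, confirm the second block is really the root's CRL
    # before installing the file (requires valid DER inside the PEM):
    #   pem_block "$out" 2 | openssl crl -noout -issuer -lastupdate
}

# write_sample_inputs <dir>: constructed placeholder chain and new root CRL.
write_sample_inputs() {
    cat > "$1/crl.pem" <<'EOF'
-----BEGIN X509 CRL-----
INTERMEDIATE_CRL_PLACEHOLDER
-----END X509 CRL-----
-----BEGIN X509 CRL-----
OLD_ROOT_CRL_PLACEHOLDER
-----END X509 CRL-----
EOF
    cat > "$1/new_root_crl.pem" <<'EOF'
-----BEGIN X509 CRL-----
NEW_ROOT_CRL_PLACEHOLDER
-----END X509 CRL-----
EOF
}

# Stand-alone demonstration in a scratch directory.
demo_dir=$(mktemp -d)
write_sample_inputs "$demo_dir"
merge_crl_chain "$demo_dir/crl.pem" "$demo_dir/new_root_crl.pem" "$demo_dir/merged.pem"
echo "merged chain now holds $(count_crl_blocks "$demo_dir/merged.pem") CRLs"
rm -rf "$demo_dir"
```

The shape checks matter more than the concatenation itself: the failure mode in the comment is a chain that ends up holding only the root's CRL, and refusing to write when the input does not contain exactly two blocks is what prevents that from happening unnoticed.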