New CA CLI tools in Puppet Platform 5.5.5


Maggie Dreyer

Aug 23, 2018, 2:35:21 PM
to puppe...@googlegroups.com, puppet...@googlegroups.com
Hello Puppet users!

In the 5.5.5 release of the Puppet Platform, we released a new experimental command line tool for interacting with the Puppet CA.

puppetserver ca <command>

This tool uses Puppet Server's puppet-ca API to accomplish common CA tasks like signing and revoking certificates, instead of the legacy Ruby code in Puppet. See the Puppet Server 5.3.5 release notes for details on configuring your server to allow access to the relevant API endpoints.

This is a preview for Platform 6, when the tool will replace the existing `puppet cert` command and associated CA-related faces (certificate, ca, certificate_request, and certificate_revocation_list). Although in Puppet 5 all these commands will continue to work, we encourage you to try out the new command and give us feedback! Since the new tool is packaged as a gem alongside puppetserver, it is possible to download new updates as they are released using:

/opt/puppetlabs/puppet/bin/gem update puppetserver-ca

In addition to the existing major features of `puppet cert`, the new tool also provides a command for generating a chained CA for puppet, with a self-signed root cert and an intermediate CA signing cert. It also provides a command for importing an existing root and intermediate cert, for users who wish to have Puppet's CA link back to their existing roots. These tools allow for easy setup of an intermediate CA, but please note that all the current caveats for using an intermediate CA setup in Puppet 5 still apply. For details, see https://puppet.com/docs/puppetserver/5.3/intermediate_ca_configuration.html.

For full intermediate CA support, with no manual file manipulation and full CRL checking, please try our Puppet 6 nightly builds (http://nightlies.puppet.com/yum/puppet6-nightly/ or http://nightlies.puppet.com/apt/puppet6-nightly/)! The release of Puppet 6 is scheduled for this fall.

Please tell us what you think, and let us know if you have any questions!
The Server Team
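To make the chained-CA layout described above concrete (a self-signed root that signs an intermediate signing CA, which in turn issues the end-entity certificates), here is an added illustration written for this thread. It is not code from the puppetserver-ca gem, and the names, serial numbers and validity periods are made up; it builds the three certificates with Ruby's OpenSSL bindings and then shows that a client which trusts only the root can verify an agent certificate only when the intermediate is presented with it.

```ruby
require 'openssl'

# Added illustration (not puppetserver-ca's code): build the kind of chain the
# announcement describes, a self-signed root that signs an intermediate CA,
# which in turn signs an end-entity (agent-style) certificate, then verify the
# leaf back to the root the way a CA-aware client would. Names are made up.

def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build and sign one certificate. issuer_cert == nil means self-signed.
def issue_cert(subject:, pubkey:, issuer_cert:, issuer_key:, serial:, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + 365 * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    # CA certs must say so, and be permitted to sign certificates and CRLs
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    # End-entity certs are explicitly not CAs, so they cannot mint further certs
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Root (self-signed) -> intermediate signing CA -> leaf (agent) certificate
def build_demo_chain
  root_key = new_key
  root = issue_cert(subject: '/CN=Example Root CA', pubkey: root_key.public_key,
                    issuer_cert: nil, issuer_key: root_key, serial: 1, ca: true)
  int_key = new_key
  intermediate = issue_cert(subject: '/CN=Example Intermediate CA', pubkey: int_key.public_key,
                            issuer_cert: root, issuer_key: root_key, serial: 2, ca: true)
  leaf_key = new_key
  leaf = issue_cert(subject: '/CN=agent01.example.test', pubkey: leaf_key.public_key,
                    issuer_cert: intermediate, issuer_key: int_key, serial: 3, ca: false)
  { root: root, intermediate: intermediate, leaf: leaf }
end

# Verify the leaf against a trust store holding only the root. Intermediates
# are not trusted on their own; they must be supplied alongside the leaf.
def chain_verifies?(trusted_root, intermediates, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  store.verify(leaf, intermediates)
end

if __FILE__ == $PROGRAM_NAME
  chain = build_demo_chain
  puts "with intermediate:    #{chain_verifies?(chain[:root], [chain[:intermediate]], chain[:leaf])}"
  puts "without intermediate: #{chain_verifies?(chain[:root], [], chain[:leaf])}"
end
```

The second check is the practical point behind the intermediate-CA caveats the announcement links to: once agents are issued from an intermediate, every verifier (server and agent alike) must either trust the root and be handed the intermediate, or the handshake fails with an "unable to get local issuer certificate" style error.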

Justin Stoller

Aug 24, 2018, 1:52:35 PM
to puppet...@googlegroups.com, puppe...@googlegroups.com
Thanks for the feedback, Gabriel!

On Fri, Aug 24, 2018 at 5:49 AM Gabriel Filion <gab...@lelutin.ca> wrote:
Hi there,


On 2018-08-23 2:35 p.m., Maggie Dreyer wrote:
> In the 5.5.5 release of the Puppet Platform, we released a new experimental
> command line tool for interacting with the Puppet CA.
>
> puppetserver ca <command>
>
> This tool uses Puppet Server's puppet-ca API to accomplish common CA tasks
> like signing and revoking certificates, instead of the legacy Ruby code in
> Puppet.

I'm curious here since I'm not following the latest releases very
closely: was there a necessary change to the command-line user interface
or could it have been possible to "change all of the plumbing" without
touching the "porcelain on top"?

If no interface change was necessary then the whole "puppetserver cert"
subcommand could have been replaced with the new code. It would have
removed yet another config+interface change necessity for users.

The deprecation and removal of the "face based" subcommands was necessary. These are the subcommands "puppet ca", "puppet certificate", "puppet certificate_request", and "puppet certificate_revocation_list".

That only leaves "puppet cert", and all of the plumbing for the command had to change. We also believe its porcelain is fundamentally confusing, mixing actions that should only be taken on a CA with actions that can or should be taken on an agent. So we made the choice to split the actions that the "puppet cert" subcommand provides between a dedicated CA tool that ships with Puppet Server (puppetserver ca) and a dedicated agent tool that ships with Puppet Agent (incoming work on "puppet ssl").

Our hope is to simplify the mental model that users need to understand which features work where in a deployment. We also hope for these to be relatively simple translations. So if you called "puppet cert sign --all" in Puppet 5, in Puppet 6 you call "puppetserver ca sign --all" now.

We want to cause as little turbulence for our existing users as possible and are striving to make any upgrade work easily scriptable. But we also know that many new (and existing) users have difficulty understanding our current certificate workflows and that that difficulty impedes many from following best practices. Ultimately our goal is to help users, existing and new, to get to those best practices as quickly and easily as possible.


Regards,
Justin

> In addition to the existing major features of `puppet cert`, the new tool
> also provides a command for generating a chained CA for puppet, with a
> self-signed root cert and an intermediate CA signing cert. It also provides
> a command for importing an existing root and intermediate cert, for users
> who wish to have Puppet's CA link back to their existing roots.

Hey, this is nice. It used to be that advanced management of certificates
and CA was reserved to the x509 wizards!
