Keymaster replacement / Puppet CA Certificate Management


barry haycock

Jun 15, 2021, 1:12:38 PM
to Puppet Users
I have been tasked to upgrade a Puppet 3.x to Puppet 6.x; this will be no mean feat as the current environment covers over 600 nodes.

One of the items that will cause problems is that the old system heavily uses the old module Aethylred/keymaster to manage x509 keypairs from the local Puppet CA. This module is now no longer supported and will not work without an extensive rewrite for the new Puppet CA architecture. That is a path I didn't want to go down.

What I was wondering, as I haven't been able to find a replacement: are there similar options open to me for using certificates issued from the local Puppet CA?
I have written a module for another Puppet environment that manages certificates from the corporate CA which, once they are issued, are stored in Hiera. It is looking like I may have to use that module and manually request Puppet CA keypairs, place them into the appropriate Hiera file, allow Puppet and java_ks to manage them from there, and apply monitoring on the certs to warn of expiry.

Are there any options for using the Puppet CA to issue/manage keypairs programmatically?

Barry

barry haycock

Jul 4, 2021, 1:30:12 AM
to Puppet Users
I have worked out a way forward: implement HashiCorp Vault as a CA and use Puppet to issue certificates from the Vault CA.
This CA could replace the Puppet CA or just be a stand-alone CA, and as long as I distribute the CA cert to all boxes on the system,
we will have trust.
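The approach sketched across both posts (keep the issued keypair and the CA cert in Hiera, let Puppet and java_ks place them, and distribute the CA cert to every node so the Vault-issued certificates are trusted) can be expressed as a single Puppet 6 profile. The manifest below is an added example written for this thread; it is not Barry's code, not part of Aethylred/keymaster, and not a published module. The class name `profile::vault_ca_trust`, the Hiera-bound parameters, the file paths and the store password are assumptions, and it assumes the puppetlabs/java_ks module is on the modulepath. Obtaining the certificate from the Vault PKI engine is left out of band, exactly as the first post describes for the corporate CA: the PEM blobs arrive through Hiera (the private key ideally via eyaml or another Sensitive-aware backend).

```puppet
# Added example (not from the original thread). Hypothetical profile that
# trusts a Vault-operated CA on every node and, where a node keypair issued
# by that CA exists in Hiera, installs it into a Java keystore via java_ks.
class profile::vault_ca_trust (
  String                    $ca_cert,                       # PEM of the Vault CA (Hiera)
  Optional[String]          $node_cert      = undef,        # PEM cert issued by the Vault CA (Hiera)
  Optional[Sensitive[String]] $node_key     = undef,        # matching private key (Hiera, eyaml)
  Stdlib::Absolutepath      $truststore     = '/etc/pki/java/vault-truststore.jks',
  Stdlib::Absolutepath      $keystore       = '/etc/pki/java/vault-keystore.jks',
  String                    $store_password = 'changeit',   # assumption: replace via Hiera
) {
  # 1. System trust store. Anchor directory and refresh command differ per OS family.
  case $facts['os']['family'] {
    'RedHat': {
      $anchor  = '/etc/pki/ca-trust/source/anchors/vault-ca.crt'
      $refresh = '/usr/bin/update-ca-trust'
    }
    'Debian': {
      $anchor  = '/usr/local/share/ca-certificates/vault-ca.crt'
      $refresh = '/usr/sbin/update-ca-certificates'
    }
    default: {
      fail("profile::vault_ca_trust: unsupported OS family ${facts['os']['family']}")
    }
  }

  file { $anchor:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $ca_cert,
    notify  => Exec['refresh-system-ca-trust'],
  }

  # Only re-run the system trust rebuild when the anchor actually changes.
  exec { 'refresh-system-ca-trust':
    command     => $refresh,
    refreshonly => true,
  }

  # 2. Java truststore: CA certificate only, so JVM applications trust
  #    every certificate the Vault CA issues. 'ensure => latest' makes
  #    java_ks re-import when the PEM on disk changes (CA rotation).
  java_ks { 'vault-ca:truststore':
    ensure       => latest,
    certificate  => $anchor,
    target       => $truststore,
    password     => $store_password,
    trustcacerts => true,
    require      => File[$anchor],
  }

  # 3. Optional per-node keypair issued by the Vault CA and held in Hiera.
  #    Sensitive content keeps the key out of reports and diffs.
  if $node_cert =~ String and $node_key =~ Sensitive {
    $cert_path = '/etc/pki/tls/certs/vault-node.crt'
    $key_path  = '/etc/pki/tls/private/vault-node.key'

    file { $cert_path:
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => $node_cert,
    }

    file { $key_path:
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      content => $node_key,
    }

    java_ks { "${trusted['certname']}:keystore":
      ensure      => latest,
      certificate => $cert_path,
      private_key => $key_path,
      target      => $keystore,
      password    => $store_password,
      require     => [File[$cert_path], File[$key_path], Java_ks['vault-ca:truststore']],
    }
  }
}
```

Two points worth keeping in mind when running something like this across 600 nodes: the `exec` is `refreshonly`, so a CA rotation costs one trust rebuild per node rather than one per run, and the expiry monitoring mentioned in the first post still has to live outside this class, since Puppet will happily keep placing an expired certificate from Hiera until someone replaces it.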