Issue #7243 has been updated by Daniel Pittman.
> So some issues. The attributes are on the CSR which is destroyed/deleted
> when the certificate is signed. This may or may not be part of a Puppet run.
> Hence we need some way to extract and store the attributes from the CSR
> somewhere that results in them being added to Puppet. I am unclear how we
> could do this – except perhaps to write them to the certificate?

I would have expected that additional attributes in the CSR would be transferred to the certificate, unless they were specifically part of the request process. (eg: the cert is basically the CSR, signed.)

> An alternative approach might be to be able to retrieve the CSR attributes
> using the certificate signing API? That way you could work out if you sign a
> certificate based on the value of the attribute returned by the API?

This seems cumbersome, and to be much more prone to data drift. (eg: submit a new CSR with security=superdude, get a catalog with the wrong data, because the CSR lookup sees that, and not the certificate signed from the original CSR with security=nobody.)

Better, I think, embed the values into the certificate, and allow whatever introspection on that, since that has the signature chain to protect and authenticate it.

----------------------------------------
Feature #7243: Additional data in Puppet CSRs (certdnsnames, and custom data)
https://projects.puppetlabs.com/issues/7243

Author: Matt Wise
Status: Needs More Information
Priority: Normal
Assignee: Matt Wise
Category: SSL
Target version: Telly
Affected Puppet version:
Keywords:
Branch: https://github.com/jamtur01/puppet/tree/tickets/master/7243

Puppet Clients currently do not support filling in 'certdnsnames' in their CSR. That is only done on the signing-server side of things. This should be updated so that either the client, or server can set the certdnsnames (or both).
In addition to this, the Puppet CSR generation code should allow for the addition of arbitrary data in the form of keypairs (foo=xyz) that is embedded into the CSR. That data should then be accessible in some way to the Puppet master process itself during catalog compilation. This allows for companies to build in their own security models around the SSL certs.
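The following is an added example (not code from the ticket, the linked branch, or Puppet itself) that walks the three sides of the feature request with Ruby's OpenSSL bindings: the agent builds a CSR carrying certdnsnames as a subjectAltName inside the standard extReq attribute plus the foo=xyz data as a second attribute; the CA, following the suggestion in the reply above, copies that data into the signed certificate as an extension so it survives the CSR being deleted; the master reads it back from the certificate, where the CA's signature protects it. The private-enterprise OID 1.3.6.1.4.1.99999.1.1, the ASN.1 layout of the key/value data, and the helper names are assumptions made for this example. The CA deliberately copies only subjectAltName from the requested extensions, so a CSR cannot smuggle in something like basicConstraints.

```ruby
require 'openssl'

# Placeholder private-enterprise OID for the custom key/value attribute
# (an assumption for this example, not an OID Puppet defines).
CUSTOM_DATA_OID = '1.3.6.1.4.1.99999.1.1'.freeze
# Requested extensions the CA is willing to honour; anything else in extReq
# (e.g. a requested basicConstraints) is dropped rather than trusted.
ALLOWED_REQUESTED_EXTS = %w[subjectAltName].freeze

# Key/value pairs as SEQUENCE OF SEQUENCE { UTF8String key, UTF8String value }.
def encode_custom_data(pairs)
  OpenSSL::ASN1::Sequence.new(pairs.map do |k, v|
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::UTF8String.new(k.to_s),
                                 OpenSSL::ASN1::UTF8String.new(v.to_s)])
  end)
end

def decode_custom_data(seq)
  seq.value.each_with_object({}) { |pair, h| h[pair.value[0].value] = pair.value[1].value }
end

# Agent side: CSR with certdnsnames (subjectAltName inside extReq) and the
# custom data as its own attribute. extra_exts only exists to show filtering.
def build_csr(key, cn, dns_names, custom, extra_exts = [])
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  ef = OpenSSL::X509::ExtensionFactory.new
  san = ef.create_extension('subjectAltName', dns_names.map { |d| "DNS:#{d}" }.join(','), false)
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq',
    OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san] + extra_exts)])))
  csr.add_attribute(OpenSSL::X509::Attribute.new(CUSTOM_DATA_OID,
    OpenSSL::ASN1::Set.new([encode_custom_data(custom)])))
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr
end

# CA side: verify the CSR, then carry the allowed requested extensions and the
# custom data into the certificate so they outlive the CSR.
def sign_csr(csr, ca_key, ca_cert, serial)
  raise 'CSR signature does not verify' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 86_400
  csr.attributes.each do |attr|
    payload = attr.value.value.first # attr.value is the ASN1::Set wrapper
    case attr.oid
    when 'extReq'
      payload.value.each do |e|
        ext = OpenSSL::X509::Extension.new(e)
        cert.add_extension(ext) if ALLOWED_REQUESTED_EXTS.include?(ext.oid)
      end
    when CUSTOM_DATA_OID
      cert.add_extension(OpenSSL::X509::Extension.new(CUSTOM_DATA_OID, payload.to_der, false))
    end
  end
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Master side: read the data back from the (CA-signed) certificate.
def custom_data_from_cert(cert)
  ext = cert.extensions.find { |e| e.oid == CUSTOM_DATA_OID }
  return {} unless ext
  # Extension DER is SEQUENCE { OID, [critical BOOLEAN], OCTET STRING }; unwrap the octets.
  inner = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  decode_custom_data(OpenSSL::ASN1.decode(inner))
end

def dns_names_from_cert(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |s| s.sub('DNS:', '') }
end

# Throwaway self-signed CA for the demo (constructed here, not a real CA).
def make_test_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', 'Example Test CA']])
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Full round trip: agent CSR -> CA signature -> master reads data from the cert.
def demo
  ca_key, ca_cert = make_test_ca
  agent_key = OpenSSL::PKey::RSA.new(2048)
  csr = build_csr(agent_key, 'agent.example.com', %w[agent.example.com puppet],
                  'security' => 'nobody', 'role' => 'web')
  cert = sign_csr(csr, ca_key, ca_cert, 42)
  [cert, ca_cert]
end

if $PROGRAM_NAME == __FILE__
  cert, = demo
  puts "dns names: #{dns_names_from_cert(cert).inspect}"
  puts "custom data: #{custom_data_from_cert(cert).inspect}"
end
```

Because the master reads the values from the certificate rather than from a CSR lookup, a later CSR with security=superdude cannot change what a catalog sees until the CA actually signs it; the CA would still apply its own policy to the submitted data before calling sign_csr.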