On Jul 1, 2010, at 14:14, Bryan Kearney <[email protected]> wrote:

> Next questions.. again. my goal is to have puppet work with an external set
> of x.509 credentials.
>
> (1) When puppetmasterd starts up, it creates a CSR for $certname. What is
> this certificate used for? I would assume that the CA's cert and keys would
> be used in all SSL communication. Is that not correct?

Nope - the CA cert is only ever used for signing certs and CRLs. Each host has a separate cert for actual communication. I can't verify atm, but I think CA cert can't even be used for communication.

> (2) If puppetd is being used to manage the same machine as the puppetmaster,
> then would they share this same certificate and public/private key?

Yep, assuming they're started with the same certname. But they don't have to be.

--
Luke Kanies | +1-615-594-8199
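The separation described in the reply above, as an added example that is not part of the original message or Puppet's own code: a signing-only CA and a per-host certificate are built with Ruby's OpenSSL bindings and then checked for use as a TLS endpoint. The names and the basicConstraints/keyUsage values are assumptions chosen for the illustration, not Puppet's actual certificate profile.

```ruby
require "openssl"

# Build a certificate; all names and extension values are constructed for
# this example and are not read from a Puppet installation.
def make_cert(cn, key, issuer, issuer_key, serial, exts)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  exts.each { |oid, val| cert.add_extension(ef.create_extension(oid, val, true)) }
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Verify `cert` against the trusted `ca` as a TLS server certificate.
# Returns [true/false, OpenSSL's verdict string].
def tls_server_check(cert, ca, chain = [])
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
  ok = store.verify(cert, chain)
  [ok, store.error_string]
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
HOST_KEY = OpenSSL::PKey::RSA.new(2048)
# Assumed profile: the CA may only sign certificates and CRLs.
CA_CERT = make_cert("Example CA", CA_KEY, nil, CA_KEY, 1,
                    "basicConstraints" => "CA:TRUE",
                    "keyUsage" => "keyCertSign,cRLSign")
# Assumed profile: the host certificate is for communication, not signing.
HOST_CERT = make_cert("puppet.example.test", HOST_KEY, CA_CERT, CA_KEY, 2,
                      "basicConstraints" => "CA:FALSE",
                      "keyUsage" => "digitalSignature,keyEncipherment")
# A certificate "issued" by the host key, to show a host cannot act as a CA.
ROGUE = make_cert("rogue.example.test", OpenSSL::PKey::RSA.new(2048),
                  HOST_CERT, HOST_KEY, 3, "basicConstraints" => "CA:FALSE")

p tls_server_check(HOST_CERT, CA_CERT)           # host cert as endpoint
p tls_server_check(CA_CERT, CA_CERT)             # CA cert as endpoint
p tls_server_check(ROGUE, CA_CERT, [HOST_CERT])  # cert issued by a host
```

With these extensions the host certificate verifies, while the CA certificate is refused as an endpoint and a certificate chained through the host certificate is refused because its issuer is not a CA.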
