On Wed, 27 Jan 2010, Scott Smith wrote:
The only annoying part is that if I ever revoke something, I have to
distribute the CRL to my puppetmasters. Oh well.
openssl discusses this in the 'verify' man page
Nothing says a certificate has to be of any particular
duration. A certificate outside of its validity date would
not be trusted anyway [dunno that the code checks this, but
...]
Why not issue them out just a month, and then let them expire?
If needed again, push a new one with a new expiration date
out. Let the passage of time and a system design handle the
implicit 'no longer trusted' decision, to avoid needing to
maintain a CRL list of more than a couple of entries tops
-- Russ herrold
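
An added example, not part of the original message and not Puppet's own CA code: it issues a 30-day certificate from a throwaway CA and runs `openssl verify` with no CRL at several points in time, showing that the validity window alone causes rejection after expiry. The CA and agent names are constructed, and it assumes a current `openssl` CLI whose `verify` exits non-zero on failure.

```shell
#!/bin/sh
# Constructed throwaway CA and agent certificate, created in a temp directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a test CA (valid 365 days) and an agent cert valid for $1 days.
make_ca_and_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=agent.example.test" \
    -keyout "$WORK/agent.key" -out "$WORK/agent.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/agent.csr" -days "$1" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/agent.pem" 2>/dev/null
}

# Verify the agent cert as of "now + $1 days". No CRL is supplied, so the
# only thing that can change the answer over time is the validity window.
verify_in_days() {
  at=$(( $(date +%s) + $1 * 86400 ))
  openssl verify -attime "$at" -CAfile "$WORK/ca.pem" \
    "$WORK/agent.pem" >/dev/null 2>&1
}

make_ca_and_cert 30 || exit 2
for d in 0 29 31; do
  if verify_in_days "$d"; then
    echo "day $d: accepted"
  else
    echo "day $d: rejected"
  fi
done
```

This shows the behaviour of `openssl verify` only; whether a given puppetmaster's TLS stack enforces the same check has to be confirmed on that stack.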