Dear Felix,

On Wednesday, February 20, 2013 9:58:45 AM UTC, Felix.Frank wrote:
>
> Hi, 
>
> I think I understood your goal well enough, and it's sound in and of 
> itself, but I believe you have some misconceptions on how to implement 
> this. 
>
> First off, so we're on the same page: The CA is your root certificate. 
> It's a self signed certificate shared by all masters. Only the masters 
> have its private key. They use it to sign all other puppet related 
> certificates. 
>

Correct.
 

>
> A client certificate is generated by a master based on the CA and a 
> certificate signing request from the agent. It's necessary to either 
> a) have the CSR generated agent side, so the agent has the private key 
> generated itself or 
> b) do all the generating master side and implement a secure way to push 
> the agent's private key to the agent 
>

Option b) is the goal here, correct.
 

>
> Let's cut right to the bottom line: You do *not* want to create new CAs, 
> ever. You make a CA, make sure its private key is well protected, and 
> stick with that. If you need to deploy additional masters at various times, 
> you need a process that will supply them with the CA and its key. 
>

Incorrect. You *do* want to create new CAs. What about different 
puppetmaster pools? Imagine you and me, we both want a puppetmaster setup 
with LBs in front of them, for our own machines, and we would rather have 
different CAs for our puppetmasters.
 

>
> I'm not sure whether you can separate the puppet master from the puppet 
> ca network-wise, but if it's possible, it would be infinitely simpler to 
> stick to a monolithic ca server and do only the other agent/master 
> interaction through loadbalancing. 
>

Don't worry about the details of separation, network-wise or any other. All I 
want to do is generate complete CA and client certs programmatically, 
using the openssl lib - how they're going to be deployed on puppetmasters and 
puppet clients is out of scope here - it can be via rsync, it can be by 
embedding CAs into VM images per client base, it can be done in many 
different ways. A monolithic CA server is out of the question, as it becomes a 
SPOF.
 

>
> I believe that your core problem at the moment is private key 
> management, but that's only a guess. 
>

Incorrect, the problem is to emulate puppet ca/cert behavior using openssl 
command (and then by openssl lib).
 

>
> On 02/19/2013 09:15 PM, spankt...@gmail.com wrote: 
> > Dear Felix, 
> > 
> > I think you're getting it wrong, let me clarify it a bit. The goal of 
> > this is to be able to write a web interface for generating puppetmaster 
> > CAs and client certificates on demand. An example: install 3 
> > puppetmasters with a loadbalancer in front. Use the web interface to generate 
> > a CA and certificates for chosen clients (let's say, 10 machines). Deploy 
> > such generated CAs on the puppetmasters, and the relevant bits on the puppet 
> > clients to authorize them against these puppetmasters. Whenever there's 
> > need for change, use that CA via the web interface to add and delete client 
> > certificates, redeploy them on the puppetmasters and so on. This, while 
> > doable via Subprocess functions (Python is the language of choice for 
> > me, but that doesn't really matter) and calls to the relevant puppet system 
> > commands, is an extremely ugly and inflexible solution. I would love to do 
> > it via the openssl library, but to do so, I'd need to have a workable way to 
> > build CAs and sign (and revoke) client certs via the openssl command - so 
> > far I can't reach that goal. I hope this makes more sense now. 
> > 
> > Regards, 
> > S. 
> > 
> > On Tuesday, February 19, 2013 4:04:32 PM UTC, Felix.Frank wrote: 
> > 
> >     On 02/16/2013 12:20 PM, spankt...@gmail.com wrote: 
> >     > after creating CA and client cert and applying them to 
> >     puppetmaster, it 
> >     > complains with: 
> > 
> >     Wait, what? You create a new CA, even after agents have already been 
> >     certified, then create new agent certificates? 
> > 
> >     If your CA changes, you will have to terminate all the (now 
> >     deprecated) agent certificates and sign new certificates for all agents. 
> > 
> >     Basically, I would expect the outcome you are observing, and you 
> >     should just follow the instructions given in your log excerpt. Note that 
> >     you are *not* supposed to remove the CA from the master, only the copy 
> >     of the agent's certificate. 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
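The CA / sign / revoke cycle the thread is after, as an added example that is not the poster's code or Puppet's own tooling: it drives only the openssl command, keeps everything (including the agent key, i.e. variant b above) in one work directory, and assumes its own directory layout, subject names, lifetimes and certificate extensions, which are not Puppet's defaults.

```shell
# Added example, not the poster's code: CA + agent signing + revocation with the openssl CLI only.
set -eu
write_ca_config() {   # $1 = work dir; one (assumed) config file serves both `req` and `ca`
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ agent_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[ ca ]
default_ca = agent_ca
[ agent_ca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
policy = cn_only
x509_extensions = agent_ext
[ cn_only ]
commonName = supplied
EOF
}
make_ca() {           # $1 = work dir: CA key, self-signed CA cert (CA:TRUE) and an empty CRL
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
    write_ca_config "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" -extensions ca_ext \
        -subj "/CN=Puppet CA: example" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -crldays 30 -out "$1/ca.crl" 2>/dev/null
}
sign_agent() {        # $1 = work dir, $2 = certname: agent key + CSR, then the CA signs the CSR
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -batch -notext -days 365 -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
revoke_agent() {      # $1 = work dir, $2 = certname: mark revoked in index.txt and reissue the CRL
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -crldays 30 -out "$1/ca.crl" 2>/dev/null
}
cert_status() {       # prints "valid" or "revoked" for $2, checked against the CA cert and CRL in $1
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$1/$2.crt" \
        >/dev/null 2>&1 && echo valid || echo revoked
}
```

Call `make_ca DIR`, then `sign_agent DIR certname`, `revoke_agent DIR certname` and `cert_status DIR certname` as needed; a web front end would wrap exactly these four steps, and the CA key never has to leave DIR.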