On 02/20/2013 11:37 AM, spankthes...@gmail.com wrote:
> Incorrect. You *do* want to create new CAs. What about different
> puppetmaster pools? Imagine you and me, we both want a puppetmaster
> setup with LBs in front of them, for our own machines, and we'd rather
> want to have different CAs for our puppetmasters.

Well, so you'd want *your* agents to receive catalogs from *my* puppet
masters? That's a whole different problem altogether. Each agent node
will need to run several agents, each with its own view of what the CA
and the master certificate are. They could share the agent's private
key, but that would actually add complexity. Basically, you probably
want separate /var/lib/puppet instances on the agents for each "master
pool".

> it can be via rsync

Oh, please don't.

> monolithic CA server is out of question, as it becomes a spof.

Not really, the CA service should not see much use during day-to-day
operation, but again, I may be wrong about this.

> Incorrect, the problem is to emulate puppet ca/cert behavior using
> openssl command (and then by openssl lib).

Ah, only you aren't. The puppet ca service works under the premise that
the client simply generates a CSR for itself and forwards that to the
puppet ca service.

Have you had any success signing the certificate using openssl, when the
CSR originates with the agent (so, as a start, you do step 2 your way)?
Once you have that working, all that's left to do is the CSR generation
using openssl, which shouldn't be that hard, either. What's hard is not
doing it on the agent node.
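The flow the reply describes (the agent generates its own key and CSR, the CA signs the CSR, the agent checks the result against the CA it trusts), as an added example that is not part of the original thread and not Puppet's own CA code. It uses the OpenSSL library that ships with Ruby, the language Puppet is written in, rather than the openssl command. The "Puppet CA: ..." CN layout, the extension set, the validity periods, the serial numbers and the host names are assumptions constructed for the example; the second CA is there only to show why a certificate issued by one master pool's CA does not validate against another pool's CA.

```ruby
require 'openssl'

# CA side, done once per master pool: a self-signed CA certificate.
# CN layout, extensions and lifetime are assumptions for this example.
def make_ca(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                               # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + 5 * 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Agent side: the private key is generated here and never leaves the node;
# only the CSR (public key + self-signature) travels to the CA.
def make_csr(certname)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version    = 0
  csr.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, csr]
end

# CA side: the checks a practitioner would want before issuing, then sign.
# expected_certname is whatever the CA independently knows about the
# requester (e.g. the name it authenticated the request under).
def sign_csr(ca_key, ca_cert, csr, expected_certname, serial, days = 365)
  raise "CSR self-signature does not verify" unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _, _| name == "CN" }&.fetch(1)
  raise "CSR CN #{cn.inspect} != expected #{expected_certname.inspect}" unless cn == expected_certname
  raise "refusing a CSR that carries attributes (e.g. requested extensions)" unless csr.attributes.empty?

  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = csr.subject
  cert.issuer     = ca_cert.subject
  cert.public_key = csr.public_key              # the agent's key, untouched
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth, clientAuth"))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Agent side: does this cert chain to the CA of *this* master pool?
# A cert issued by another pool's CA must come back false here.
def chains_to?(ca_cert, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed names for the demo run.
  ca_key, ca_cert  = make_ca("Puppet CA: pool-a.example.com")
  _agent_key, csr  = make_csr("agent1.example.com")
  cert = sign_csr(ca_key, ca_cert, csr, "agent1.example.com", 2)
  puts cert.to_text
  puts "chains to pool-a CA: #{chains_to?(ca_cert, cert)}"
end
```

The two things worth noticing are that the CA never sees the agent's private key at any step (it only copies the public key out of the CSR into the certificate), and that the CA side refuses a CSR whose CN does not match the name it expects for the requester, which is the check that keeps one node from requesting a certificate in another node's name.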