This is not fully supported yet, but can work with a couple of caveats - the question has come up a few times recently.
Can you please try my draft HOWTO documentation at this gist, and let me know how it works for you? You can reply here or comment on the gist if there are specific lines that you run into trouble with. https://gist.github.com/ahpook/06d4cfda1d68c08bc82fbfdc40123b28 --eric0 On Thursday, June 23, 2016 at 11:17:37 PM UTC-7, Christoph Fiehe wrote: > > This is exactly the use case, I require in my scenario. I must have > several Puppet CAs, each acting as intermediate CA that has an individual > CA certificate signed by a single root CA. Each intermediate CA signes the > certificates of some puppet agents. I have created a small picture to show > you how the scenario should look like.The root puppetmaster acts as a > bootstrapping node that should set up different nodes as puppetmaster when > someone assignes the puppetmaster role to this new node. > > > > > <https://lh3.googleusercontent.com/-1hk53wsrMOg/V2zCv9VOU5I/AAAAAAAAAAo/1W0hjDgCgxEnm1DkzO55BqWK0Ttlp6OJQCLcB/s1600/Puppet-CAs.png> > > Has anybody an idea, if this scenario can be realized with the help of > Puppet? The most interesting question is how Puppet behaves when you assign > "ca = true" to an agent node and assign "ca_server = <Puppetmaster Root > CA>". > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/d3846c57-7694-4fa7-b1e8-60dbb830f879%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
