> But I have need for a CA for other purposes anyway, so I've been, for the
> last year (on and off), looking into HashiCorp's Vault.
Are you hard-set on using Vault?

I use FreeIPA <https://www.freeipa.org/page/Main_Page>, which includes PKI management (via Dogtag <http://pki.fedoraproject.org/wiki/PKI_Main_Page>), and can be used as the CA for puppet and also issue the per-node certs.

Technically, Foreman <https://theforeman.org/introduction.html> is doing the work for me -- I use it to manage RHEL/CentOS node provisioning, and the FreeIPA realm enrollment and node certificate creation/deployment happen automagically, along with a puppet agent run to configure the node, at provision time. For network devices or other operating systems I'm not yet managing w/ Foreman, I manually create the host record in FreeIPA and then manually create/fetch the cert/key pair.

This stack of tools is not lightweight, and takes some time to get functional, but it's worth the effort. I've used this stack for a few years now, with HA pairs of both FreeIPA and Puppet servers spread across multiple datacenters, and have not had any major issues.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/EB1DEBCE-FB4A-4BA7-ADA5-B3817B4C284B%40distortion.io.
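The manual path the reply describes for hosts outside Foreman (create the host record in FreeIPA, then create and fetch a cert/key pair) looks roughly like the script below when done from an admin workstation with the `ipa` CLI. This is an added example, not code from the poster or from the FreeIPA/Foreman projects. It assumes a hostname `web01.example.com`, a realm `EXAMPLE.COM` (the FreeIPA convention of realm = upper-cased DNS domain), the default service profile `caIPAserviceCert`, a valid admin ticket (`kinit admin`), `/etc/ipa/ca.crt` as the IPA CA chain on an enrolled workstation, and a FreeIPA version recent enough for `ipa cert-request --certificate-out`; check those against your deployment.

```shell
#!/bin/sh
# Added example (not from the original post): manually add a FreeIPA host
# record and obtain a host cert/key pair for a node that is not
# Foreman/puppet-managed (network gear, other OSes).
# Assumptions: realm == upper-cased DNS domain, profile caIPAserviceCert,
# an admin Kerberos ticket is present, /etc/ipa/ca.crt holds the IPA CA chain.
set -eu

# Derive the Kerberos host principal from an FQDN.
# Assumption: the realm is the DNS domain in upper case (FreeIPA default).
principal_for() {
    fqdn=$1
    domain=${fqdn#*.}
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# Generate a private key and a CSR whose CN and SAN dNSName both equal the
# host FQDN. FreeIPA checks that CN/SAN match the host behind the principal,
# so a mismatched CSR is rejected rather than mis-issued.
# SAN is passed via a config file so this works with older OpenSSL too.
make_csr() {
    fqdn=$1; outdir=$2
    mkdir -p "$outdir"
    cfg=$outdir/$fqdn.cnf
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$outdir/$fqdn.key" \
        -out "$outdir/$fqdn.csr" \
        -config "$cfg"
    chmod 0600 "$outdir/$fqdn.key"      # key never leaves this directory unprotected
    printf '%s\n' "$outdir/$fqdn.csr"
}

# Create the host record, submit the CSR to the IPA CA, fetch the signed cert,
# and verify it against the IPA CA chain before deploying it to the device.
enroll_host() {
    fqdn=$1; outdir=$2
    csr=$(make_csr "$fqdn" "$outdir")
    # --force: create the record even when no DNS A record exists yet,
    # which is common for network devices added by hand.
    ipa host-add "$fqdn" --force
    ipa cert-request "$csr" \
        --principal="$(principal_for "$fqdn")" \
        --profile-id=caIPAserviceCert \
        --certificate-out="$outdir/$fqdn.crt"
    openssl verify -CAfile /etc/ipa/ca.crt "$outdir/$fqdn.crt"
}

# Usage (after `kinit admin` on a workstation with the ipa CLI):
#   enroll_host web01.example.com /root/certs/web01
```

The key is generated locally and only the CSR is sent to the CA, so the private key never transits the IPA server; the final `openssl verify` catches the case where the request was signed by a different profile or CA than intended before the pair is pushed to the device.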
