Re: [Puppet Users] Pre-generated certificates?

2018-04-05 Thread Martin Alfke
I can only think of pre-generating certificates when using an external CA and 
not using an intermediate CA on the Puppet master.


> On 2. Apr 2018, at 21:52, Eric Sorenson wrote:
> 
> Yeah, it's a bit of an outlier workflow but I figured I'd ask. The deafening 
> silence indicates it's probably not a use-case we need to treat specially.
> 
> --eric0
> 
> On Sat, Mar 31, 2018 at 12:23 PM, Michael Watters wrote:
> I've done this for a few nodes but I'm not sure how this would be an 
> improvement over just enabling autosign.  Private keys should remain private 
> to a node and should never be transmitted over the network if possible.
> 
> On Wednesday, March 28, 2018 at 3:10:35 PM UTC-4, Eric Sorenson wrote:
> Is anybody out there pre-generating certificates for your agents? I've heard 
> whispered tales of some folks doing this but we're starting work on improving 
> the CA / signing / revocation workflow and it'd be great to talk to somebody 
> directly. The workflow would be using 'puppet cert generate' on the master/CA 
> then distributing both the private key and the resulting certificate in some 
> secure, out-of-band mechanism (cloud-init?) to the nodes, so the agent finds 
> the CA cert as well as its own key/cert pair ready and waiting when it starts 
> up, bypassing the CSR generation/submission completely.
> 
> --eric0
> 
> -- 
> You received this message because you are subscribed to a topic in the Google 
> Groups "Puppet Users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/puppet-users/rmC7RsQEUwU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/7a75eaf6-b71a-4b34-9b76-fe6dbf6f96fd%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> 
> 



[Puppet Users] Pre-generated certificates?

2018-03-28 Thread Eric Sorenson
Is anybody out there pre-generating certificates for your agents? I've 
heard whispered tales of some folks doing this but we're starting work on 
improving the CA / signing / revocation workflow and it'd be great to talk 
to somebody directly. The workflow would be using 'puppet cert generate' on 
the master/CA then distributing both the private key and the resulting 
certificate in some secure, out-of-band mechanism (cloud-init?) to the 
nodes, so the agent finds the CA cert as well as its own key/cert pair 
ready and waiting when it starts up, bypassing the CSR 
generation/submission completely.

--eric0
