Re: [Puppet Users] SSL Cert automation for service

2015-01-06 Thread Felix Frank
Hi,

I haven't built this kind of scheme, but yes, Puppet should be able to
do this for you.

You will have to implement
1. A defined type that signs a cert for a given CN.
2. A custom fact that holds all signed certificates in a hash structure
suitable for
3. A defined type that wraps the export of
4. A defined type that installs a certificate from PEM input at the
appropriate location.

Each agent node that needs a cert will *export* the "sign cert" resource.

@@cert_to_sign { "service-x": cn => $fqdn, target => '/some/cert/location.pem' }

The CA machine collects all these requests.

Cert_to_sign<<| |>>

It also exports these certificates back to the requestors.

create_resources('export_signed_cert', $signed_cert_list) # <- this is the custom fact

define export_signed_cert($cn,$target,$pem_content) {
  # export the signed cert back to the requestor, keeping its requested target path
  @@signed_cert { $name: cn => $cn, target => $target, content => $pem_content }
}

Then each agent can import its own certificates.

Signed_cert<<| cn == $fqdn |>>

This is all quite abstract and I'm not sure I've thought everything
through. But this could be a rough design for what you need.

HTH,
Felix

On 01/03/2015 02:34 AM, Tom Noonan wrote:
> Hello, list:
> I'm looking for information/tutorials on using Puppet to generate
> SSL certs for a service managed by Puppet, not Puppet itself.  What I
> would like to do is give Puppet access to internal CA keys and have it
> generate and sign certs for services it manages.  This will allow me to
> use CA certs for trust without the pain of hand managing my CA.
> I'm hoping someone had trod this path and can provide pointers, as
> this is difficult to Google as I'm not interested in Puppet's internal
> certs.  Thanks.
>
> --Tom Noonan II

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/54AC7279.3080807%40Alumni.TU-Berlin.de.
For more options, visit https://groups.google.com/d/optout.
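One way to flesh out Felix's four pieces as a manifest. This is an added example, not code from the thread; it assumes CA material under /etc/ca on the CA node, that each agent generates its key locally and exposes the CSR as an assumed fact ($::service_x_csr) so only the CSR and the signed public cert travel through PuppetDB, and that a structured custom fact $::signed_cert_list (assumed, not shown) on the CA node maps request titles to { cn, target, pem_content }.

```puppet
# Added example, not from the thread. Assumptions: CA material lives in
# /etc/ca on the CA node; each agent generates its key locally and exposes
# its CSR as a fact ($::service_x_csr, assumed); a structured custom fact
# $::signed_cert_list (assumed, not shown) on the CA node maps request
# titles to { cn, target, pem_content } for the signed certs it finds.

# 1. CA node: sign the CSR of one request. Only the CSR and the signed
#    certificate cross PuppetDB; the private key never leaves the agent.
define cert_to_sign($cn, $target, $csr) {
  if $cn !~ /^[A-Za-z0-9.-]+$/ { fail("refusing to sign suspicious CN ${cn}") }
  $csr_file = "/etc/ca/requests/${cn}.csr"
  $crt_file = "/etc/ca/signed/${cn}.pem"
  file { $csr_file: ensure => file, content => $csr, mode => '0640' }
  exec { "sign-${cn}":
    command => "openssl x509 -req -in ${csr_file} -CA /etc/ca/ca.pem -CAkey /etc/ca/ca.key -CAcreateserial -days 365 -out ${crt_file}",
    path    => ['/usr/bin', '/bin'],
    creates => $crt_file,   # sign once; renewal needs a separate trigger
    require => File[$csr_file],
  }
}

# 3. CA node: export the signed public certificate back to its requester.
define export_signed_cert($cn, $target, $pem_content) {
  @@signed_cert { $name: cn => $cn, target => $target, content => $pem_content }
}

# 4. Agent: install the collected certificate at the requested path.
define signed_cert($cn, $target, $content) {
  file { $target: ensure => file, content => $content, owner => 'root', mode => '0644' }
}

# Agent side: export the request (title must be unique per node, or
# collection on the CA fails with a duplicate declaration) and collect
# only certificates issued for this node's CN.
class service_x::cert {
  @@cert_to_sign { "service-x-${::fqdn}":
    cn     => $::fqdn,
    target => '/etc/service-x/cert.pem',
    csr    => $::service_x_csr,
  }
  Signed_cert <<| cn == $::fqdn |>>
}

# CA side: collect every request, sign, and export the results.
class ca::signer {
  Cert_to_sign <<| |>>
  create_resources('export_signed_cert', $::signed_cert_list)
}
```

Structured facts require Facter 2 with stringify_facts disabled on Puppet 3, and the exec's `creates` guard means an expired cert is not re-signed until the old file is removed.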


[Puppet Users] SSL Cert automation for service

2015-01-04 Thread Tom Noonan
Hello, list:
   I'm looking for information/tutorials on using Puppet to generate
SSL certs for a service managed by Puppet, not Puppet itself.  What I
would like to do is give Puppet access to internal CA keys and have it
generate and sign certs for services it manages.  This will allow me to
use CA certs for trust without the pain of hand managing my CA.
   I'm hoping someone had trod this path and can provide pointers, as
this is difficult to Google as I'm not interested in Puppet's internal
certs.  Thanks.

--Tom Noonan II
