Using pregenerated certs with puppet

07 August 2006

In a previous post, I mentioned that puppetca can be used to pregenerate certificates for puppet clients. Pregenerated certificates can be used very effectively to avoid transferring the client certificate in the clear over a network, for example, by storing them on a USB key, and carrying them by hand from the puppetmaster to the client - of course, this can be easily adapted to any other form of secure out-of-band communication between client and puppetmaster.

The file puppetca.config contains the settings needed to generate client keys and certificates, signed by the existing puppetmaster's CA, directly onto a USB key. Simply mount the USB key on the puppetmaster at /media/disk and run

puppetca --config=puppetca.config -g HOSTNAME

to create a signed certificate for the client HOSTNAME.

Walk slowly to the client, mount the USB stick, again at /media/disk, and run the following manifest with puppet:

```puppet
class puppet-certs {
    $ssldir = "/var/lib/puppet/ssl"
    $fqdn   = "$hostname.$domain"
    $src    = "/media/disk/puppet"

    # the client's private key: readable by root only
    file { "$ssldir/private_keys/$fqdn.pem":
        source => "$src/private_keys/$fqdn.pem",
        owner  => root,
        group  => root,
        mode   => 0400
    }

    # drop any public key left over from an earlier run; it would not
    # match the pregenerated private key
    file { "$ssldir/public_keys/$fqdn.pem":
        ensure => absent
    }

    # the signed client certificate
    file { "$ssldir/certs/$fqdn.pem":
        source => "$src/certs/$fqdn.pem",
        owner  => root,
        group  => root,
        mode   => 0640
    }

    # the puppetmaster's CA certificate
    file { "$ssldir/certs/ca.pem":
        source => "$src/certs/ca.pem",
        owner  => root,
        group  => root,
        mode   => 0640
    }
}

include puppet-certs
```

This manifest puts the certificate of the CA, the signed client certificate, and the private key for the signed client certificate in the proper places. Once you have verified that the client can communicate with the puppetmaster without any problems, make sure you delete the files from the USB key, in particular the client's private key. The easiest way to do that is to run `puppetca --config puppetca.config -c HOSTNAME` with the USB key mounted on the puppetmaster.
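Before the manifest above copies anything into place, it is worth checking on the client that what arrived on the USB key is consistent: that the client certificate really chains to the ca.pem on the stick, that the private key belongs to that certificate, and that the certificate was issued for this host. The following shell script is an added example, not code from the original post or from puppet; it reads the same `private_keys/` and `certs/` layout the manifest copies from and assumes `openssl` is available on the client and that the certificate's CN equals the hostname given to `puppetca -g`.

```shell
#!/bin/sh
# Added example: sanity-check a pregenerated puppet client cert/key pair on
# the USB key before installing it. Layout under SRC is assumed to be
# SRC/private_keys/FQDN.pem, SRC/certs/FQDN.pem and SRC/certs/ca.pem.

# check_client_certs SRC FQDN -> exit status 0 if consistent, 1 otherwise
check_client_certs() {
  src=$1 fqdn=$2
  key="$src/private_keys/$fqdn.pem"; crt="$src/certs/$fqdn.pem"; ca="$src/certs/ca.pem"
  for f in "$key" "$crt" "$ca"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # 1. the client certificate must have been signed by the CA on the stick
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "$crt is not signed by $ca" >&2; return 1; }
  # 2. private key and certificate must carry the same public key
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  cpub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null || true)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] \
    || { echo "private key does not match $crt" >&2; return 1; }
  # 3. the subject CN must be the HOSTNAME that puppetca -g was run with
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$fqdn" ] || { echo "certificate CN '$cn' is not '$fqdn'" >&2; return 1; }
}

# install_client_certs SRC FQDN SSLDIR: the manifest's file resources as
# shell, run only after the checks pass. Run as root so the copies are
# root-owned, as the manifest requires.
install_client_certs() {
  src=$1 fqdn=$2 ssldir=$3
  check_client_certs "$src" "$fqdn" || return 1
  mkdir -p "$ssldir/private_keys" "$ssldir/certs"
  # copy under a restrictive umask so the key is never group/world readable
  ( umask 077 && cp "$src/private_keys/$fqdn.pem" "$ssldir/private_keys/$fqdn.pem" ) \
    && chmod 0400 "$ssldir/private_keys/$fqdn.pem" || return 1
  rm -f "$ssldir/public_keys/$fqdn.pem"   # stale public key from an earlier run
  for c in "$fqdn.pem" ca.pem; do
    cp "$src/certs/$c" "$ssldir/certs/$c" && chmod 0640 "$ssldir/certs/$c" || return 1
  done
}
```

A mismatch at any of the three checks stops the install, so a stick that was written for a different host, or from a different puppetmaster, is caught before the client ever tries to talk to the server.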

Watzmann.Blog by David Lutterkort is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.
