NOTE: be careful to distinguish the puppetmaster's CA certificate from its leaf certificate, particularly in the Apache configurations.
== Root CA ==

The root CA uses a simple self-signed certificate. Whoever holds its private key holds the keys to the kingdom: they can issue certificates that everything trusting this CA will accept. So be careful with it: keep it on a well-protected system, isolated from your puppet environment, and protect the passphrase carefully.

You should also understand the difference between a certificate, a key, and a CRL; there are plenty of good summaries on the 'net.

Put the following in ''openssl.conf'':
<pre>
[ca]
# ... (the rest of the configuration is not shown in this excerpt)
keyUsage = keyCertSign, cRLSign
</pre>
then create the (initially empty) certificate database and the starting serial number:

<pre>
touch inventory.txt
echo 0001 > serial
</pre>

Set up a new self-signed CA cert with:

<pre>
openssl req -new -newkey rsa:4096 -sha256 -days 3650 -x509 -subj "/CN=PuppetAgain Base CA/OU=Release Engineering/O=Mozilla, Inc." -keyout puppetagain-base-ca.key -out puppetagain-base-ca.crt
</pre>

adjusting the subject appropriately for your environment. Note the syntax of ''-subj'': OpenSSL separates the components with slashes, not commas; a comma-separated string would end up as one long CN. The subject does not affect how puppet uses the CA, but reusing the one above risks confusing your CA with moco's certificate. Give the key size and digest explicitly, as above, rather than relying on the OpenSSL defaults, which vary by version. You will be prompted for a passphrase for the new key; this is the passphrase to protect carefully.

Generate a CRL with

<pre>
openssl ca -config openssl.conf -gencrl -out puppetagain-base-ca.crl
</pre>

which signs the (still empty) revocation list with the root key and certificate named in ''openssl.conf'', prompting for the key's passphrase.

You now have a *.key (private key - keep this secret!), *.crt (certificate), and *.crl (CRL) file for your root CA.

All three are PEM files, short base64 blobs between BEGIN/END lines, so they are easy to copy and paste. That is how to get the certificate and CRL off the CA host, which, as is wise, should be strictly isolated from your production systems; the private key has no reason to leave it.
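The whole procedure above, end to end, as an added example that is not the PuppetAgain wiki's own script: it writes a minimal ''openssl.conf'' that stands in for the page's full configuration (which this excerpt does not reproduce), creates the database and serial files, generates the passphrase-protected key and self-signed certificate, issues the first CRL, and then checks that the result really is a usable root CA. The subject, passphrase and scratch directory are placeholders chosen for the example, and ''-passout''/''-passin'' replace the interactive passphrase prompts so that it runs unattended.

```sh
#!/bin/sh
# Added example (not the PuppetAgain wiki's own script): build a root CA
# as the section describes, then check the result.  Assumptions, labelled
# as such: the minimal openssl.conf written below stands in for the page's
# full configuration, the subject and passphrase are placeholders, and the
# output goes to a scratch directory rather than an isolated CA host.
set -eu

# make_root_ca DIR SUBJECT PASSPHRASE
#   Writes a minimal openssl.conf into DIR, creates the empty certificate
#   database and starting serial, generates an encrypted 4096-bit RSA key
#   plus a 10-year self-signed CA certificate, and issues the first CRL.
make_root_ca() {
    dir=$1
    subject=$2
    passphrase=$3

    # Minimal CA configuration (an assumption standing in for the page's
    # own openssl.conf).  Paths are expanded by the shell when written.
    cat > "$dir/openssl.conf" <<EOF
[ ca ]
default_ca = root_ca

[ root_ca ]
database         = $dir/inventory.txt
serial           = $dir/serial
new_certs_dir    = $dir
certificate      = $dir/puppetagain-base-ca.crt
private_key      = $dir/puppetagain-base-ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
# What makes this a CA certificate: it may sign certificates and CRLs,
# and nothing else.
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Empty certificate database and starting serial number.
    : > "$dir/inventory.txt"
    echo 0001 > "$dir/serial"

    # Self-signed root: key size and digest given explicitly, subject in
    # OpenSSL's slash-separated form.  -passout stands in for the
    # interactive passphrase prompt so the example runs unattended.
    openssl req -new -newkey rsa:4096 -sha256 -days 3650 -x509 \
        -config "$dir/openssl.conf" -subj "$subject" \
        -passout "pass:$passphrase" \
        -keyout "$dir/puppetagain-base-ca.key" \
        -out "$dir/puppetagain-base-ca.crt" 2>/dev/null

    # First (empty) CRL, signed with the root key named in openssl.conf.
    openssl ca -config "$dir/openssl.conf" -gencrl \
        -passin "pass:$passphrase" \
        -out "$dir/puppetagain-base-ca.crl" 2>/dev/null
}

# check_root_ca DIR
#   Returns 0 only if DIR holds what a root CA should: a passphrase-
#   protected key, a self-signed certificate marked CA:TRUE that may sign
#   certificates and CRLs, and a CRL whose signature verifies against it.
check_root_ca() {
    dir=$1
    key=$dir/puppetagain-base-ca.key
    crt=$dir/puppetagain-base-ca.crt
    crl=$dir/puppetagain-base-ca.crl

    grep -q ENCRYPTED "$key" \
        || { echo "key is not passphrase-protected" >&2; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' \
        || { echo "certificate is not a CA certificate" >&2; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q 'Certificate Sign, CRL Sign' \
        || { echo "certificate lacks keyCertSign/cRLSign" >&2; return 1; }
    # A self-signed root must verify with itself as the only trust anchor.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify as self-signed" >&2; return 1; }
    # openssl crl -CAfile reports its verdict on stderr, not in the exit
    # status, so look for the verdict text.
    openssl crl -in "$crl" -CAfile "$crt" -noout 2>&1 | grep -q 'verify OK' \
        || { echo "CRL signature does not verify" >&2; return 1; }
    return 0
}

# Demonstration run with placeholder subject and passphrase.
demo_dir=$(mktemp -d)
make_root_ca "$demo_dir" "/CN=Example Root CA/O=Example Org" "example-passphrase"
check_root_ca "$demo_dir"
echo "root CA material written to $demo_dir"
```

Passing the passphrase as ''pass:...'' exposes it to anyone who can list processes on the machine; for a real CA use the interactive prompt as the page does, or ''-passin stdin''. The checks in ''check_root_ca'' are worth repeating whenever CA files change hands: ''openssl x509 -text'' is also the quick way to tell a CA certificate from a leaf certificate, which the NOTE above warns about confusing, since a leaf will not carry CA:TRUE.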
== Making a New Puppetmaster CA Certificate ==