== Making a New Puppetmaster CA Certificate ==

You should already know what a key, certificate, CRL, and CSR are.

The idea here is to make a CA certificate (one that can sign other certificates) that is signed by the root CA.

The following commands will make a new key (master.key) and a corresponding CSR. Note that the instructions you get from puppet when you're setting this up will contain explicit paths, so it will be easier to copy/paste there.

<pre>
openssl genrsa -out ${master_ca_key} 2048
openssl req -new -subj "/CN=CA on ${fqdn}" -key ${master_ca_key} -out master-ca.csr
openssl req -text -in master-ca.csr
</pre>

Check that the CSR has the expected fields (check the dates, etc.), then copy/paste it into a temporary file (say, master.csr) on the host where your root CA is set up. There, run

<pre>
openssl ca -config openssl.conf -in master.csr
</pre>

This is using the root CA to sign the master CA's certificate. Check that the CSR values match what you specified above, and answer the prompts. You'll end up with a new certificate, which you can copy and paste back onto the puppetmaster (the puppet message will tell you where to put it).
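The whole procedure end to end, as an added example that is not part of the wiki page or the PuppetAgain scripts: it stands up a throwaway root CA, runs the key/CSR/signing steps above, and then checks the result the way you should before installing it. It assumes the openssl CLI is installed; the hostname, file names and paths are constructed, and root signing is done with "openssl x509 -req" rather than "openssl ca" so no CA directory is needed.

```shell
#!/bin/sh
# Added example, not from the wiki page: stand up a throwaway root CA, then
# run the page's steps (master key, CSR, root-signed CA certificate) and check
# the result. Assumes the openssl CLI; every name and path here is constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
FQDN="puppet.example.test"    # constructed stand-in for ${fqdn}

# Throwaway self-signed root, standing in for the real root CA host.
make_root_ca() {
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/root.key" -days 365 \
        -subj "/CN=Example Root CA" -out "$WORK/root.crt"
}

# The page's two commands: new key plus a CSR with "CN=CA on <fqdn>".
make_master_csr() {
    openssl genrsa -out "$WORK/master.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/master.key" -subj "/CN=CA on $FQDN" \
        -out "$WORK/master-ca.csr"
}

# Root signs the CSR. The page uses 'openssl ca -config openssl.conf', which
# needs a CA directory and database; 'openssl x509 -req' is used here instead.
# basicConstraints CA:TRUE is what lets the result sign agent certificates;
# pathlen:0 stops it from minting further CAs.
sign_master_csr() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/master-ca.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/master-ca.crt" 2>/dev/null
}

# Checks worth running before installing the certificate on the puppetmaster.
chain_verifies() {   # chains to the root
    openssl verify -CAfile "$WORK/root.crt" "$WORK/master-ca.crt" >/dev/null
}
is_ca_cert() {       # really marked as a CA, so it can sign agent certs
    openssl x509 -in "$WORK/master-ca.crt" -noout -text | grep -q 'CA:TRUE'
}
subject_matches() {  # the CN the CSR asked for survived signing
    openssl x509 -in "$WORK/master-ca.crt" -noout -subject | grep -q "CA on $FQDN"
}
run_all() {
    make_root_ca && make_master_csr && sign_master_csr &&
        chain_verifies && is_ca_cert && subject_matches
}
run_all && echo "master CA certificate OK in $WORK"
```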
=== Puppetmaster CA Setup ===

You don't need to know this if you're using PuppetAgain, because the setup scripts do it for you (and slightly differently), but for those wondering how Certificate Chaining works in general:

<pre>
$ openssl genrsa -des3 -out ${fqdn}-ca.key -passout file:${fqdn}-ca.password 2048