ReleaseEngineering/PuppetAgain/Certificate Chaining: Difference between revisions

← Older edit

ReleaseEngineering/PuppetAgain/Certificate Chaining (view source)

Revision as of 12:59, 13 May 2013

1,433 bytes added , 13 May 2013

→‎Certificate Hierarchy

Djmitche

canmove, Confirmed users

1,394

edits

@@ Line 36: / Line 36: @@
          .
-Note Master and Agent certs are functionally identical.  The "OU=PuppetMasters" is important so that each puppetmaster can have a master and agent cert with the same fqdn.
+Notes:
+* Here and throughout these docs, the terms "root" and "base" CA are used interchangeably.  "Root" is preferred.
+* Master and Agent certs are nearly identical, except that one has an EKU allowing use as SSL clients, and the other only allows SSL server.  The "OU=PuppetMasters" is important so that each puppetmaster can have a master and agent cert with the same fqdn, but the certificate subjects are different.
 = Master Initialization =
@@ Line 228: / Line 230: @@
 == Making a New Puppetmaster CA Certificate ==
-$fqdn is the fqdn of the puppet master here.  First, put a nice long password in ${fqdn}-ca.password.  You'll never need to type it or even see it again.
+You should already know what a key, certificate, CRL, and CSR are.
+The idea here is to make a CA certificate (one that can sign other certificates) that is signed by the root CA.
+The following commands will make a new key (master.key) and a corresponding CSR.  Note that the instructions you get from puppet when you're setting this up will contain explicit paths, so it will be easier to copy/paste there.
+    openssl genrsa -out ${master_ca_key} 2048
+    openssl req -new -subj "/CN=CA on ${fqdn}" -key ${master_ca_key} -out master-ca.csr
+    openssl req -text -in master-ca.csr
+Check that the CSR has the expected fields (check the dates, etc.), then copy/paste it into a temporary file (say, master.csr) on the host where your root CA is set up.  There, run
+    openssl ca -config openssl.conf -in master.csr
+This is using the root CA to sign the master CA's certificate.  Check that the CSR values match what you specified above, and answer the prompts.  You'll end up with a new certificate, which you can copy and paste back onto the puppetmaster (the puppet message will tell you where to put it).
+=== Puppetmaster CA Setup ===
+You don't need to know this if you're using PuppetAgain, because the setup scripts do it for you (and slightly differently), but for those wondering how Certificate Chaining works in general:
 <pre>
 $ openssl genrsa -des3 -out ${fqdn}-ca.key -passout file:${fqdn}-ca.password 2048