
certificate generation

asked 2014-10-30 03:54:39 -0600

bantubanerji

If I generate a certificate on the master for one client using the "puppet cert generate <host_name>" command and want to add my newly installed client system to my puppetized environment, what am I supposed to do?
1. Which files, after executing the above command, do I need to copy to my puppet client machine, and into which directories?
2. Do I need to do some other steps?

Please note, I am using RHEL 6.5. Certificates and related files are getting created in the /var/lib/puppet/ssl directory.

    [root@master ~]# puppet config print ssldir --section master
    /var/lib/puppet/ssl
    [root@master ~]#

My main objective is to add a newly kickstarted machine to the puppet environment; I may probably add scripts under the %post section in my kickstart file.

I am a new puppet user, please help.


1 Answer


answered 2014-10-30 12:33:19 -0600

cbarbour

I would advise against pre-generating certificates on the CA. Instead, simply install Puppet on your newly kickstarted machine, and configure the agent to connect to the Puppet Master.

The agent will automatically generate a CSR, and will upload it to the master as part of its initial run. When you sign the certificate on the CA, the agent will automatically retrieve the signed cert on its next run.

This approach is much safer than generating certificates on the CA, since it doesn't require copying private keys over the network.

To answer your question though... Your client will need:

  • The private key
  • The public key
  • The signed certificate


Thank you very much for the advice. Can you please also guide me on where exactly the advised keys and certificate are getting created on the master? And if I copy them to the client, what should be the destination directories (on the client) and the file names? I do not want to autosign the client.

bantubanerji (2014-11-03 16:26:22 -0600)

Again, I recommend generating the certificates on the client. Use the normal puppet CSR process. This isn't the same as autosign; you still need to sign the cert on the master using the puppet cert command. This simply automates the process of copying keys. It's also safer than what you're asking.

cbarbour (2014-11-03 16:55:32 -0600)
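
The CSR workflow recommended in the answer, with a check of the request's fingerprint before signing, as an added example that is not part of the original thread and not Puppet's own code. The hostnames, function names and sample data are constructed, and the `puppet cert list` line format is assumed from Puppet 3.x.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames, function names and the sample
# data are constructed; the list format is assumed from Puppet 3.x output.
#
# Client (e.g. kickstart %post): the key pair and CSR are created locally.
# The first run submits the CSR and exits; a later run fetches the signed cert.
#   puppet agent --test --server master.example.com
#   puppet agent --fingerprint      # note the CSR fingerprint
# Master, once the fingerprint has been checked (see the functions below):
#   puppet cert list
#   puppet cert sign agent01.example.com

# Constructed sample of `puppet cert list` output (fingerprints shortened).
SAMPLE_LIST='  "agent01.example.com" (SHA256) 0A:1B:2C:3D:4E:5F:60:71
  "agent02.example.com" (SHA256) 99:88:77:66:55:44:33:22'

# Reduce "(SHA256) 0a:1b:.." or "(0A:1B:..)" to a bare upper-case fingerprint.
norm_fp() {
    printf '%s\n' "$1" | awk '{ print toupper($NF) }' | tr -d '()'
}

# Print the pending CSR fingerprint for certname $1; list output on stdin.
pending_fp() {
    awk -v host="\"$1\"" '$1 == host { print $NF; exit }'
}

# Succeed only if the fingerprint read on the client ($2) equals the one the
# master holds for certname $1. A missing request counts as a mismatch.
fp_matches() {
    want=$(norm_fp "$2")
    got=$(norm_fp "$(pending_fp "$1")")
    if [ -n "$got" ] && [ "$want" = "$got" ]; then
        return 0
    fi
    echo "do not sign $1: no pending CSR or fingerprint mismatch" >&2
    return 1
}

# Demo on the constructed sample; on a real master, pipe `puppet cert list`.
if printf '%s\n' "$SAMPLE_LIST" | fp_matches agent01.example.com \
        "(SHA256) 0a:1b:2c:3d:4e:5f:60:71"; then
    echo "fingerprints match: puppet cert sign agent01.example.com"
fi
```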


Asked: 2014-10-30 03:54:39 -0600

Seen: 67 times

Last updated: Oct 30 '14