All About SSL
Let's talk about SSL! (This isn't another Heartbleed post, promise.)
When I joined Puppet Labs in 2010, I had never used Puppet before and was at (maybe) a junior sysadmin level of general computer savvy. So I had to hustle a bit to catch up. Which was actually a good thing, since my job was to explain Puppet to new users like me! Confusion was a valuable tool: If something left me scratching my head, it definitely needed more attention in our documentation.
One of the biggest stumbling blocks I hit was Puppet's use of SSL. I wasn't clear on the difference between a key, a CSR (certificate signing request), and a certificate; once I had that down, the difference between the puppet master and the CA (certificate authority) started causing me problems. For years, something new would always pop up whenever I thought I had SSL handled. (A more recent baffler: How does a puppet master get access to an agent's certificate when the master is hosted by a Rack server?)
Why did this all take so long to learn? I have a guess. I think advanced Puppet users have to interact with SSL in an unusually broad fashion, and nobody else has a good reason to write the kind of introductory material we need. Someone who runs a public CA or develops crypto software needs to know nearly everything, down to the cipher math; they need to read all the specs, and can't really take any shortcuts. Someone who uses HTTPS for their public website needs to know how to get a certificate and configure their server, but that's about it; they don't usually have to think about how the whole system works.
Now consider the Puppet user: Unlike a crypto dev, they have good defaults and some helpful tools to do the heavy lifting, so they can get away with a lot of shortcuts. But they're still running a CA, so they have to think about the entire system in a way most HTTPS customers don't.
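To make the distinctions above concrete, here is an added example (mine, not Puppet's own code) that builds the three objects by hand with Ruby's standard OpenSSL bindings, the same library Puppet uses underneath: a CA with a self-signed certificate, then a key and CSR for a master and for an agent, then the CA signing each CSR into a certificate. The hostnames are made up. The point it demonstrates is that the master is not the CA: it holds an ordinary certificate issued by the CA, just like an agent, and a certificate from a CA you don't trust fails verification no matter how well-formed it is.

```ruby
require 'openssl'

# Added illustration, not Puppet code. The three things a Puppet user has to
# tell apart:
#   key         - a private/public key pair; the private half never leaves its host
#   CSR         - the public half plus a requested name, signed with the private key
#   certificate - the CA's signed statement binding that name to that public key
# All names below are made up for the example.
CA_NAME     = '/CN=Puppet CA: puppetca.example.com'
MASTER_NAME = '/CN=puppetmaster.example.com'
AGENT_NAME  = '/CN=agent01.example.com'
ONE_YEAR    = 365 * 24 * 3600

# 1. The CA: a key plus a self-signed certificate (the trust anchor).
def make_ca(name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(name)
  cert.issuer     = cert.subject          # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 5 * ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# 2. A node (master or agent): a key and a CSR. Only the CSR goes to the CA.
def make_csr(name)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version    = 0
  csr.subject    = OpenSSL::X509::Name.parse(name)
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest::SHA256.new)  # proves the requester holds the key
  [key, csr]
end

# 3. The CA checks the CSR's self-signature, then issues a certificate.
def sign_csr(csr, ca_key, ca_cert, serial)
  raise 'CSR signature invalid' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = csr.subject
  cert.issuer     = ca_cert.subject       # issued by the CA, not self-signed
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# A verifier trusts a certificate only if it chains to a CA it already trusts.
def trusted?(cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# Run the whole flow and report what each party can conclude.
def demo
  ca_key, ca_cert        = make_ca(CA_NAME)
  master_key, master_csr = make_csr(MASTER_NAME)
  agent_key,  agent_csr  = make_csr(AGENT_NAME)
  master_cert = sign_csr(master_csr, ca_key, ca_cert, 2)
  agent_cert  = sign_csr(agent_csr,  ca_key, ca_cert, 3)
  _rogue_key, rogue_cert = make_ca('/CN=some other CA')   # not in our trust store
  {
    master_trusted:     trusted?(master_cert, ca_cert),
    agent_trusted:      trusted?(agent_cert, ca_cert),
    rogue_trusted:      trusted?(rogue_cert, ca_cert),
    master_key_matches: master_cert.check_private_key(master_key),
    agent_key_rejected: !master_cert.check_private_key(agent_key),
    master_is_not_ca:   master_cert.issuer.to_s != master_cert.subject.to_s,
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running it shows the master and agent certificates both verify against the CA, the unrelated self-signed CA does not, and a certificate only pairs with the private key whose public half it carries. Puppet's own tooling does all of this for you (the CA on the master signs agent CSRs, and `puppet cert` manages the results), but this is the whole system the Puppet user is quietly operating.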
As a new user, I needed a systematic introduction to SSL that didn't drive out into the mathematical weeds at the first opportunity. And I couldn’t find one.
So this year, I wrote one! We recently published it on our docs website, and you can read it today:
- Part 1: What is Public Key Cryptography?
- Part 2: What are Certificates and PKI?
- Part 3: What is TLS/SSL?
- Part 4: What is HTTPS?
- Appendix: Anatomy of a Certificate
If you’re a new Puppet user, give it a try; we hope it saves you as much time as it would have saved me.
Nick Fagerlund is a technical writer at Puppet Labs.
- Just in case you haven’t seen it yet, here’s our guide to remediating the OpenSSL vulnerability known as Heartbleed.