Using an External Certificate Authority with Puppet Enterprise
Puppet Enterprise ships with its own certificate authority (CA). For customers whose organizations don't already have a CA in place, that's a big benefit because Puppet Enterprise provides the entire workflow around certificates.
However, many of our large enterprise customers already have their own CA in place, plus the tools and processes to issue certificates. For these customers, a changeover to the Puppet Enterprise CA would cost a lot of time and effort, and could break other processes within the infrastructure.
If you're new to SSL security, installing Puppet Enterprise while keeping your organization's own CA can seem like a task for some kind of super-pro sysadmin ops god. But that's not really the case. All you need to do is settle on a method for generating your new certificates and security credentials (public and private keys), and then follow along with the step-by-step guide in the Puppet Enterprise docs: Using an External Certificate Authority with Puppet Enterprise.
This new doc gives you an overview of all the certs and security credentials generated by Puppet Enterprise and explains exactly where those files are located across the various pieces of your Puppet Enterprise installation. In addition to showing you which directories the new certs and keys go into, we tell you exactly which additional files you need to edit, and point out which services you need to restart to get up and running.
We strongly recommend you use the exact same file names for your new certs and security credentials that Puppet Enterprise uses. Using the same file names will keep you from needing to touch a bunch of extra config files, limiting your chance of creating complications or errors.
We don’t specifically mention it in the doc, but we bet if your CLI-fu is up to snuff, you can probably get this whole thing done in under thirty minutes.
Because seriously: SSL is no big deal. Right?
Isaac Eldridge is a technical writer at Puppet Labs.
- If you’re completely new to SSL, or just need a refresher, check out this complete overview and primer on SSL and related topics.
- In case you haven't seen it yet, here is Puppet Labs' guidance for remediating the OpenSSL vulnerability known as Heartbleed.