Guidance regarding use of an external CA with Puppet

Puppet supports the use of an intermediate certificate authority issued by an existing PKI today purely as a convenience. The accommodation is meant to support those customers who have existing CAs, the ability to issue an intermediate certificate authority from them, and who may be administratively advantaged by doing so. Such an advantage would only be a procedural or policy benefit; there is no technical advantage or security benefit to Puppet linking back to an organization's central X.509 CA.

In point of fact, linking Puppet’s PKI to an organization’s central CA may be a lower security stance than leaving Puppet’s internal PKI fully self-contained. A Puppet agent or server certificate with a link back to a central CA has a small but non-zero potential to become part of an attack on poorly configured 3rd party SSL clients configured to trust the central root. If Puppet’s PKI is instead fully isolated and not trusted by any 3rd party systems, even this remote possibility of exploitation is eliminated.

Whatever certificate authority (or intermediate certificate authority) Puppet uses, that certificate authority SHOULD NOT be trusted by any systems or persons outside of the Puppet server-to-agent trust relationship(s). In the event that using an intermediate certificate authority issued by a central root does not provide a specific administrative or maintenance benefit to a customer (typically it does not), Puppet's guidance is to NOT link Puppet's PKI with a central certificate authority, and to use Puppet’s internal, isolated PKI instead.