The built-in Puppet
certificate authority automatically generates a root and intermediate certificate, but you can
set up an independent intermediate certificate authority during installation if you need
additional intermediate certificates, or if you prefer to use a public authority CA.
Before you begin
You must have a CA chain, a CRL chain, and a private key. Certificate
chains must be ordered from least to most authoritative, with the cert for the CA that
you intend to use positioned first in the chain files.
-
Copy your CA chain, CRL chain, and private key to the
node where you're installing the master.
Tip: Allow access to your private key only from
the PE installation process, which runs as
root.
-
Follow the instructions to install PE in text mode, adding the
signing_ca
parameter to pe.conf
.
You must include all three key/value pairs for the
signing_ca
parameter:
bundle
,
crl_chain
, and
private_key
.
{
"pe_install::signing_ca": {
"bundle": "/root/ca/int_ca_bundle"
"crl_chain": "/root/ca/int_crl_chain"
"private_key": "/root/ca/int_key"
}
}
-
Validate that the CA is working
using the standard openssl tools installed with PE.
openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/signed/<HOSTNAME>.crt
-text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=intermediate-ca
...