SSL and certificates
Network communications and security in Puppet Enterprise are based on HTTPS, which secures traffic using X.509 certificates. PE includes its own CA tools, which you can use to regenerate certs as needed.
Regenerate the console certificate
The console certificate expires every 824 days. Regenerate the console certificate when it is nearing or past expiration, or if the certificate is corrupted and you're unable to access the console.
Regenerate the SAML certificate
By default, the SAML certificate expires every 824 days. Regenerate the certificate when it is nearing or past expiration.
Regenerate infrastructure certificates
Regenerating certificates and security credentials (both private and public keys) created by the built-in PE certificate authority can help ensure the security of your installation in certain cases.
Use an independent intermediate certificate authority
The built-in Puppet certificate authority automatically generates a root and intermediate certificate, but if you need additional intermediate certificates or prefer to use a public CA, you can set up an independent intermediate certificate authority. You must complete this configuration during installation.
Use a custom SSL certificate for the console
The Puppet Enterprise (PE) console uses a certificate signed by PE's built-in certificate authority (CA). Because this CA is specific to PE, web browsers don't know or trust it, and you have to add a security exception in order to access the console. If this is not acceptable, you can use a custom CA to create the console's certificate.
Generate a custom Diffie-Hellman parameter file
The "Logjam Attack" (CVE-2015-4000) exposed several weaknesses in the Diffie-Hellman (DH) key exchange. To help mitigate the "Logjam Attack," PE ships with a pre-generated 2048-bit Diffie-Hellman parameter file. If you don't want to use the default DH parameter file, you can generate your own.
Enable TLSv1
To comply with security regulations, TLSv1 and TLSv1.1 are disabled by default.