csr_attributes.yaml file defines custom data for new certificate signing requests (CSRs). It can set:
This file is only consulted when a new CSR is created (e.g. when an agent node is first attempting to join a Puppet deployment). It cannot modify existing certificates.
Note: For details on how to use this file, see the documentation for CSR attributes and certificate extensions.
csr_attributes.yaml file is located at
$confdir/csr_attributes.yaml by default. Its location is configurable with the
The location of the
confdir varies; it depends on the OS, Puppet distribution, and user account. See the confdir documentation for details.
--- custom_attributes: 1.2.840.113522.214.171.124: 342thbjkt82094y0uthhor289jnqthpc2290 extension_requests: pp_uuid: ED803750-E3C7-44F5-BB08-41A04433FE2E pp_image_name: my_ami_image pp_preshared_key: 342thbjkt82094y0uthhor289jnqthpc2290
csr_attributes file must be a YAML hash containing one or both of the following keys:
The value of each key must also be a hash, where:
pp_uuidis a short name for a Puppet-specific OID.)
Custom attributes can use any public or site-specific OID, with the exception of the OIDs used for core X.509 functionality. This means you can’t re-use existing OIDs for things like subject alternative names.
One useful OID is the “challengePassword” attribute —
1.2.840.1135126.96.36.199. This is a rarely-used corner of X.509 which can easily be repurposed to hold a pre-shared key. The benefit of using this instead of an arbitrary OID is that it will appear by name when using OpenSSL to dump the CSR to text; OIDs that
openssl req can’t recognize will be displayed as numerical strings.
Also note that the Puppet-specific OIDs listed below can also be used in CSR attributes.
Extension request OIDs must be under the “ppRegCertExt” (
188.8.131.52.4.1.34380.1.1) or “ppPrivCertExt” (
184.108.40.206.4.1.34380.1.2) OID arcs.
Puppet Labs provides several registered OIDs (under “ppRegCertExt”) for the most common kinds of extension information, as well as a private OID range (“ppPrivCertExt”) for site-specific extension information. The benefits of using the registered OIDs are:
csr_attributes.yamlusing their short names instead of their numeric IDs.
The private range is available for any information you want to embed into a certificate that isn’t already in wide use elsewhere. It is completely unregulated, and its contents are expected to be different in every Puppet deployment.
The “ppRegCertExt” OID range contains the following OIDs:
|Numeric ID||Short Name||Descriptive Name|
||Puppet Node UUID|
||Puppet Node Instance ID|
||Puppet Node Image Name|
||Puppet Node Preshared Key|