It is only valid on a Puppet master server; in Puppet apply, the compiler doesn’t add certificate extensions to
More about certificate extensions
When a node requests a certificate, it can ask the CA to include some additional, permanent metadata in that cert. (Puppet agent uses the csr_attributes.yaml file to decide what extensions to request.)
If the CA signs a certificate with extensions included, those extensions are available as trusted facts in the top-scope $trusted variable. Your manifests or node classifier can then use those trusted facts to decide which nodes can receive which configurations.
By default, the Puppet-specific registered OIDs appear as keys with convenient short names in the $trusted[extensions] hash, and any other OIDs appear as raw numerical IDs. You can use the custom_trusted_oid_mapping.yaml file to map other OIDs to short names, which will replace the numerical OIDs in
For more info, see:
Limitations of OID mapping
Mapping OIDs in this file only affects the keys in the $trusted[extensions] hash. It does not affect:
- What an agent can request in its csr_attributes.yaml file: anything other than the Puppet-specific registered extensions must still be requested by numerical OID.
- What you see when you run puppet cert print: mapped extensions are still displayed as numerical OIDs. (Improving cert display is planned as PUP-4617.)
The OID mapping file is located at $confdir/custom_trusted_oid_mapping.yaml by default. Its location is configurable with the
The location of the confdir depends on your OS. See the confdir documentation for details.
---
oid_mapping:
  1.3.6.1.4.1.34380.1.2.1:
    shortname: 'myshortname'
    longname: 'My Long Name'
  1.3.6.1.4.1.34380.1.2.2:
    shortname: 'myothershortname'
    longname: 'My Other Long Name'
custom_trusted_oid_mapping.yaml must be a YAML hash containing a single key called
The value of the oid_mapping key must be a hash whose keys are numerical OIDs. The value for each OID must be a hash with two keys:
- shortname for the one-word name that will be used in the
- longname for a more descriptive name (not currently used for anything).
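As an added example (not from the Puppet docs or from Puppet's own code), a Ruby loader that checks a custom_trusted_oid_mapping.yaml against the rules above and then applies it to a raw extensions hash, the way the mapping renames keys in $trusted[extensions]. The sample file, the pp_role key and the unmapped OID are constructed for the example; load_oid_mapping and map_extensions are assumptions, not Puppet's API.

```ruby
require 'yaml'

# Constructed sample of a custom_trusted_oid_mapping.yaml in the documented
# shape (1.3.6.1.4.1.34380 is Puppet's private arc; leaf OIDs as in the
# example above).
SAMPLE_MAPPING = <<~YAML
  ---
  oid_mapping:
    1.3.6.1.4.1.34380.1.2.1:
      shortname: 'myshortname'
      longname: 'My Long Name'
    1.3.6.1.4.1.34380.1.2.2:
      shortname: 'myothershortname'
      longname: 'My Other Long Name'
YAML

NUMERIC_OID = /\A\d+(\.\d+)+\z/

# Validate the file against the rules above and return { oid => shortname }.
# A malformed file raises ArgumentError with a reason, so it fails loudly at
# load time instead of silently leaving keys numeric in $trusted[extensions].
def load_oid_mapping(yaml_text)
  doc = YAML.safe_load(yaml_text)
  unless doc.is_a?(Hash) && doc.keys == ['oid_mapping'] && doc['oid_mapping'].is_a?(Hash)
    raise ArgumentError, 'expected a hash with the single key oid_mapping'
  end
  seen = {} # shortname => oid, to reject two OIDs claiming the same name
  doc['oid_mapping'].each do |oid, entry|
    raise ArgumentError, "#{oid.inspect} is not a numerical OID" unless oid.is_a?(String) && oid.match?(NUMERIC_OID)
    raise ArgumentError, "#{oid}: needs shortname and longname" unless entry.is_a?(Hash) && entry.keys.sort == %w[longname shortname]
    short = entry['shortname']
    raise ArgumentError, "#{oid}: shortname must be one word" unless short.is_a?(String) && short.match?(/\A\S+\z/)
    raise ArgumentError, "shortname #{short} mapped twice" if seen.key?(short)
    seen[short] = oid
  end
  seen.invert
end

# Rename keys as the master does for $trusted[extensions]: mapped OIDs become
# their shortname; Puppet-registered names (already short, e.g. pp_role) and
# unmapped OIDs pass through unchanged.
def map_extensions(raw_extensions, mapping)
  raw_extensions.each_with_object({}) do |(key, value), out|
    out[mapping.fetch(key, key)] = value
  end
end
```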