This information describes the supported and tested configurations for external CAs in this version of Puppet. If you have an external CA use case that isn’t listed here, contact Puppet so we can learn more about it.
Supported external CA configurations
This version of Puppet supports some external CA configurations, but not every possible configuration is supported.
If issues arise that are considered bugs, we'll fix them as soon as possible.
If issues arise in any other external CA setup that are considered feature requests, we’ll consider whether to expand our support.
General notes and requirements
PEM encoding of credentials is mandatory
Puppet expects its SSL credentials to be in
Normal Puppet certificate requirements still apply
Any Puppet Server certificate must contain the DNS name, either as the Subject Common Name (CN) or as a Subject Alternative Name (SAN), that agent nodes use to attempt contact with the server.
Option 1: Single CA
When Puppet uses its internal CA, it defaults to a single CA configuration. A single externally issued CA can also be used in a similar manner.
This is an all-or-nothing configuration rather than a mix-and-match. When using an external CA, the built-in Puppet CA service must be disabled and cannot be used to issue SSL certificates.
Disable the internal CA service.
Ensure that the certname will not change.
Put certificates and keys in place on disk.
- To disable the internal CA, edit the Puppet Server
/etc/puppetlabs/puppetserver/services.d/ca.cfg file, commenting out the certificate-authority-service line and uncommenting the certificate-authority-disabled-service line, so that the active settings are:
#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
- Set a static value for the
Setting a static value prevents any confusion if the machine's hostname changes. The value must match the certname you’ll use to issue the server's certificate, and it must not be blank.
[master]
certname = puppetserver.example.com
- Put the credentials from your external CA on disk in the correct locations. These locations must match what’s configured in your webserver.conf file. If you haven’t changed those settings, run the following commands to find the default locations.
|Credential|File location|
|Server SSL certificate|puppet config print hostcert --section master|
|Server SSL certificate private key|puppet config print hostprivkey --section master|
|Root CA certificate|puppet config print localcacert --section master|
|Root certificate revocation list|puppet config print hostcrl --section master|
If you’ve put the credentials in the correct locations, you shouldn’t need to change any additional settings.
On Puppet agent nodes, you don’t need to change any settings. Put the external credentials into the correct filesystem locations. You can run the following commands to find the appropriate locations.
|Agent SSL certificate|
|Agent SSL certificate private key|
|Root CA certificate|
|Root certificate revocation list|
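The server-side steps above (disable the internal CA service, pin a static certname, place PEM credentials at the configured paths) and the agent-side credential placement are easy to get subtly wrong, and Puppet Server only tells you at start-up. The following script is an added example, not part of the Puppet documentation: a read-only pre-flight check that verifies each step before the service is started. The `is_pem` check applies equally to the agent credential files listed just above. All file contents written by `make_fixtures` are constructed samples (placeholder PEM armour, not real certificates or keys), and the `cert_carries_name` check, which covers the DNS-name requirement from the general notes, assumes `openssl` is installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example (not from the Puppet documentation): a read-only pre-flight
# check for the single external CA layout. It verifies that the internal CA
# service is disabled in ca.cfg, that certname is static in puppet.conf, that
# each credential file is PEM-encoded, and (when openssl is available) that
# the server certificate carries the certname as CN or SAN.
# All fixture contents below are constructed samples, not real credentials.

# Returns 0 when the certificate-authority-service line in ca.cfg is commented
# out and the certificate-authority-disabled-service line is active.
ca_service_disabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    # An active (uncommented) enable line means the internal CA still runs.
    if grep -q '^[[:space:]]*puppetlabs\.services\.ca\.certificate-authority-service/' "$cfg"; then
        return 1
    fi
    grep -q '^[[:space:]]*puppetlabs\.services\.ca\.certificate-authority-disabled-service/' "$cfg"
}

# Prints the certname from puppet.conf ([master] wins over [main]) and
# returns 1 when it is missing or blank.
static_certname() {
    conf="$1"
    [ -r "$conf" ] || return 1
    name=$(awk '
        /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect); next }
        /^[[:space:]]*certname[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            if (sect == "master") m = v; else if (sect == "main") n = v
        }
        END { print (m != "" ? m : n) }' "$conf")
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Returns 0 when the file exists and is PEM-encoded (has BEGIN/END armour);
# a DER file, which Puppet will not accept, fails this check.
is_pem() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q '^-----BEGIN ' "$f" && grep -q '^-----END ' "$f"
}

# Returns 0 when the certificate's text dump mentions the certname (Subject CN
# or subjectAltName DNS entry), 1 when it does not, 2 when openssl is absent.
# This is a coarse substring match; inspect the dump by hand if it fails.
cert_carries_name() {
    cert="$1"; name="$2"
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -Fq "$name"
}

# Runs the server-side checks. Arguments: ca.cfg, puppet.conf, then any
# number of credential files. Prints one line per check; returns 0 only when
# every check passes.
check_single_ca() {
    cfg="$1"; conf="$2"; shift 2
    rc=0
    if ca_service_disabled "$cfg"; then echo "ok   internal CA disabled"
    else echo "FAIL internal CA still enabled: $cfg"; rc=1; fi
    if name=$(static_certname "$conf"); then echo "ok   certname=$name"
    else echo "FAIL certname missing or blank: $conf"; rc=1; fi
    for f in "$@"; do
        if is_pem "$f"; then echo "ok   PEM: $f"
        else echo "FAIL not PEM or unreadable: $f"; rc=1; fi
    done
    return $rc
}

# Writes constructed fixtures into a temporary directory and prints its path.
make_fixtures() {
    d=$(mktemp -d)
    printf '%s\n' \
        '#puppetlabs.services.ca.certificate-authority-service/certificate-authority-service' \
        'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service' \
        > "$d/ca.cfg"
    printf '%s\n' \
        'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service' \
        '#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service' \
        > "$d/ca-default.cfg"
    printf '%s\n' '[main]' 'server = puppetserver.example.com' '[master]' \
        'certname = puppetserver.example.com' > "$d/puppet.conf"
    printf '%s\n' '[master]' 'certname =' > "$d/puppet-blank.conf"
    # Placeholder PEM armour around constructed text, not a real certificate or key.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' \
        '-----END CERTIFICATE-----' > "$d/hostcert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' \
        '-----END PRIVATE KEY-----' > "$d/hostprivkey.pem"
    printf '\060\202\001\002' > "$d/hostcert.der"   # DER-style bytes, no PEM armour
    printf '%s\n' "$d"
}

# Demonstration against the fixtures; the DER file is included to show a failure.
# On a real server, pass the paths printed by the puppet config print commands
# in the table above instead.
d=$(make_fixtures)
check_single_ca "$d/ca.cfg" "$d/puppet.conf" "$d/hostcert.pem" "$d/hostprivkey.pem" "$d/hostcert.der" \
    || echo "pre-flight failed; fix the FAIL lines before starting Puppet Server"
rm -rf "$d"
```

After the three checks pass on a real server, run `cert_carries_name` with the real hostcert path and the certname that `static_certname` printed; a return of 1 means the certificate does not name the host that agents will contact, which violates the certificate requirement in the general notes.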
Option 2: Puppet Server functioning as an intermediate CA
Puppet Server can operate as an intermediate CA to an external root CA.
For more information, see Using Puppet Server as an intermediate certificate authority.