ca.conf

The ca.conf file configures settings for the Puppet Server Certificate Authority (CA) service. For an overview, see Puppet Server Configuration.

Deprecation Note: The authorization-required and client-allowlist settings are deprecated as of Puppet Server 2.2 in favor of authorization that is configured in the new auth.conf file.

Signing settings

The allow-subject-alt-names setting in the certificate-authority section enables you to sign certificates with subject alternative names. It is false by default for security reasons but can be enabled if you need to sign certificates with subject alternative names. Be aware that enabling the setting could allow agent nodes to impersonate other nodes (including the nodes that already have signed certificates). Consequently, you must carefully inspect any CSRs with SANs attached. puppet cert sign previously allowed this via a flag, but puppetserver ca sign requires it to be configured in the config file.

The allow-authorization-extensions setting in the certificate-authority section also enables you to sign certs with authorization extensions. It is false by default for security reasons, but can be enabled if you know you need to sign certificates this way. puppet cert sign used to allow this via a flag, but puppetserver ca sign requires it to be configued in the config file.

Infrastructure CRL settings

Puppet Server is able to create a separate CRL file containing only revocations of Puppet infrastructure nodes. This behavior is turned off by default. To enable it, set certificate-authority.enable-infra-crl to true.

Status settings (deprecated)

The certificate-status setting in ca.conf provides deprecated configuration options for access to the certificate_status and certificate_statuses HTTP endpoints. These endpoints allow certificates to be signed, revoked, and deleted through HTTP requests, which provides full control over Puppet's ability to securely authorize access. Therefore, you should always restrict access to ca.conf.

Puppet Enterprise Note: Puppet Enterprise uses these endpoints to provide a console interface for certificate signing. For more information, see Certificate Status.

The certificate-status setting takes two parameters: authorization-required and client-allowlist. If authorization-required is set to true or not set, and client-allowlist is set to an empty list or not set, Puppet Server uses the authorization methods and new auth.conf format introduced in Puppet Server 2.2 to control access to the administration API endpoints.

  • authorization-required determines whether a client certificate is required to access certificate status endpoints. If this parameter is set to false, all requests can access this API. If set to true, only the clients whose certificate names are included in the client-allowlist setting can access the admin API. If this parameter is not specified but the client-allowlist parameter is, this parameter's value defaults to true.

  • client-allowlist contains a list of client certificate names that are whitelisted for access to the certificate status endpoints. Puppet Server denies access to requests at these endpoints that do not present a valid client certificate named in this list.

Example (Deprecated)

If you are using the deprecated authorization methods, follow this structure to configure certificate_status and certificate_statuses endpoint access in ca.conf, whitelisting a client named host1:

certificate-authority: {
   # deprecated in favor of auth.conf
   certificate-status: {
       authorization-required: true
       client-allowlist: [host1]
   }
}