autosign.conf: Basic certificate autosigning

The autosign.conf file can allow certain certificate requests to be automatically signed. It is only valid on the CA primary Puppet server; a primary server not serving as a CA does not use autosign.conf.

CAUTION: Because any host can provide any certname when requesting a certificate, basic autosigning is insecure. Use it only when you fully trust any computer capable of connecting to the primary server.
Puppet also provides a policy-based autosigning interface using custom policy executables, which can be more flexible and secure than the autosign.conf allowlist but more complex to configure.

For more information, see the documentation about certificate autosigning.

Location

Puppet looks for autosign.conf at $confdir/autosign.conf by default. To change this path, configure the autosign setting in the [server] section of puppet.conf.

The default confdir path depends on your operating system. See the confdir documentation for more information.

Note: The autosign.conf file must not be executable by the primary server user account. If the autosign setting points to an executable file, Puppet instead treats it like a custom policy executable even if it contains a valid autosign.conf allowlist.

Format

The autosign.conf file is a line-separated list of certnames or domain name globs. Each line represents a node name or group of node names for which the CA primary server automatically signs certificate requests.

rebuilt.example.com
*.scratch.example.com
*.local

Domain name globs do not function as normal globs: an asterisk can only represent one or more subdomains at the front of a certname that resembles a fully qualified domain name (FQDN). If your certnames don’t look like FQDNs, the autosign.conf allowlist might not be effective.

Note: The autosign.conf file can safely be an empty file or not-existent, even if the autosign setting is enabled. An empty or non-existent autosign.conf file is an empty allowlist, meaning that Puppet does not autosign any requests. If you create autosign.conf as a non-executable file and add certnames to it, Puppet then automatically uses the file to allow incoming requests without needing to modify puppet.conf.

To explicitly disable autosigning, set autosign = false in the [server] section of the CA primary server's puppet.conf, which disables CA autosigning even if autosign.conf or a custom policy executable exists.