ca.conf

The ca.conf file configures settings for the Puppet Server Certificate Authority (CA) service. For an overview, see Puppet Server Configuration.

Signing settings

The allow-subject-alt-names setting in the certificate-authority section lets the CA sign certificates that contain subject alternative names. It is false by default for security reasons, but can be enabled if you need to sign such certificates. puppet cert sign used to allow this via a flag, but puppetserver ca sign requires it to be set in the config file.

The allow-authorization-extensions setting in the certificate-authority section lets the CA sign certificates that contain authorization extensions. It is false by default for security reasons, but can be enabled if you know you need to sign certificates this way. puppet cert sign used to allow this via a flag, but puppetserver ca sign requires it to be set in the config file.

Infrastructure CRL settings

Puppet Server is able to create a separate CRL file containing only revocations of Puppet infrastructure nodes. This behavior is turned off by default. To enable it, set certificate-authority.enable-infra-crl to true.
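
The three settings described above, shown together in a ca.conf as an added example (not taken from the original page). The values are constructed for illustration: both signing settings are left at their default of false, and the infrastructure CRL is turned on.

```hocon
# ca.conf (constructed example)
certificate-authority: {
    # Default. Set to true only if the CA must sign certificates that
    # contain subject alternative names. puppetserver ca sign has no
    # flag for this, so it can only be allowed here.
    allow-subject-alt-names: false

    # Default. Set to true only if you know you need to sign
    # certificates that contain authorization extensions.
    allow-authorization-extensions: false

    # Off by default. When true, Puppet Server creates a separate CRL
    # file containing only revocations of Puppet infrastructure nodes.
    enable-infra-crl: true
}
```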
