Puppet stores its certificate infrastructure in the SSL directory (ssldir) which has a similar structure on all Puppet nodes, whether they are agent nodes, Puppet masters, or the certificate authority (CA) master.
By default, the ssldir is a subdirectory of the confdir.
ssldirsetting in the
puppet.conffile. See the Configuration reference for more information.
$confdir/puppet.conffile, usually in the
To see the location of the
ssldir on one of your nodes, run:
config print ssldir
The ssldir contains Puppet certificates, private keys, certificate signing requests (CSRs), and other cryptographic documents.
A private key:
A signed certificate:
A copy of the CA certificate:
A copy of the certificate revocation list (CRL):
A copy of its sent CSR:
$ openssl rsa -in $(puppet config print hostprivkey) -pubout
If these files don’t exist on a node, it's because they are generated locally or requested from the CA Puppet master.
Agent and master credentials are identified by certname, so an agent process and a master process running on the same server can use the same credentials.
The ssldir for the Puppet CA, which runs
on the CA master, contains similar credentials:
private and public keys, a certificate, and a
master copy of the CRL. It maintains a list of all
signed certificates in the deployment, a copy of
each signed certificate, and an incrementing
serial number for new certificates. To keep it
separated from general Puppet credentials on
the same server, all of the CA’s data is stored in
The ssldir directory structure
All of the files and directories in
ssldir directory have
corresponding Puppet settings, which can be used to change their
locations. Generally, though, don't change the
default values unless you have a specific problem
to work around.
the permissions mode of the ssldir is
0771. The directory and each file in it is owned
by the user that Puppet runs as: root or
Administrator on agents, and defaulting
pe-puppet on a master. Set up
automated management for ownership and permissions
on the ssldir.
cadirectory (on the CA master only): Contains the files used by Puppet’s certificate authority. Mode: 0755. Setting:
ca_crl.pem: The master copy of the certificate revocation list (CRL) managed by the CA. Mode: 0644. Setting:
ca_crt.pem: The CA’s self-signed certificate. This cannot be used as a master or agent certificate; it can only be used to sign certificates. Mode: 0644. Setting:
ca_key.pem: The CA’s private key, and one of the most security-critical files in the Puppet certificate infrastructure. Mode: 0640. Setting:
ca_pub.pem: The CA’s public key. Mode: 0644. Setting:
inventory.txt: A list of the certificates the CA signed, along with their serial numbers and validity periods. Mode: 0644. Setting:
requests(directory): Contains the certificate signing requests (CSRs) that have been received but not yet signed. The CA deletes CSRs from this directory after signing them. Mode: 0755. Setting:
<name>.pem: CSR files awaiting signing.
serial: A file containing the serial number for the next certificate the CA signs. This is incremented with each new certificate signed. Mode: 0644. Setting:
signed(directory): Contains copies of all certificates the CA has signed. Mode: 0755. Setting:
<name>.pem: Signed certificate files.
certificate_requests(directory): Contains CSRs generated by this node in preparation for submission to the CA. CSRs stay in this directory even after they have been submitted and signed. Mode: 0755. Setting:
<certname>.pem: This node’s CSR. Mode: 0644. Setting:
certs(directory): Contains signed certificates present on the node. This includes the node’s own certificate, and a copy of the CA certificate for validating certificates presented by other nodes. Mode: 0755. Setting:
<certname>.pem: This node’s certificate. Mode: 0644. Setting:
ca.pem: A local copy of the CA certificate. Mode: 0644. Setting:
crl.pem: A copy of the certificate revocation list (CRL) retrieved from the CA, for use by agents or masters. Mode: 0644. Setting:
private(directory): Usually, does not contain any files. Mode: 0750. Setting:
password: The password to a node’s private key. Usually not present. The conditions in which this file would exist are not defined. Mode: 0640. Setting:
private_keys(directory): Contains the node's private key and, on the CA, private keys created by the
puppet cert generatecommand. It never contains the private key for the CA certificate. Mode: 0750. Setting:
<certname>.pem: This node’s private key. Mode: 0600. Setting:
public_keys(directory): Contains public keys generated by this node in preparation for generating a CSR. Mode: 0755. Setting:
<certname>.pem: This node’s public key. Mode: 0644. Setting: