Infrastructure certificate revocation list (CRL)

The Puppet Server CA can create a CRL that contains only revocations of those nodes that agents are expected to talk to during normal operations, for example, compile primary servers or hosts that agents connect to as part of agent-side functions. Puppet Server CA can distribute that CRL to agents, rather than the CRL it maintains with all node revocations.

To create a smaller CRL, manage the content of the file at $cadir/infra_inventory.txt. Provide a newline-separated list of the certnames. When revoked, they are added to the Infra CRL. The certnames must match existing certificates issued and maintained by the Puppet Server CA. Setting the value certificate-authority.enable-infra-crl to true causes Puppet Server to update both its Full CRL and its Infra CRL with the certs that match those certnames when revoked. When agents first check in, they receive a CRL that includes only the revocations of certnames listed in the infra_inventory.txt.

The infrastructure certificate revocation list is disabled by default in open source Puppet. To toggle it, update enable-infra-crl in the certificate-authority section of puppetserver.conf.

This feature is disabled by default because the definition of what constitutes an "infrastructure" node is site-specific and sites with a standard, single primary server configuration have no need for the additional work. After having enabled the feature, if you want to go back, remove the explicit setting and reload Puppet Server to turn the default off; then, when agents first check, they receive the Full CRL as before (including any infrastructure nodes that were revoked while the feature was enabled).