All, I was wondering if it's possible to change the autosign behavior that it will allow to autosign certs with alternative DNS entries. Currently the problem is if an auto scaling events create another master the autosign on CA will fail, because it has alternative DNS entries. We also tried to use an external autosign script, but the result is the same. I understand that's a potential security risk, but we have other measures in place to make it safe. Alternatively we could embed the presigned certs in the cloud init process, but we would like to avoid that. thank you, Dejan -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/b19b3c8a-53f4-46b3-bc17-65f6900ac515%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.