Thorsten Sandfuchs wrote:
> Hio,
> I'm looking for a way to manage openssl client/server classes which correspond
> to each other. As I don't want to reinvent the wheel, I'd be glad if someone
> could share his solution? :)
>
> It should be possible to provide and distribute ssl-certificates corresponding
> to one (or perhaps even many) CAs and for any daemon necessary. E.g. ldap,
> apache, openvpn - just to enumerate a few.

You can already use Puppet's CA to generate any cert you want -- I'm using certs generated by Puppet for http, imap, smtp, and ldap. Just do 'puppetca -g <hostname>'.

As to distribution... It's pretty easy if you're only doing a few of these, since you can just drop them into your file distribution tree. If you're doing a lot of them, then you'd want some way to automatically create them, which isn't the easiest to do in Puppet right now.

> And it should provide some options in specifying fancy things like subject
> alternative name and NScertType et al.

Puppet's CA does not support this, but I wouldn't think it'd be that difficult to do.

> I was thinking about using QuickCert for this because it's in ruby and seems
> like a good way to generate those things.

I used QuickCert to show me how to do most of what Puppet's CA does, but I expect you'll find Puppet's CA easier to use in the end.

--
The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair. -- Douglas Adams, Mostly Harmless
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Thursday 26 October 2006 21:13, Luke Kanies wrote:
> You can already use Puppet's CA to generate any cert you want -- I'm
> using certs generated by Puppet for http, imap, smtp, and ldap. Just do
> 'puppetca -g <hostname>'.
>
> As to distribution... It's pretty easy if you're only doing a few of
> these, since you can just drop them into your file distribution tree.
> If you're doing a lot of them, then you'd want some way to automatically
> create them, which isn't the easiest to do in Puppet right now.

It'd be great to have a puppet type for that:

    node puppetmaster {
        sslca { "CA Parent":
            o  => Orga,
            ou => Unit,
        }
    }

    node webserver {
        sslcert { $hostname:
            key  => "/etc/apache/ssl/$hostname.key",
            cert => "/etc/apache/ssl/$hostname.crt"
        }
    }

If you already have the code in puppetca, this shouldn't be much[1]?

Regards, David

[1] Wisdom of the ignorant ;)

--
- hello... how are you today?
- *cough* fine *snort* *wheeze*
- thank god we're communicating over a septic medium ;)
-- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
David Schmitt wrote:
>
> It'd be great to have a puppet type for that:
>
>     node puppetmaster {
>         sslca { "CA Parent":
>             o  => Orga,
>             ou => Unit,
>         }
>     }
>
>     node webserver {
>         sslcert { $hostname:
>             key  => "/etc/apache/ssl/$hostname.key",
>             cert => "/etc/apache/ssl/$hostname.crt"
>         }
>     }
>
> If you already have the code in puppetca, this shouldn't be much[1]?

You are correct, that should not take much code. I'll gladly accept that patch. :)

I might get to it some day, but it doesn't seem likely considering my current workload and travel schedule, and the fact that there are something like 428,367 enhancement requests in Trac right now.

--
The Chico, California, City Council enacted a ban on nuclear weapons, setting a $500 fine for anyone detonating one within city limits.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
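As an added illustration (not code from the thread, Puppet or QuickCert) of what the proposed sslca/sslcert types would have to do underneath, and of the subjectAltName and nsCertType extensions Luke notes Puppet's CA did not support: a small Ruby OpenSSL routine that builds a CA from an O/OU pair, signs a server certificate with both extensions, and verifies the chain. The hostnames and organisation names are constructed placeholders.

```ruby
require 'openssl'

# Build a self-signed CA certificate from the O/OU pair David's sslca type
# takes. Valid for ten years; 2048-bit RSA keys throughout.
def build_ca(o:, ou:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['O', o], ['OU', ou], ['CN', "#{o} CA"]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 10 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Issue a one-year server cert for hostname, signed by the CA above, with a
# subjectAltName listing every DNS name it serves and nsCertType=server.
def sign_server_cert(ca_key, ca_cert, hostname, alt_names, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', hostname]])
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  san = ([hostname] + alt_names).map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.add_extension(ef.create_extension('nsCertType', 'server', false))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Check that cert chains to ca_cert; returns true/false like a client would.
def verify_chain(ca_cert, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end
```

Writing the PEM of `key` and `cert` to the key/cert paths of the sslcert type is all that is left for a distribution step.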