Hi,

I am wondering how people are handling certificates for workstations whose names commonly change.

I am using Puppet to manage Mac workstations. When they initially come on the network, they haven't been named, dynamic DNS has not updated and they have the potential to have name conflicts. I wind up with different cert requests for the same machine.

If I use autosign, the names will be completely wrong. What I'd like to do is probably create the cert request on the client side using the en0 MAC address of the machine or something unique rather than the current FQDN of the host. I realize that I could do this on the server, but that requires out-of-band distribution of the cert to the client, right?

Thanks,
Kyle

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Nigel Kersten
2008-Sep-29 17:06 UTC
[Puppet Users] Re: certificate strategy for workstations
On Mon, Sep 29, 2008 at 8:56 AM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>
> Hi,
>
> I am wondering how people are handling certificates for workstations
> whose names commonly change.
>
> I am using Puppet to manage Mac workstations. When they initially
> come on network, they haven't been named, dynamic dns has not updated
> and they have the potential to have name conflicts. I wind up with
> different cert requests for the same machine.
>
> If I use autosign, the names will be completely wrong. What I'd like
> to do is probably create the cert request on the client side using
> the en0 macaddress of the machine or something unique rather than the
> current fqdn of the host. I realize that I could do this on the
> server, but that requires out of band distribution of the cert to the
> client right?
>
> Thanks,
>

Kyle, we use a UUID for all our clients for this exact problem.

Our puppet installation creates puppet.conf with the output of

    uuidgen | tr [A-Z] [a-z]

instead so that's the certname that's requested by the client.

You could easily make it something related to the en0 MAC if you wanted.

-- 
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
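The approach in Nigel's reply (a client-chosen certname written into puppet.conf, either a lowercased UUID or something derived from the en0 MAC) as a worked example. This is an added script for this thread, not Nigel's or the Puppet project's code. It assumes the caller passes in the paths for a state file and for puppet.conf (on a real client these would be something like /etc/puppet/certname and /etc/puppet/puppet.conf, which are placeholders here), and the MAC address used in the demo is a constructed sample rather than one read from an interface.

```shell
#!/bin/sh
# Added example for this thread, not Nigel's or the Puppet project's code.
# Gives a Mac client a stable, client-side certname and writes it into
# puppet.conf. Assumptions (not from the thread): the state file path and
# puppet.conf path are supplied by the caller; on a real client they would
# be e.g. /etc/puppet/certname and /etc/puppet/puppet.conf. The MAC address
# in the demo is constructed, not read from en0.

# Puppet lowercases certnames, so normalise a MAC (as `ifconfig en0` prints
# it on a Mac) into a lowercase, dash-separated name with a fixed prefix
# that cannot collide with a hostname-derived certname.
mac_to_certname() {
    printf 'mac-%s' "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ':' '-')"
}

# Generate a UUID once and persist it; later calls return the stored value,
# so the client keeps requesting the same certname even after it is renamed
# or DNS catches up. Falls back to other random sources when uuidgen is absent.
stable_uuid_certname() {
    state="$1"
    if [ -s "$state" ]; then
        cat "$state"
        return 0
    fi
    if command -v uuidgen >/dev/null 2>&1; then
        id=$(uuidgen)
    elif [ -r /proc/sys/kernel/random/uuid ]; then
        id=$(cat /proc/sys/kernel/random/uuid)
    else
        id=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    fi
    id=$(printf '%s' "$id" | tr 'A-Z' 'a-z')   # same lowercasing as the reply
    printf '%s\n' "$id" > "$state"
    chmod 600 "$state"   # only the owner (root on a real client) may alter it
    printf '%s' "$id"
}

# Write a minimal puppet.conf whose [main] section sets certname.
write_puppet_conf() {
    conf="$1"
    name="$2"
    printf '[main]\ncertname = %s\n' "$name" > "$conf"
}

# Read certname back out of puppet.conf (first match, key and spaces stripped).
read_certname() {
    sed -n 's/^[[:space:]]*certname[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Demo: UUID strategy into a temporary puppet.conf, plus the MAC variant.
main() {
    dir=$(mktemp -d)
    name=$(stable_uuid_certname "$dir/certname")
    write_puppet_conf "$dir/puppet.conf" "$name"
    echo "certname from UUID: $(read_certname "$dir/puppet.conf")"
    echo "certname from MAC:  $(mac_to_certname '00:1A:2B:3C:4D:5E')"
}

# Only run the demo when invoked with --demo, so sourcing the file writes nothing.
if [ "${1:-}" = "--demo" ]; then
    main
fi
```

Persisting the UUID is what stops the "different cert requests for the same machine" problem: the name no longer depends on hostname or DNS state at first boot. Note that the certname is still chosen by the client, so with autosign the master trusts whatever name arrives; the identity lives in the signed cert and the state file, both of which should be root-owned on the workstation.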
Crawford Kyle
2008-Sep-29 19:35 UTC
[Puppet Users] Re: certificate strategy for workstations
On Sep 29, 2008, at 1:06 PM, Nigel Kersten wrote:
>
> On Mon, Sep 29, 2008 at 8:56 AM, Crawford Kyle <kcrwfrd@gmail.com>
> wrote:
>>
>> Hi,
>>
>> I am wondering how people are handling certificates for workstations
>> whose names commonly change.
>>
>> I am using Puppet to manage Mac workstations. When they initially
>> come on network, they haven't been named, dynamic dns has not updated
>> and they have the potential to have name conflicts. I wind up with
>> different cert requests for the same machine.
>>
>> If I use autosign, the names will be completely wrong. What I'd like
>> to do is probably create the cert request on the client side using
>> the en0 macaddress of the machine or something unique rather than the
>> current fqdn of the host. I realize that I could do this on the
>> server, but that requires out of band distribution of the cert to the
>> client right?
>>
>> Thanks,
>>
>
> Kyle, we use a UUID for all our clients for this exact problem.
>
> Our puppet installation creates puppet.conf with the output of uuidgen
> | tr [A-Z] [a-z] instead so that's the certname that's requested by
> the client.
>
> You could easily make it something related to the en0 MAC if you
> wanted.

Ah, certname in puppet.conf. Excellent.

Thanks Nigel,
Kyle