Hi,

It may be obvious but I don't understand what the 'ca/ca_*.pem' and the 'certs/ca.pem' files stand for :(
It sounds a bit 'redundant' to me....
Someone has an explanation ?

Best regards,

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Mon, Mar 22, 2010 at 2:01 PM, Arnauld <a.michelizza@gmail.com> wrote:
> Hi,
>
> It may be obvious but I don't understand what the 'ca/ca_*.pem' and
> the 'certs/ca.pem' files stand for :(
> It sounds a bit 'redundant' to me....
> Someone has an explanation ?

Hi Arnauld,

Have you seen http://projects.reductivelabs.com/projects/puppet/wiki/Certificates_And_Security ... it goes into a bit more detail than you would like, perhaps.

CA means "certificate authority". PEM is a certificate format.

In short (copying from Dan's notes):

1. ca/private/ca.pass - stores the password for the CA's private key.
2. ca/signed/ - directory where all signed certificates are stored; these are created by puppet --sign (or automatically if auto-signing is enabled)
3. ca/requests/ - this is where pending requests are stored; they are removed when puppetca --sign is run
4. ca/ca_key.pem - Private key for the CA (this is what it uses to sign things?)
5. ca/ca_crl.pem - this is the list of certificates that have been revoked.
6. ca/ca_crt.pem - this is the self signed certificate for the CA.
7. ca/ca_pub.pem - public key
8. ca/inventory.txt - list of all keys that have been signed.
9. ca/serial - CA's counter that ensures a unique ID for each key.

Hope that helps!

--Michael
On Mon, Mar 22, 2010 at 11:39 AM, Michael DeHaan <michael@reductivelabs.com> wrote:
> In short (copying from Dan's notes):
>
> 1. ca/private/ca.pass - stores the password for the CA's private key.
> 2. ca/signed/ - directory where all signed certificates are stored,
> these are created by puppet --sign (or automatically if auto-signing is
> enabled)
> 3. ca/requests/ - this is where pending requests are stored, they are
> removed when puppetca --sign is run
> 4. ca/ca_key.pem - Private key for the CA (this is what it uses to sign
> things?)
> 5. ca/ca_crl.pem - this is the list of certificates that have been
> revoked.
> 6. ca/ca_crt.pem - this is the self signed certificate for the CA.
> 7. ca/ca_pub.pem - public key
> 8. ca/inventory.txt - list of all keys that have been signed.
> 9. ca/serial - CA's counter that ensures a unique ID for each key.

This list is missing the cert that you asked about :)

cert/ca.pem - this is the CA's cert that is used to establish trust. As in, I trust people that have been signed by this certificate. This file exists on both the client and server.

> Hope that helps!
>
> --Michael
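As an added example (not code from this thread or from Puppet itself), the Ruby script below builds the pieces named above in memory and shows why certs/ca.pem is not redundant with the ca/ca_*.pem files: it is the same certificate as ca/ca_crt.pem with no private key, and it is all a node needs to accept a certificate signed with ca/ca_key.pem and to reject one issued by some other CA. The CA and agent names are constructed, and the helper names (fill, build_ca, sign_agent, trusted?) are my own, not Puppet's.

```ruby
require 'openssl'

# Build a certificate from its parts; the serial is what ca/serial hands out.
def fill(cert, subject, issuer, pubkey, serial)
  cert.version = 2
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

# ca/ca_key.pem (private key) plus ca/ca_crt.pem (self-signed certificate).
def build_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  subj = OpenSSL::X509::Name.parse("/CN=#{name}")
  crt = fill(OpenSSL::X509::Certificate.new, subj, subj, key.public_key, 1)
  ef = OpenSSL::X509::ExtensionFactory.new(crt, crt)
  crt.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  crt.sign(key, OpenSSL::Digest.new('SHA256'))
  { key: key, crt: crt }
end

# What `puppetca --sign` does to a request in ca/requests/: issue a cert under the CA key.
def sign_agent(ca, agent_cn, serial)
  akey = OpenSSL::PKey::RSA.new(2048)
  subj = OpenSSL::X509::Name.parse("/CN=#{agent_cn}")
  crt = fill(OpenSSL::X509::Certificate.new, subj, ca[:crt].subject, akey.public_key, serial)
  crt.sign(ca[:key], OpenSSL::Digest.new('SHA256'))
  crt
end

# The check a node performs with certs/ca.pem as its only trust anchor.
def trusted?(ca_pem, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  store.verify(cert)
end

def demo
  ca = build_ca('Puppet CA (constructed)')
  certs_ca_pem = ca[:crt].to_pem       # certs/ca.pem: a copy of ca/ca_crt.pem, no private key
  agent = sign_agent(ca, 'agent01.example', 2)
  rogue = sign_agent(build_ca('Rogue CA (constructed)'), 'agent01.example', 2)
  { same_cert: OpenSSL::X509::Certificate.new(certs_ca_pem).to_der == ca[:crt].to_der,
    agent_ok: trusted?(certs_ca_pem, agent),   # true: signed by ca/ca_key.pem
    rogue_ok: trusted?(certs_ca_pem, rogue) }  # false: issuer unknown to certs/ca.pem
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```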
Thanks a lot, it's more clear now :)

But I have another ssl question... When a client tries to establish a connection with the master, is there a double check ? I mean, does the client verify the master's authenticity and reciprocally ?

--Arnauld