Feature #2839

print fingerprint for certificates

Added by Peter Meier over 2 years ago. Updated about 2 years ago.

Status: Closed
Start date: 11/19/2009
Priority: Normal
Due date:
Assignee: Brice Figureau
% Done: 0%
Category: SSL
Target version: 2.6.0
Affected Puppet version: 0.25.1
Branch: http://github.com/masterzen/puppet/tree/tickets/master/2395
Keywords: ssl, puppetca, fingerprints
Votes: 1

Description

It should be possible to print the fingerprint of a client certificate, and puppetca should also show fingerprints for signing requests.

This way you could completely avoid a possible man-in-the-middle from the very beginning (during the certification upload / signing process), as you can easily verify both fingerprints.

Currently you could use @puppetca --print@ on the master to examine the certificate; however, I don’t know of any easy command for that on the client, nor was I able to find one. And using @puppetca@ on the client somehow doesn’t work.

Hence the idea would be that you do a certificate request on the client, which would upload the cert to the master and print out the fingerprint. It would also be nice if either @puppetca --print@ would work or if there were something like @puppetd --print-fingerprint@.

On the master, @puppetca --list@ should then show the fingerprint of the request besides the fqdn, and you could easily compare them.
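The comparison requested above, as an added Ruby example that is not part of the ticket or of Puppet's code: the client prints a fingerprint of its signing request, and the master accepts a pending request only if it hashes to the same value. The SHA256 digest over the DER encoding, the helper names and the host name `agent01.example.test` are assumptions of this example.

```ruby
require 'openssl'

# Digest of the DER encoding as colon-separated upper-case hex.
# SHA256 is an assumption of this example, not taken from the ticket.
def fingerprint(x509_obj, digest = 'SHA256')
  OpenSSL::Digest.new(digest).hexdigest(x509_obj.to_der).upcase.scan(/../).join(':')
end

# Build a self-signed CSR for a host name (constructed sample data).
def make_csr(fqdn, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', fqdn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Fingerprints get retyped or pasted: ignore case, colons and spaces.
def normalize(fp)
  fp.to_s.upcase.gsub(/[^0-9A-F]/, '')
end

# Master side: the pending request must carry a valid self-signature
# and hash to exactly what the client printed.
def request_matches?(pending_pem, client_fp, digest = 'SHA256')
  csr = OpenSSL::X509::Request.new(pending_pem)
  return false unless csr.verify(csr.public_key)
  expected = normalize(client_fp)
  !expected.empty? && normalize(fingerprint(csr, digest)) == expected
end

def demo
  fqdn = 'agent01.example.test'
  client_csr = make_csr(fqdn, OpenSSL::PKey::RSA.new(2048))
  printed = fingerprint(client_csr) # what the client would display
  # Same subject, different key: a request substituted in transit.
  swapped_csr = make_csr(fqdn, OpenSSL::PKey::RSA.new(2048))
  { printed: printed,
    genuine: request_matches?(client_csr.to_pem, printed.downcase),
    swapped: request_matches?(swapped_csr.to_pem, printed) }
end

p demo if $PROGRAM_NAME == __FILE__
```

The swapped request has the same host name as the genuine one, so only the fingerprint tells the two apart.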

History

Updated by James Turnbull over 2 years ago

  • Status changed from Unreviewed to Accepted
  • Target version set to 2.6.0

Updated by Brice Figureau over 2 years ago

  • Status changed from Accepted to In Topic Branch Pending Review
  • Assignee set to Brice Figureau
  • Branch set to http://github.com/masterzen/puppet/tree/tickets/master/2395

Patch sent to puppet-dev. The code is available along with #2395 in my github repository branch tickets/master/2395: http://github.com/masterzen/puppet/tree/tickets/master/2395

Updated by Todd Zullinger over 2 years ago

FWIW, the spec file in conf/redhat includes puppetca in the client package as of 0.25.1rc1, since it has various uses on clients.

Updated by James Turnbull over 2 years ago

  • Status changed from In Topic Branch Pending Review to Closed

Updated by James Turnbull over 2 years ago

Correct commit is commit:3e9677f00a09d0249713ed2fa503e42b07f6d978 in branch master.
