Puppet should have an x.509 certificate type and provider
Assignee: Jeff McCune
Affected Puppet version: 0.25.4
Keywords: ssl, ca, multiple ca, type, provider
Impact Data: Everyone using or testing Puppet and the x.509 PKI functionality.
Problem statement: It’s currently difficult and time-consuming to generate CA and SSL certificates by hand, particularly when testing the use of multiple certificate authorities in Puppet. The ability to manage SSL CA and server certificates as native Puppet types will assist testing and eliminate the need to deal with complex openssl.cnf configurations.
Expected Behavior: Puppet should be able to create self-signed root certificate authorities, signed sub-certificate authorities, CSRs, and SSL client/server certificates.
Actual Behavior: Currently, SSL certificates are usually created with the Makefile from sial.org or some equivalent tool and raw openssl commands and configuration files.
Additional information: Community members are interested in leveraging the PKI CA built into Puppet; however, the current implementation is difficult to work with when configuring multiple certificate authorities.
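
For reference, the kind of manual workflow described under Actual Behavior, written out as an added example (not part of the original ticket and not Puppet code): a root CA, a sub-CA signed by it, and a server certificate signed by the sub-CA, built with raw openssl commands and a minimal config file. It assumes the `openssl` CLI is on the PATH; the function names, file names, subjects and the host name `puppet.example.test` are constructed for illustration.

```shell
# Added example: manual openssl workflow for a two-tier test PKI (POSIX sh).
# All names (Test Root CA, Test Sub CA, puppet.example.test) are constructed.
# Minimal config so the system openssl.cnf is never consulted.
write_cnf() {
cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:puppet.example.test
EOF
}

# new_csr NAME SUBJECT: write NAME.key (unencrypted, test use only) and NAME.csr
new_csr() {
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# sign_csr NAME ISSUER EXT_SECTION: issue NAME.crt from NAME.csr using ISSUER's key
sign_csr() {
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -extfile pki.cnf -extensions "$3" \
        -sha256 -days 30 -out "$1.crt" 2>/dev/null
}

# build_test_pki DIR: self-signed root CA -> signed sub-CA -> server certificate
build_test_pki() (
    umask 077 && mkdir -p "$1" && cd "$1" && write_cnf pki.cnf &&
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 30 -subj "/CN=Test Root CA" \
        -keyout root.key -out root.crt 2>/dev/null &&
    new_csr sub "/CN=Test Sub CA" && sign_csr sub root v3_ca &&
    new_csr server "/CN=puppet.example.test" && sign_csr server sub v3_server
)

# chain_ok DIR [INTERMEDIATE]: succeed only if server.crt chains to root.crt
chain_ok() (
    cd "$1" && openssl verify -CAfile root.crt ${2:+-untrusted "$2"} \
        server.crt >/dev/null 2>&1
)
```

Run `build_test_pki ./testpki` and then `chain_ok ./testpki sub.crt`; calling `chain_ok ./testpki` without the intermediate fails, which is the usual symptom when a multi-CA setup hands out an incomplete chain.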