Feature #4175
Option to send the puppetmaster certification in addition to the client cert upon registration
| Status: | Accepted | Start date: | 07/08/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | SSL | | |
| Target version: | - | | |
| Affected Puppet version: | 0.25.5 | Branch: | |
| Keywords: | | | |
| Votes: | 0 | | |
Description
In the use case where there are multiple puppetmasters being load-balanced, a puppet client could get its own certificate issued by puppetmasterA while connecting to puppetmasterB afterwards. All puppetmaster certificates are issued by a trusted rootCA.
Using CA chaining, puppetmasterB (which trusts the rootCA cert) needs the full CA chain available in order to validate the puppet client (client cert -> puppetmasterA cert -> rootCA cert).
It would be helpful to be able to configure a puppetmaster to send its own certificate in addition to the client cert upon registration (appending its own cert to the client cert in PEM format?).
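The chain problem described above, as an added Ruby example that is not part of the ticket or of Puppet's code: a verifier that trusts only the rootCA rejects the client certificate alone, and accepts it once the issuing puppetmaster's certificate is appended to it as PEM. The helper names, the subject `client.example.test` and the throwaway keys are assumptions constructed for the demonstration.

```ruby
require 'openssl'

# Build a short-lived test certificate; self-signed when no issuer is given.
def make_cert(cn, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Split a PEM bundle into certificates, leaf first (the layout the request proposes).
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Verify the leaf against the trusted root only; any further certificates in
# the bundle are untrusted intermediates used solely for path building.
def verify_bundle(pem, trusted_root)
  leaf, *intermediates = parse_bundle(pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, intermediates)
  [ctx.verify, ctx.error_string]
end

# Constructed test PKI: rootCA -> puppetmasterA (intermediate CA) -> client.
root_key, master_key, client_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT     = make_cert('rootCA', root_key, nil, nil, ca: true, serial: 1)
MASTER_A = make_cert('puppetmasterA', master_key, ROOT, root_key, ca: true, serial: 2)
CLIENT   = make_cert('client.example.test', client_key, MASTER_A, master_key, ca: false, serial: 3)

# What puppetmasterB sees today: the client certificate without its issuer.
puts "client cert only:       #{verify_bundle(CLIENT.to_pem, ROOT).inspect}"
# What the request proposes: client certificate with puppetmasterA's appended.
puts "client + puppetmasterA: #{verify_bundle(CLIENT.to_pem + MASTER_A.to_pem, ROOT).inspect}"
```

The appended intermediate is never added to the trust store, so a bundle whose chain does not end at the configured rootCA still fails verification.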
History
Updated by James Turnbull over 1 year ago
- Category set to SSL
- Status changed from Unreviewed to Needs Decision
- Assignee set to Luke Kanies
Seems reasonable to me. Luke?
Updated by Luke Kanies over 1 year ago
- Status changed from Needs Decision to Accepted
- Assignee deleted (Luke Kanies)
I’m definitely comfortable with the general case, but I think a lot more needs to be figured out to make this actually work.