Provide puppetca option to renew CAcert and propagate to clients.
Affected Puppet version:
Branch:
Keywords: puppetca ca ca.pem crl.pem cert ssl renew
I noticed while setting up a puppet master that the CA cert it generates has an expiration date five years in the future. This fact came at about the time that I realized I’d been in charge of a particular set of systems for five years myself, and that timescale suddenly appeared more personally finite to me.
What would be helpful is to have some kind of puppetca command that can generate a new CA Cert, sign it with the old one, and somehow make use of the web of trust to deploy it (and perhaps an updated CRL, if necessary) to every client.
This would help when, four and a half years down the line, you realize it’s getting time to think about renewing that cert.
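The renewal flow the ticket asks for (new CA cert, signed by the old one, usable by clients that still only trust the old cert), worked through with plain openssl as an added example; this is not puppetca code or anything from the Puppet project, and all key, certificate and host names are constructed. It assumes an `openssl` binary on the PATH and a POSIX shell.

```shell
#!/bin/sh
# Constructed demo (not puppetca code) of the renewal the ticket asks for, using
# plain openssl: mint a new CA, cross-sign it with the old CA so clients that only
# trust the old CA still validate certs from the new one, and check time-to-expiry.
set -eu
WORK=$(mktemp -d)

# Returns 0 when the certificate in $1 is still valid for more than $2 days.
ca_has_days_left() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Returns 0 when leaf $3 chains to trusted root $1 through intermediate $2.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Extensions that make the cross-signed certificate a usable CA certificate.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# 1. Old CA: stands in for the five-year cert the puppet master generated.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Puppet CA (old)" -days 1825 \
  -keyout "$WORK/old-ca.key" -out "$WORK/old-ca.pem" 2>/dev/null

# 2. New CA key pair and a CSR for it.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Puppet CA (new)" \
  -keyout "$WORK/new-ca.key" -out "$WORK/new-ca.csr" 2>/dev/null

# 3. Cross-sign: the OLD CA issues the NEW CA's certificate. Anyone holding
#    old-ca.pem can now verify the new CA without installing a new trust anchor.
openssl x509 -req -in "$WORK/new-ca.csr" -CA "$WORK/old-ca.pem" -CAkey "$WORK/old-ca.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/new-ca-cross.pem" 2>/dev/null

# 4. Issue an agent certificate from the new CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=agent01.example" \
  -keyout "$WORK/agent.key" -out "$WORK/agent.csr" 2>/dev/null
openssl x509 -req -in "$WORK/agent.csr" -CA "$WORK/new-ca-cross.pem" -CAkey "$WORK/new-ca.key" \
  -CAcreateserial -days 365 -out "$WORK/agent.pem" 2>/dev/null

# 5. A client trusting only old-ca.pem validates the agent cert via the cross-signed CA.
if chain_ok "$WORK/old-ca.pem" "$WORK/new-ca-cross.pem" "$WORK/agent.pem"; then
  echo "agent cert chains to the old CA through the cross-signed new CA"
fi
# 6. The check a cron job could run: warn when fewer than 180 days remain.
ca_has_days_left "$WORK/old-ca.pem" 180 || echo "WARNING: CA cert expires within 180 days"
```

Once every client has received the new CA cert (and any refreshed CRL) through this chain, a self-signed copy of the new CA can replace the old trust anchor and the cross-signed certificate is no longer needed.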