Feature #6029
Provide puppetca option to renew CAcert and propagate to clients.
| Status: | Accepted | Start date: | 01/27/2011 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | SSL | |||
| Target version: | 3.X | |||
| Affected Puppet version: | Branch: | |||
| Keywords: | puppetca ca ca.pem crl.pem cert ssl renew | |||
| Votes: | 2 |
Description
I noticed while setting up a puppet master that the CA cert it generates has an expiration date five years in the future. This fact came at about the time that I realized I’d been in charge of a particular set of systems for five years myself, and that timescale suddenly appeared more personally finite to me.
What would be helpful is to have some kind of puppetca command that can generate a new CA Cert, sign it with the old one, and somehow make use of the web of trust to deploy it (and perhaps an updated CRL, if necessary) to every client.
This would help when, four and a half years down the line, you realize it’s getting time to think about renewing that cert.
History
Updated by James Turnbull over 1 year ago
- Status changed from Unreviewed to Needs Decision
- Assignee set to Nigel Kersten
Updated by Nigel Kersten about 1 year ago
- Status changed from Needs Decision to Accepted
- Assignee deleted (
Nigel Kersten) - Target version set to 3.X