Skip to content
/ puppet_ca_gen Public

Generates more complex root and intermediate CAs for Puppet Enterprise

2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dylanratcliffe/puppet_ca_gen

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.gitignore
.gitignore
 
 
Gemfile
Gemfile
 
 
README.md
README.md
 
 
gen_certs.rb
gen_certs.rb
 
 

Repository files navigation

Cert Bundle Generator

This ruby script is designed to generate cert bundles for Puppet using a single Root CA and many intermediates. This would allow geographically dispersed installations to have a central Root CA and a different intermediate per region, or to use active-active certificate authorities without the need for a synced serial file. e.g.

Root CA
├── UK Intermediate CA
│    └── UK Agents
├── AUS Intermediate CA
│    └── AUS Agents
└── USA Intermediate CA
     └── USA Agents

First, install all dependencies:

bundle install

To generate a root CA bundle:

> bundle exec ruby gen_certs.rb
What type of CA would you like to generate? (root or intermediate)
root
Name of the Root CA:
Super Amazing Global Root CA
Expiry in years: (5)
15
CA Generated, writing to disk...
Creating: root_ca/cert.pem
Creating: root_ca/crl.pem
Creating: root_ca/private_key.pem

The ca bundle will always be created in a folder called root_ca in the current directory. Do not move this as its hardcoded location is used for generating intermediates (yes I know...)

BACK THIS STUFF UP. THE PRIVATE KEY FOR THE ROOT IS ONLY USED WHEN GENERATING NEW INTERMEDIATES, BUT IF YOU LOSE IT IT'S GONE FOREVER.

To generate an intermediate:

> bundle exec ruby gen_certs.rb
What type of CA would you like to generate? (root or intermediate)
intermediate
Subject of this intermediate CA (Usually the FQDN of the Server):
Super Amazing Australian CA
Comma separatedDNS alternative names: ('')
puppet.aus.puppet.com,pe.aus.puppet.com
Expiry in years: (5)

Creating: Super Amazing Australian CA/ca_bundle.pem
Creating: Super Amazing Australian CA/crl_chain.pem
Creating: Super Amazing Australian CA/private_key.pem

Now we have all of the certs generated we can build the Australian Puppet infrastructure and make sure that it uses the correct cert by copying the bundle to the new Puppet Master and adding the following to pe.conf:

{
 "pe_install::signing_ca": {
   "bundle": "/root/ca/ca_bundle.pem"
   "crl_chain": "/root/ca/crl_chain.pem"
   "private_key": "/root/ca/private_key.pem"
 }
}

After this run the installer and the new Puppet master should sign certs under the new intermediate

Possible Expansion

  • Add arguments as well as the "Wizard"
  • Add the ability to have intermediates of intermediates etc.

About

Generates more complex root and intermediate CAs for Puppet Enterprise

Resources

Readme
Activity

Stars

2 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages