Puppet-ecdsacert
Author: Filippo Giunchedi (edit summary: Fix public key path, move keys to /srv/private)
Revision as of 15:29, 22 February 2017
It is now possible to generate general-purpose ECDSA certificates using our internal puppet CA and then use those for serving HTTPS traffic internally.
All of the following assumes you're operating on our active puppet CA server.
Usage is pretty simple:
puppet-ecdsacert -a SAN1,SAN2,SAN3 CERTNAME
will take care of generating an ECDSA private key, creating a CSR carrying the given Subject Alternative Names, submitting it to the puppet CA and signing it.
You can control the output directories with a config file, but by default the private key will be at:
/var/lib/puppet/ssl/private_keys/CERTNAME.pem
and the public signed cert will be at
/var/lib/puppet/server/ssl/ca/signed/CERTNAME.pem
Once you've generated those files, move the private key into the private puppet repo under /srv/private as a secret, and the public cert into the main puppet repository with a .crt extension. Only the signed cert belongs in the main repository; the private key must never be committed there.
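The checks below are an added example and are not part of this page or of puppet-ecdsacert itself. They are the sanity checks worth running on the CA server between the generation step and the move into the repos, using only openssl(1): that the key really is an EC key, that the signed cert was issued for that key, and that every SAN you asked for is present, followed by a copy into the two repo checkouts with the .crt extension the page asks for. The default output paths are the ones quoted above; the repo directories are parameters because the page names the repos but not the module paths inside them. `make_test_pair` is a constructed stand-in for puppet-ecdsacert (a P-256 key plus a self-signed cert with DNS SANs) so the checks can be exercised off the CA server.

```shell
#!/bin/sh
# Added example, not code from the wikitech page or from puppet-ecdsacert.
# Assumptions: the default output paths from the page, SANs are DNS names,
# and an openssl(1) binary on PATH.
set -u

# verify_ecdsa_cert KEY CERT SAN1,SAN2,...
# Returns 0 when KEY is an EC key, CERT carries the same public key and every
# listed name is in CERT's subjectAltName; otherwise reports the failing check
# on stderr and returns 1.
verify_ecdsa_cert() {
    key=$1; cert=$2; sans=$3

    # 1. The private key must actually be an EC key.
    if ! openssl ec -in "$key" -noout 2>/dev/null; then
        echo "FAIL: $key is not an EC private key" >&2; return 1
    fi

    # 2. The cert must have been issued for that key: compare the SPKI of both.
    keypub=$(openssl ec -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    certpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    if [ -z "$keypub" ] || [ "$keypub" != "$certpub" ]; then
        echo "FAIL: $cert does not match $key" >&2; return 1
    fi

    # 3. Every requested SAN must be present (normalised to one name per line).
    present=$(openssl x509 -in "$cert" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*DNS://')
    for san in $(echo "$sans" | tr ',' ' '); do
        if ! echo "$present" | grep -qxF "$san"; then
            echo "FAIL: $cert has no SAN for $san" >&2; return 1
        fi
    done
    return 0
}

# install_pair KEY CERT CERTNAME PRIVATE_DIR PUBLIC_DIR
# Key goes into the private repo checkout (mode 0400), cert into the main repo
# as CERTNAME.crt. Refuses to publish anything containing key material, so that
# swapped arguments cannot leak the key into the main repository.
install_pair() {
    key=$1; cert=$2; name=$3; privdir=$4; pubdir=$5
    mkdir -p "$privdir" "$pubdir" || return 1
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "FAIL: $cert contains a private key, refusing to copy it to $pubdir" >&2
        return 1
    fi
    install -m 0400 "$key" "$privdir/$name.pem" || return 1
    install -m 0444 "$cert" "$pubdir/$name.crt" || return 1
}

# On the CA server itself: run the tool exactly as the page shows, then check
# its output at the default paths before moving anything.
ecdsacert_checked() {
    name=$1; sans=$2
    puppet-ecdsacert -a "$sans" "$name" || return 1
    verify_ecdsa_cert "/var/lib/puppet/ssl/private_keys/$name.pem" \
        "/var/lib/puppet/server/ssl/ca/signed/$name.pem" "$sans"
}

# make_test_pair DIR CERTNAME SAN1,SAN2,...
# Constructed stand-in for puppet-ecdsacert (a P-256 key and a self-signed cert
# with the given DNS SANs), only so the checks above can be tried off the CA.
make_test_pair() {
    dir=$1; name=$2; sans=$3
    mkdir -p "$dir" || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key.pem" || return 1
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $name
[v3]
subjectAltName = DNS:$(echo "$sans" | sed 's/,/,DNS:/g')
EOF
    openssl req -new -x509 -days 1 -key "$dir/$name.key.pem" \
        -config "$dir/$name.cnf" -out "$dir/$name.crt" 2>/dev/null
}
```

Typical use on the CA server is `ecdsacert_checked CERTNAME SAN1,SAN2` followed by `install_pair` with the two repo checkouts as the last two arguments; the SPKI comparison is the check that catches a cert signed from a stale CSR for a regenerated key.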