DEV Community

Martin Alfke for betadots

Posted on

2 2

Extending Puppet CA

Puppet encrypts connections using a self-signed OpenSSL based CA.
Usually a Puppet CA has a validity of 5 years. At initial Installation one can configure the ca_ttl setting:

puppet config set --section server ca_ttl 10y

Existing installations can extend the CA e.g. by using the following script which has been made public by Neeloy on Puppet Community Slack channel:

cd /etc/puppetlabs/puppet/ssl/ca
(openssl rsa -noout -modulus -in ca_key.pem  2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem  2> /dev/null | openssl md5 )
# Generate new CSR
openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
# Sign
cat > extension.cnf << EOF
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cp ca_crt.pem ca_crt.pem.old
openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity
chown -R puppet: ./*
cd /etc/puppetlabs/puppet/ssl
cp -a ca/ca_crt.pem certs/ca.pem
Enter fullscreen mode Exit fullscreen mode

Another solution is using the Puppet ca_extend Modul which uses tBolt tasks and plans to extend an existing CA.

Happy hacking and fun by continuing using Puppet.

Top comments (0)

Image of Docusign

🛠️ Bring your solution into Docusign. Reach over 1.6M customers.

Docusign is now extensible. Overcome challenges with disconnected products and inaccessible data by bringing your solutions into Docusign and publishing to 1.6M customers in the App Center.

Learn more