I've done this for a few nodes but I'm not sure how this would be an improvement over just enabling autosign. Private keys should remain private to a node and should never be transmitted over the network if possible.
On Wednesday, March 28, 2018 at 3:10:35 PM UTC-4, Eric Sorenson wrote: > > Is anybody out there pre-generating certificates for your agents? I've > heard whispered tales of some folks doing this but we're starting work on > improving the CA / signing / revocation workflow and it'd be great to talk > to somebody directly. The workflow would be using 'puppet cert generate' on > the master/CA then distributing both the private key and the resulting > certificate in some secure, out-of-band mechanism (cloud-init?) to the > nodes, so the agent finds the CA cert as well as its own key/cert pair > ready and waiting when it starts up, bypassing the CSR > generation/submission completely. > > --eric0 > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/7a75eaf6-b71a-4b34-9b76-fe6dbf6f96fd%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
