On Wed, Aug 5, 2020 at 9:10 AM [email protected] < [email protected]> wrote:
> Is it possible to configure the automatic signing of certificates in such
> a way that verification takes place according to a parameter in the config
> on the client. For example, the client config will contain the line:
>
> autosign=5e8ff9bf55ba3508199d22e984129be6
>
> Thus, if the md5 hash is correct, then the CA will sign the certificate
>

I think the thing you're describing is an example of using a CSR Attribute with a policy based autosigner. This is the entry to the docs pages about that: https://puppet.com/docs/puppet/6.17/ssl_attributes_extensions.html.

The tl;dr is that you write a special yaml file to the agent and the agent will include the data in that file in its CSR to the CA. Then you configure the CA to call a script you write to decide if the cert should be signed. Your script can then validate that the CSR contains the correct data attached.

hth,
Justin
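The setup described in the reply above, as an added example that is not part of the original thread and not Puppet's own code: a policy executable for the CA's `autosign` setting that signs only when the CSR carries the expected shared secret in the challengePassword custom attribute (OID 1.2.840.113549.1.9.7). The secret file path, the function names and the constructed sample CSR are assumptions for illustration.

```ruby
#!/usr/bin/env ruby
# Added example: policy-based autosign executable. The Puppet CA runs it with the
# certname as ARGV[0] and the PEM CSR on stdin; exit 0 signs, non-zero refuses.
require 'openssl'

CHALLENGE_OID = 'challengePassword' # short name of OID 1.2.840.113549.1.9.7
SECRET_FILE = '/etc/puppetlabs/puppet/autosign.secret' # assumed path, root-only

# Compare SHA-256 digests byte by byte so timing does not depend on where
# the submitted value first differs from the secret.
def secure_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a).bytes
  db = OpenSSL::Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns true only if the CSR parses, its self-signature verifies, it names
# the certname the CA passed in, and it carries the expected shared secret.
def sign?(certname, csr_pem, secret)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }
  return false unless cn && cn[1] == certname
  attr = csr.attributes.find { |a| a.oid == CHALLENGE_OID }
  return false unless attr
  secure_equal?(attr.value.value.first.value.to_s, secret)
rescue StandardError
  false # unparsable CSR or malformed attribute: fail closed
end

# Constructed sample input: a CSR like the one an agent would send when its
# csr_attributes.yaml sets custom attribute 1.2.840.113549.1.9.7 to `token`.
def sample_csr(certname, token)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  value = OpenSSL::ASN1::Set([OpenSSL::ASN1::UTF8String(token)]) if token
  csr.add_attribute(OpenSSL::X509::Attribute.new(CHALLENGE_OID, value)) if token
  csr.sign(key, OpenSSL::Digest.new('SHA256')).to_pem
end

# Run as the CA would: `script <certname> < csr.pem`.
if $PROGRAM_NAME == __FILE__ && ARGV.size == 1
  exit(sign?(ARGV[0], $stdin.read, File.read(SECRET_FILE).strip) ? 0 : 1)
end
```

On the agent, the matching `csr_attributes.yaml` would list the secret under `custom_attributes:` with the key `1.2.840.113549.1.9.7` before the first run, and the CA's `puppet.conf` would point `autosign` at this script. Custom attributes are not copied into the signed certificate, so the secret stays out of the issued cert.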
