I have worked out a way forward: implement HashiCorp Vault as a CA and, using Puppet, issue certificates from the Vault CA. This CA could replace the Puppet CA or just be a stand-alone CA, and as long as I distribute the CA cert to all boxes on the system we will have trust.
On Wednesday, 16 June 2021 at 03:12:38 UTC+10 barry haycock wrote:
> I have been tasked to upgrade a Puppet 3.x to Puppet 6.x; this will be no mean feat as the current environment covers over 600 nodes.
>
> One of the items that will cause problems is that the old system heavily uses the old module Aethylred/keymaster to manage x509 keypairs from the local Puppet CA. This module is now no longer supported and will not work without an extensive rewrite for the new Puppet CA architecture. That is a path I didn't want to go down.
>
> What I was wondering, and I haven't been able to find a replacement, are there similar options open to me in using certificates issued from the local Puppet CA?
> I have written a module for another Puppet environment that manages certificates from the corporate CA; once they are issued, they are then stored in Hiera. It is looking like I may have to use that module and manually request Puppet CA keypairs, place them into the appropriate Hiera file, allow Puppet and java_ks to manage them from there, and apply monitoring on the certs to warn of expiry.
>
> Are there any options for using the Puppet CA to issue/manage keypairs programmatically?
>
> Barry
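The approach in the reply above (Vault's PKI engine issuing a node keypair, the issuing CA certificate installed alongside it so every box trusts it, and the expiry monitoring the original question asked for), as an added example that is not code from this thread or from Vault or Puppet. The Vault HTTP call is replaced by a constructed sample of the JSON that `POST /v1/pki/issue/<role>` returns (the field names are Vault's; the PEM bodies are placeholders), and the output file names are assumptions.

```python
"""Consume a HashiCorp Vault PKI 'issue' response: install the keypair and
the issuing CA cert on a node and compute a days-to-expiry figure for
monitoring. Added example; the HTTP request is stubbed with sample data."""
import json
import time
from pathlib import Path

# Constructed sample of Vault's response to POST /v1/pki/issue/<role>.
# The PEM bodies are placeholders, not real certificates or keys.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n-----END CERTIFICATE-----",
        "issuing_ca": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----",
        "ca_chain": ["-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----"],
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END RSA PRIVATE KEY-----",
        "private_key_type": "rsa",
        "serial_number": "PLACEHOLDER-SERIAL",
        "expiration": 1_700_000_000,   # Unix epoch, as Vault reports it
    }
})


def parse_issue_response(raw: str) -> dict:
    """Return the 'data' block after checking the fields this node relies on."""
    data = json.loads(raw)["data"]
    for key in ("certificate", "issuing_ca", "private_key", "expiration"):
        if key not in data:
            raise ValueError(f"Vault issue response missing '{key}'")
    return data


def install_keypair(data: dict, destdir: Path) -> dict:
    """Write leaf cert, private key (mode 0600) and the issuing CA cert.

    The CA file is what gives every node trust in certs issued by Vault;
    file names are assumptions for this example."""
    destdir.mkdir(parents=True, exist_ok=True)
    paths = {"cert": destdir / "node.crt", "key": destdir / "node.key",
             "ca": destdir / "vault-ca.crt"}
    paths["cert"].write_text(data["certificate"] + "\n")
    paths["ca"].write_text(data["issuing_ca"] + "\n")
    paths["key"].write_text(data["private_key"] + "\n")
    paths["key"].chmod(0o600)          # key must not be world-readable
    return paths


def days_until_expiry(data: dict, now=None) -> int:
    """Whole days left on the issued cert, from Vault's 'expiration' epoch."""
    now = time.time() if now is None else now
    return int((data["expiration"] - now) // 86400)


def expiry_warning(data: dict, warn_days: int = 30, now=None) -> bool:
    """True when monitoring should alert: fewer than warn_days remain."""
    return days_until_expiry(data, now) < warn_days
```

Pointing `parse_issue_response` at the real response body (and setting `warn_days` to the renewal window of the Vault role) turns this into the expiry check the original question mentions.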
