External CA

This information describes the supported and tested configurations for external CAs in this version of Puppet. If you have an external CA use case that isn’t listed here, contact Puppet so we can learn more about it.

Supported external CA configurations

This version of Puppet supports some external CA configurations, however not every possible configuration is supported.

We fully support the following setup options:

Single CA which directly issues SSL certificates.
Puppet Server functioning as an intermediate CA.

Fully supported by Puppet means:

If issues arise that are considered bugs, we'll fix them as soon as possible.
If issues arise in any other external CA setup that are considered feature requests, we’ll consider whether to expand our support.

Option 1: Puppet Server functioning as an intermediate CA

Puppet Server can operate as an intermediate CA to an external root CA.

See Using Puppet Server as an intermediate certificate authority.

Option 2: Single CA

When Puppet uses its internal CA, it defaults to a single CA configuration. A single externally issued CA can also be used in a similar manner.

This is an all or nothing configuration rather than a mix-and-match. When using an external CA, the built-in Puppet CA service must be disabled and cannot be used to issue SSL certificates.

Note: Puppet cannot automatically distribute certificates in this configuration.

Puppet Server

Configure Puppet Server in three steps:

Disable the internal CA service.
Ensure that the certname does not change.
Put certificates and keys in place on disk.

Edit the Puppet Server/etc/puppetlabs/puppetserver/services.d/ca.cfg file:
1. To disable the internal CA, comment out puppetlabs.services.ca.certificate-authority-service/certificate-authority-service and uncomment puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service.
Set a static value for the certname setting in puppet.conf:
```
[server]
certname = puppetserver.example.com
```
Setting a static value prevents any confusion if the machine's hostname changes. The value must match the certname you’ll use to issue the server's certificate, and it must not be blank.

Put the credentials from your external CA on disk in the correct locations. These locations must match what’s configured in your webserver.conf file.

If you haven’t changed those settings, run the following commands to find the default locations.


Credential	File location
Server SSL certificate	`puppet config print hostcert --section server`
Server SSL certificate private key	`puppet config print hostprivkey --section server`
Root CA certificate	`puppet config print localcacert --section server`
Root certificate revocation list	`puppet config print hostcrl --section server`

If you’ve put the credentials in the correct locations, you don't need to change any additional settings.

Puppet agent

You don’t need to change any settings. Put the external credentials into the correct filesystem locations. You can run the following commands to find the appropriate locations.


Credential	File location
Agent SSL certificate	`puppet config print hostcert --section agent`
Agent SSL certificate private key	`puppet config print hostprivkey --section agent`
Root CA certificate	`puppet config print localcacert --section agent`
Root certificate revocation list	`puppet config print hostcrl --section agent`

General notes and requirements

PEM encoding of credentials is mandatory

Puppet expects its SSL credentials to be in .pem format.

Normal Puppet certificate requirements still apply

Any Puppet Server certificate must contain the DNS name, either as the Subject Common Name (CN) or as a Subject Alternative Name (SAN), that agent nodes use to attempt contact with the server.

Client DN authentication

Puppet Server is hosted by a Jetty web server; therefore. For client authentication purposes, Puppet Server can extract the distinguished name (DN) from a client certificate provided during SSL negotiation with the Jetty web server.

The use of an X-Client-DN request header is supported for cases where SSL termination of client requests needs to be done on an external server. See External SSL Termination with Puppet Server for details.

Web server configuration

Use the webserver.conf file for Puppet Server to configure Jetty. Several ssl- settings can be added to the webserver.conf file to enable the web server to use the correct SSL configuration:

ssl-cert: The value of puppet server --configprint hostcert. Equivalent to the ‘SSLCertificateFile’ Apache config setting.
ssl-key: The value of puppet server --configprint hostprivkey. Equivalent to the ‘SSLCertificateKeyFile’ Apache config setting.
ssl-ca-cert: The value of puppet server --configprint localcacert. Equivalent to the ‘SSLCACertificateFile’ Apache config setting.
ssl-cert-chain: Equivalent to the ‘SSLCertificateChainFile’ Apache config setting. Optional.
ssl-crl-path: The path to the CRL file to use. Optional.

An example webserver.conf file might look something like this:

webserver: { 
 client-auth : want  
 ssl-host    : 0.0.0.0  
 ssl-port    : 8140  
 ssl-cert    : /path/to/server.pem  
 ssl-key     : /path/to/server.key  
 ssl-ca-cert : /path/to/ca_bundle.pem  
 ssl-cert-chain : /path/to/ca_bundle.pem  
 ssl-crl-path : /etc/puppetlabs/puppet/ssl/crl.pem
}

For more information on these settings, seeConfiguring the Web Server Service.

Restart required

After the above changes are made to Puppet Server’s configuration files, you’ll have to restart the Puppet Server service for the new settings to take effect.